tutorial:adm:ad_groups_sync [2021/01/15 13:45]
stekld
tutorial:adm:ad_groups_sync [2021/03/04 11:02]
apeterova typos
Line 42: Line 42:
   * **Principal password** - password of the "principal" account   * **Principal password** - password of the "principal" account
   * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these "paths" will be ignored. Content of **Root suffixes** could be same as **Base contexts** or just put in domain.   * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these "paths" will be ignored. Content of **Root suffixes** could be same as **Base contexts** or just put in domain.
-  * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. +  * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) 
-  * **Group search scope** - Choose object, onlevel or subtree. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. **onlevel** will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize. +  * **Group search scope** - Default subtree. Options: object, onelevel or subtree, however, all behave the same on the current version. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. **onelevel** ("onlevel" is a typo) will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize. 
-  * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=\*Administrator\*))(!(cn=\*Auditor\*)))''+  * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=\*Administrator\*))(!(cn=\*Auditor\*)))''. However, you can't use a filter by whole distinguishedName.
   * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups.   * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups.
   * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users.   * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users.
   * **useVlvControls** - have to be enabled - this is only supported option   * **useVlvControls** - have to be enabled - this is only supported option
   * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: 100.   * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: 100.
-  * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended for groups is cn. **DO NOT** user **distinguishedName** or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0];" error!+  * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended for groups is cn. **DO NOT** use **distinguishedName** or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0];" error!
   * **Uid Attribute for groups** - unique identifier, recommended is objectGUID.   * **Uid Attribute for groups** - unique identifier, recommended is objectGUID.
   * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**.   * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**.
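Review bot: in the **Group search scope** bullet the new text says that object, onelevel and subtree "all behave the same on the current version", yet the rest of the sentence still describes three different behaviours, and the parenthetical '("onlevel" is a typo)' belongs in the change summary, not in the documentation. Suggest stating once which behaviour is actually in effect (presumably the default, subtree) and dropping the per-option description until the options differ, e.g. `Default subtree. In the current version all three options search the whole subtree under each Base context.` Since the scope setting does not narrow the search today, **Base contexts**, **Entry object classes** and **Custom group search filter** are the only settings that limit which entries are picked up as groups, which is worth saying explicitly next to the existing warning that wrong settings "could find even users".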
Line 86: Line 86:
 | Attribute in schema | Name               | Attribute          | IdM key            | | Attribute in schema | Name               | Attribute          | IdM key            |
 | __Name__ (__GROUP__)| Distinguished name | extended           | distinguished_name | | __Name__ (__GROUP__)| Distinguished name | extended           | distinguished_name |
-| name (__GROUP__)    | name               identifier, entity | name               |+| name (__GROUP__)    | name               | entity             | name               |
 | code (__GROUP__)    | name               | entity             | code               | | code (__GROUP__)    | name               | entity             | code               |
-| __UID__ (__GROUP__) | __UID__            |                    |                    |+| __UID__ (__GROUP__) | __UID__            | identifier         |                    |
 </code> </code>
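Review bot: moving `identifier` from the `name` row to the `__UID__` row is the right correction, but the hunk leaves the `IdM key` cell of the `__UID__` row empty while every other row has one; if that is intentional (the UID is used only for correlation, as the later step that sets **Correlation attribute** to `__UID__` suggests), add a sentence under the table saying so, otherwise fill it in. One sentence of rationale for using `__UID__` (recommended earlier as objectGUID) rather than `name` as the identifier would also help here: the troubleshooting note below says groups can be renamed or moved, which would break correlation on `name` but not on objectGUID.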
  
Line 97: Line 97:
 {{ :tutorial:adm:wfad06.png |}} {{ :tutorial:adm:wfad06.png |}}
  
-  * Enable **Allowed** and **Reconcillation**. Fill **Name, Set of mapped attributes** and then **Correlation attribute** as  '\_\_UID\_\_'.+  * Enable **Allowed** and **Reconcilation**. Fill **Name, Set of mapped attributes** and then **Correlation attribute** as  '\_\_UID\_\_'.
   * Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account).   * Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account).
     * **Linked** - it's like update, group is in the AD and also in IdM, but it is possible in the AD could be some change, so usually **Action** is "Update entity"     * **Linked** - it's like update, group is in the AD and also in IdM, but it is possible in the AD could be some change, so usually **Action** is "Update entity"
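Review bot: the spelling fix in the first bullet still does not land on the correct form: it changes "Reconcillation" to "Reconcilation", but the word is "Reconciliation" (unless the UI checkbox is literally labelled that way, in which case keep the label verbatim). While touching this list, "Bellow there are 4 possibilities" in the next bullet should be "Below", and the **Linked** description would read more clearly as "the group exists both in AD and in IdM, but it may have changed in AD, so **Action** is usually 'Update entity'".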
Line 123: Line 123:
 remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local' remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local'
 </code> </code>
-This error means that CzechIdM can not find DisniguishedName set in assigned role for any group in Active Directory.+This error means that CzechIdM can not find DistinguishedName set in assigned role for any group in Active Directory.
 This group could be renamed, moved or deleted. This group could be renamed, moved or deleted.
-if you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished.+If you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished.
 </note> </note>
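Review bot: the corrected sentence "just delete items in provisioning queue for users" should say what that step costs: the queued operations for those users are discarded, and the final "resave stuck users" step is what the note relies on to provision them again, so a reader who skips it is left with unprovisioned users. "Go through the specified tutorial" also names no tutorial inside this note; link it here so the fix can be followed without scrolling back. Finally, the `remaining name` in the quoted error is the DN the server could not resolve, so it is worth telling the reader to compare exactly that value with the group's current DN in AD, given that the note already lists renamed, moved or deleted as the likely causes.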
  
Line 150: Line 150:
   * Remove the role from IDM.   * Remove the role from IDM.
   * Remove group from AD.   * Remove group from AD.
-  * Go to system for AD User -> Attributes maping ->  Maping for provisioning and click on attribute **ldapGroups** -> go to tab **Controlled values** -> In section **Attributes controlled in past**, you will see the group -> delete it+  * Go to system for AD User -> Attributes mapping ->  Mapping for provisioning and click on attribute **ldapGroups** -> go to tab **Controlled values** -> In section **Attributes controlled in past**, you will see the group -> delete it
  
 <note warning> <note warning>
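Review bot: the fix of "maping" leaves inconsistent naming in the same list: "Remove the role from IDM" while the rest of the page writes "IdM" (e.g. "CzechIdM" above). The three bullets also read as an ordered procedure (remove the role, remove the group, then delete the group from **Attributes controlled in past**), so a numbered list would make the order explicit, and a short sentence on why the last step is needed (the removed group otherwise stays listed as a value IdM once controlled on **ldapGroups**) would let a reader judge whether it applies to them.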
  • by kotynekv