Differences
This shows you the differences between two versions of the page.
tutorial:adm:ad_groups_sync [2021/03/04 11:38] apeterova fixed screenshots |
tutorial:adm:ad_groups_sync [2021/03/11 19:24] apeterova corrections - old AD connector, info about AD users |
---|---|---|---|
Line 9: | Line 9: | ||
===== Before you start ===== | ===== Before you start ===== | ||
- | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
- | Then add the jar file into the CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
- | <note tip>To preserve the connector | + | ==== Adding Active Directory |
- | < | + | |
- | ln -s / | + | |
- | </ | + | |
- | </ | + | |
- | Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | + | Since CzechIdM 9.2, the [[https:// |
+ | ==== System for managing AD users ==== | ||
- | Then with tutorial [[.eav|]], you should | + | Loading AD groups to IdM is usually done when you want to manage the group membership of the AD users by IdM. So connecting the system for managing AD users is a logical step before you start to synchronize the groups. |
+ | |||
+ | If you followed the [[.manage_ad|tutorial | ||
+ | * the attribute '' | ||
+ | * the attribute '' | ||
+ | |||
+ | However, it's a common request to do **initial** loading of the group membership from AD. This topic will be covered later. FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the [[..dev: | ||
+ | |||
+ | ==== Automatic creation of automatic roles ==== | ||
+ | |||
+ | The synchronization of AD groups can also create some automatic roles based on the position of the groups in AD. These are specific options of the [[..dev: | ||
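Review bot: the new paragraph that starts "However, it's a common request to do **initial** loading of the group membership from AD" ships with a FIXME marker and a sentence that breaks off at a link ("so the [[..dev:"); either finish the note on how the AD user synchronization maps distinguishedName to an identity EAV, or cut it down to a single "to be documented" line so readers are not left following a half-written instruction. In the same section, the two "the attribute" bullets under "If you followed the [[.manage_ad|tutorial" are prerequisites, and the paragraph above them says why (membership of AD users can only be managed by IdM if the user system is connected first); state that consequence next to the bullets rather than just listing the attributes. Finally, the replacement for the removed download/symlink/restart instructions, "Since CzechIdM 9.2, the [[https://", should say explicitly that no jar has to be added to the application server and no restart or browser refresh is needed any more, and should tell readers on versions older than 9.2 where the old procedure (download from ConnId, add the jar to the CzechIdM folder in the application server, restart) can still be found.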
Line 43: | Line 48: | ||
* **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | ||
* **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | ||
- | * **Group search scope** - Default subtree. Options: object, onelevel or subtree, however, all behave the same on the current version. It means where it will search for groups. As a **subtree**, | + | * **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, |
* **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | ||
* **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. |
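Review bot: the **Group search scope** bullet drops the caveat that object, onelevel and subtree "all behave the same on the current version" without saying what changed; if the newer connector referenced in the first hunk now honours the scope, state the version from which that applies, otherwise readers on older installations will expect onelevel to restrict the search when it does not. Related: the **Entry object classes** bullet already warns that wrong values can pull in users instead of groups ("Usual values: top, group"); the **Custom group search filter** bullet deserves the same warning, and it is worth recommending that any custom filter be combined with the objectClass=group condition so that it can only narrow the result set and never widen it beyond groups.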