Differences

tutorial:adm:ad_groups_sync [2021/03/04 11:38]
apeterova fixed screenshots
tutorial:adm:ad_groups_sync [2021/03/11 19:24]
apeterova corrections - old AD connector, info about AD users
Line 9: Line 9:
  
 ===== Before you start ===== ===== Before you start =====
-First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]). 
-Then add the jar file into the CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, the path would be ''/opt/tomcat/current/webapps/idm/WEB-INF/lib/'' 
  
-<note tip>To preserve the connector during future upgrades of CzechIdM core, put the connector in e.g. /opt/czechidm/lib/ and create symbolic link in the CzechIdM webapp folder: +==== Adding Active Directory connector ====
-<code> +
-ln -s /opt/czechidm/lib/net.tirasa.connid.bundles.ad-1.3.4.jar /opt/tomcat/current/webapps/idm/WEB-INF/lib/net.tirasa.connid.bundles.ad-1.3.4.jar +
-</code> +
-</note>+
  
-Then restart the application serverIf you had CzechIdM already running in the web browserrefresh also the web browser window (e.gCtrl+F5).+Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by defaultYou can use it out of hand.
  
 +==== System for managing AD users ====
  
-Then with tutorial [[.eav|]], you should create EAVs for IdmTreeNode, IdmIdentity and IdmIdentityContract, so this EAVs can be used to create automatic roles. IdmTreeNode for an automatic role by organization and the others for an automatic role by attributes.+Loading AD groups to IdM is usually done when you want to manage the group membership of the AD users by IdM. So connecting the system for managing AD users is a logical step before you start to synchronize the groups. 
 + 
 +If you followed the [[.manage_ad|tutorial for managing AD users]], you have the necessary configuration of the **AD users** system mostly prepared. Specifically: 
 +  * the attribute ''Base contexts for group entry searches'' contains all containers in AD where the groups are located. (Or it's empty and ''Root suffixes'' cover all those containers.) 
 +  * the attribute ''ldapGroups'' is set in the connector configuration, in the schema and in the provisioning mapping with the MERGE strategy 
 + 
 +However, it's a common request to do **initial** loading of the group membership from AD. This topic will be covered later. FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the [[..dev:ad_groups_sync_workflow|groups synchronization workflow]] can resolve membership. 
 + 
 +==== Automatic creation of automatic roles ==== 
 + 
 +The synchronization of AD groups can also create some automatic roles based on the position of the groups in AD. These are specific options of the [[..dev:ad_groups_sync_workflow|groups synchronization workflow]] and it's not often used for typical setup. Howeverif you want to use it, make sure to create [[.eav|EAVs]] for IdmTreeNode, IdmIdentity and IdmIdentityContract, so this EAVs can be used to create automatic roles. IdmTreeNode for an automatic role by organization and the others for an automatic role by attributes.
  
  
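Review bot: the removed installation steps (downloading the ConnId AD bundle 1.3.4 jar, placing it under ''WEB-INF/lib'', the symlink tip and the application-server restart) are replaced only by the statement that the forked connector is bundled since CzechIdM 9.2, which leaves readers on older releases with no instruction; add a sentence that versions before 9.2 still need the connector jar installed manually, or link to the previous revision. The new "System for managing AD users" section also ships an open ''FIXME'' ("FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the groups synchronization workflow can resolve membership"), which reads as an author's to-do rather than documentation and should be completed or dropped before publishing. Minor wording in the added lines: "You can use it out of hand." should be "out of the box", "so this EAVs" should be "so these EAVs", and "Howeverif" is missing a space.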
Line 43: Line 48:
   * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these "paths" will be ignored. Content of **Root suffixes** could be same as **Base contexts** or just put in domain.   * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these "paths" will be ignored. Content of **Root suffixes** could be same as **Base contexts** or just put in domain.
   * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line)   * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line)
-  * **Group search scope** - Default subtree. Options: object, onelevel or subtree, however, all behave the same on the current version. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. **onelevel** ("onlevel" is a typo) will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize.+  * **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. FIXME All behave the same on the current version, so other options can't be used: <del>**onelevel** ("onlevel" is a typo) will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize.</del>
   * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=\*Administrator\*))(!(cn=\*Auditor\*)))''. However, you can't use a filter by whole distinguishedName.   * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=\*Administrator\*))(!(cn=\*Auditor\*)))''. However, you can't use a filter by whole distinguishedName.
   * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups.   * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups.
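Review bot: the **Group search scope** bullet is now internally contradictory: it still lists object, onelevel and subtree as options, while the added ''FIXME'' says all behave the same on the current version and the explanation of onelevel and object is only struck through with ''<del>'', which still renders and will confuse readers. Either verify the behaviour against the bundled forked connector and state only the value that actually works (subtree, the default), or remove the struck-through text entirely. While here, the **Entry object classes** bullet already warns that a wrong value can return users instead of groups; the **Root suffixes** bullet deserves a matching caution that putting only the domain there stops the suffix from excluding anything, so **Base contexts** and the **Custom group search filter** become the only controls on which AD groups are loaded into IdM, which is exactly what the ''(&(!(cn=\*Administrator\*))(!(cn=\*Auditor\*)))'' example is there to restrict.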
  • by kotynekv