Differences

tutorial:adm:ad_groups_sync [2019/09/20 14:32]
regulat [Connector configuration]
tutorial:adm:ad_groups_sync [2020/03/16 17:24]
michalp tips for synchronization
Line 48: Line 48:
   * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users.   * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users.
   * **useVlvControls** - have to be enabled - this is only supported option   * **useVlvControls** - have to be enabled - this is only supported option
-  * **pageSize** - number, it should be greater than a count of all groups on AD. +  * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: 100
-  * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended is sAMAccountName+  * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended for groups is cn**DO NOT** user **distinguishedName** or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0];" error! 
-  * **Uid Attribute for groups** - unique identifier, recommended is sAMAccountName or objectGUID.+  * **Uid Attribute for groups** - unique identifier, recommended is objectGUID.
   * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**.   * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**.
  
-<note tip>**When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=aktest,DC=local), so the system schema can be correctly generated**</note>+<note tip>**When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=domain,DC=local), so the system schema can be correctly generated**</note> 
 + 
 +<note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note> 
 +<note tip> In user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note> 
  
 ===== Connector's mapping ===== ===== Connector's mapping =====
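Review bot: the rewritten **vlvSortAttribute** bullet runs two sentences together and has a typo: "Recommended for groups is cn**DO NOT** user **distinguishedName**" should read "Recommended for groups is cn. **DO NOT** use **distinguishedName** ...". The substance is right and worth keeping: VLV needs a server-side sort on an indexed attribute, and the "[LDAP: error code 12 ... UNAVAIL_EXTENSION ...]" quoted in the line is what an unindexed sort attribute produces. In the **pageSize** bullet, "should be lower than maximum page size limit in AD, which is by default 1000" reads as if 1000 itself were forbidden; say "must not exceed the MaxPageSize LDAP policy (1000 by default)" and name where that policy lives, since the old text ("greater than a count of all groups") pointed readers in the opposite direction. The change of the **Uid Attribute for groups** recommendation to objectGUID only is a good one, because objectGUID survives renames and moves while sAMAccountName does not; one sentence saying so would help, as the later note about renamed and moved groups failing provisioning depends on it. The two added tips ("Base context of groups should be filled too", "memberOf/ldapGroups ... Strategy as Merge") need articles and a verb: "In the user provisioning system's configuration, **Base context of groups** must be filled in as well, otherwise memberships are not provisioned correctly" and "The user provisioning system's schema and mapping must contain the memberOf/ldapGroups attribute with **Strategy** set to \"Merge\"."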
Line 90: Line 94:
 {{ :tutorial:adm:wfad08.png |}} {{ :tutorial:adm:wfad08.png |}}
  
-===== Synchronization =====+===== Synchronization of groups =====
 At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try "ldapGroups" attribute. At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try "ldapGroups" attribute.
-<note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note> + 
-<note tipIn user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note>+==== Editing groups in Active Directory ==== 
 +CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD. 
 + 
 + 
 + 
 +<note tip>Synchronization must be started after each time you **rename** a group or **move** group to another organization unit. 
 +Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue. 
 + 
 +<code> 
 +org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException: 
 +[LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, problem 2001 (NO_OBJECT), data 0, best match of:'OU=Groups,DC=test_company,DC=local']; 
 +remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local' 
 +</code> 
 +Another option for this error is that you **deleted** group from AD or you **moved** it from IDM scopebut some users still have role from this group. 
 +This error means that CzechIdM can not find DisniguishedName set in assigned role for any group in Active Directory. 
 +This group could be renamed, moved (within IDM scope or not), or deleted. 
 +</note> 
 + 
 + 
 +<note warning>If you synchronize groups with resolving users membership, the connector doesn't support groups with more than 1000 members (by default). If you need more, you must (temporarily) increase MaxPageSize in the AD configuration.</note>
  
  
 ===== Tips ===== ===== Tips =====
 +
 +==== HOW EDIT, MOVE OD DELETE GROUP IN ACTIVE DIRECTORY ====
 +
 +==== CREATE NEW GROUP IN ACTIVE DIRECTORY ====
  
 You can create a new security group in Active Directory with the Apache Directory Studio by following these steps: You can create a new security group in Active Directory with the Apache Directory Studio by following these steps:
  • by kotynekv
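Review bot: the new subsection header "HOW EDIT, MOVE OD DELETE GROUP IN ACTIVE DIRECTORY" is misspelled (it should be "HOW TO EDIT, MOVE OR DELETE A GROUP IN ACTIVE DIRECTORY") and has no body; the material about renamed, moved and deleted groups went into the note under "Editing groups in Active Directory" instead, so either give this header content or drop it. Typos in the new note: "DisniguishedName" should be "DistinguishedName", "IDM scopebut" should be "IDM scope but", and the lead sentence "CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD." has no main verb; suggest "CzechIdM manages the membership of users in Active Directory groups; the groups themselves are edited by administrators directly in AD." The error-32 example and the explanation that the DN stored on the assigned role no longer resolves are clear and should stay. The warning about groups with more than 1000 members blames MaxPageSize, but MaxPageSize caps the number of entries per search page; the number of values AD returns for a multi-valued attribute such as member is governed by the separate MaxValRange policy (1500 by default), so please verify which limit the connector actually hits before telling readers to raise MaxPageSize. Either policy is domain-wide and affects every LDAP client, so the note should state plainly that the default must be restored afterwards rather than leaving "(temporarily)" in parentheses.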