Differences
Old revision: tutorial:adm:ad_groups_sync [2019/10/24 07:29] doischert [Connector configuration]
New revision: tutorial:adm:ad_groups_sync [2020/03/16 17:24] michalp tips for synchronization
Line 48: | Line 48: | ||
* **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | ||
* **useVlvControls** - have to be enabled - this is only supported option | * **useVlvControls** - have to be enabled - this is only supported option | ||
- | * **pageSize** - number, it should be greater | + | * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: |
- | * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended is sAMAccountName. | + | * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended |
* **Uid Attribute for groups** - unique identifier, recommended is objectGUID. | * **Uid Attribute for groups** - unique identifier, recommended is objectGUID. | ||
* **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**. | * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**. | ||
- | <note tip> | + | <note tip> |
+ | |||
+ | <note tip> In user provisioning system' | ||
+ | <note tip> In user provisioning system' | ||
===== Connector' | ===== Connector' | ||
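Review bot: the rewritten pageSize and vlvSortAttribute bullets end at "Recommended:" and "Recommended" without stating a value, so the reader is told to stay below the AD maximum page size (default 1000) but not what to set; the previous revision at least named sAMAccountName as the sort attribute, and the pageSize bullet should give a concrete number below that limit. Also, two consecutive added notes both open with "<note tip> In user provisioning system'", which looks like the same tip pasted twice; check whether one copy should be removed.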
Line 90: | Line 94: | ||
{{ : | {{ : | ||
- | ===== Synchronization ===== | + | ===== Synchronization |
At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | ||
- | <note tip> | + | |
- | < | + | ==== Editing groups in Active Directory ==== |
+ | CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD. | ||
+ | |||
+ | |||
+ | |||
+ | <note tip>Synchronization must be started after each time you **rename** a group or **move** group to another organization unit. | ||
+ | Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning | ||
+ | |||
+ | < | ||
+ | org.identityconnectors.framework.common.exceptions.ConnectorException: | ||
+ | [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, | ||
+ | remaining name ' | ||
+ | </ | ||
+ | Another option for this error is that you **deleted** group from AD or you **moved** it from IDM scope, but some users still have role from this group. | ||
+ | This error means that CzechIdM can not find DisniguishedName set in assigned role for any group in Active Directory. | ||
+ | This group could be renamed, moved (within IDM scope or not), or deleted. | ||
+ | </ | ||
+ | |||
+ | |||
+ | < | ||
===== Tips ===== | ===== Tips ===== | ||
+ | |||
+ | ==== HOW EDIT, MOVE OD DELETE GROUP IN ACTIVE DIRECTORY ==== | ||
+ | |||
+ | ==== CREATE NEW GROUP IN ACTIVE DIRECTORY ==== | ||
You can create a new security group in Active Directory with the Apache Directory Studio by following these steps: | You can create a new security group in Active Directory with the Apache Directory Studio by following these steps: |
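Review bot: the sentence "CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD." is missing its main verb; suggest "CzechIdM manages only the membership of users in Active Directory groups; the groups themselves are edited by administrators directly in AD." In the tip, "DisniguishedName" should be "DistinguishedName" and "Another option for this error" should be "Another cause of this error". It would also help to say that LDAP error code 32 is noSuchObject, i.e. the DN stored on the assigned role no longer resolves in AD, which is why rename, move and delete all surface as the same provisioning failure; the tip should then state what to do in the deleted-group case, since running synchronization cannot bring back a group that no longer exists. Finally, the new heading "HOW EDIT, MOVE OD DELETE GROUP IN ACTIVE DIRECTORY" has "OD" for "OR" and has no body text beneath it; either add the steps or leave the heading out until they are written.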