Differences

This shows you the differences between two versions of the page.

tutorial:adm:ad_groups_sync [2020/03/16 17:24]
michalp tips for synchronization
tutorial:adm:ad_groups_sync [2020/03/17 09:51]
kubicar [Connector configuration]
Line 57: Line 57:
 <note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note> <note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note>
 <note tip> In user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note> <note tip> In user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note>
 +<note warning>
 +If there are more than 10000 groups in AD and "Base contexts for group entry searches" is set for DC=AD,DC=FIRMA,DC=CZ(root OU).
 +LDAP: error code 12 - 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION), data 0
 +
 +workaround/solution: separate ldap search with "Base context for group entry searches" and divide it into smaller searches(each line with one OU):
 +  * OU=001OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=003OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=004OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=005OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +and so on... 
 +</note>
  
  
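Review bot: the new `<note warning>` block opens with a conditional that has no main clause, so the reader has to infer that the quoted `LDAP: error code 12 - 000020EF ... problem 5010 (UNAVAIL_EXTENSION)` line is what the group search fails with; suggest "If there are more than 10000 groups in AD and "Base contexts for group entry searches" is set to the root, the group search fails with:" followed by the error line. The example DNs are also inconsistent with each other: the root is given as `DC=AD,DC=FIRMA,DC=CZ`, but the per-OU lines use `DC=ad,DC=FIRMA,DC=cz` and insert an `OU=FIRMA` level that the root never mentions; pick one spelling and one tree so the reader can map the example onto their own domain. Finally, "each line with one OU" should state explicitly that the field takes one base DN per line and whether each base context is searched as a subtree (so groups nested below `OU=001OU` are still found), because an administrator who splits the tree and leaves an OU out loses those groups silently, and the gap only surfaces later as roles that never get synchronized.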
Line 96: Line 108:
 ===== Synchronization of groups ===== ===== Synchronization of groups =====
 At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try "ldapGroups" attribute. At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try "ldapGroups" attribute.
 +
 +<note tip>If you synchronize groups with resolving users membership, the connector doesn't support groups with more than 1000 members (by default). If you need more, you must (temporarily) increase MaxPageSize in the AD configuration.</note>
  
 ==== Editing groups in Active Directory ==== ==== Editing groups in Active Directory ====
-CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD+CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in ADyou need to link these edits with IDM
- +If you will don't follow correct steps, you will end with following error in provisioning of users with incorrectly edited AD group:
- +
- +
-<note tip>Synchronization must be started after each time you **rename** a group or **move** group to another organization unit+
-Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue.+
  
 +<note tip>
 <code> <code>
 org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException: org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.NameNotFoundException:
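Review bot: the MaxPageSize note moved into "Synchronization of groups" is downgraded from `<note warning>` (the block removed further down) to `<note tip>`, although it describes a hard failure of membership resolution above 1000 members; keep it as a warning, and since MaxPageSize is an LDAP policy on the domain controllers rather than a connector setting, say who changes it and that it must be reverted after the run, which the bare "(temporarily)" only hints at. In the rewritten "Editing groups in Active Directory" paragraph the new text runs two sentences together ("…directly in ADyou need to link these edits with IDM") and the next line reads "If you will don't follow correct steps"; suggest "…directly in AD. You need to reflect these edits in IdM. If you don't follow the steps below, provisioning of any user who is a member of the edited group ends with the following error:". The old note's explicit instruction that synchronization must run after every rename or move is dropped from this note and now lives only under heading 1), so the error block here should at least point to the numbered sections that follow as the fix.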
Line 110: Line 121:
 remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local' remaining name 'CN=My_test_group,OU=Groups,DC=test_company,DC=local'
 </code> </code>
-Another option for this error is that you **deleted** group from AD or you **moved** it from IDM scope, but some users still have role from this group. 
 This error means that CzechIdM can not find DisniguishedName set in assigned role for any group in Active Directory. This error means that CzechIdM can not find DisniguishedName set in assigned role for any group in Active Directory.
-This group could be renamed, moved (within IDM scope or not), or deleted.+This group could be renamed, moved or deleted
 +if you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished.
 </note> </note>
  
  
-<note warning>If you synchronize groups with resolving users membership, the connector doesn't support groups with more than 1000 members (by default). If you need more, you must (temporarily) increase MaxPageSize in the AD configuration.</note>+==== 1) Rename or move group in Active Directory ==== 
 +Synchronization must be started after each time you **rename** a group or **move** group to another organization unit. 
 +Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue.
  
 +==== 2) Delete group in Actvive Directory or move group from CzechIdM scope ====
  
-===== Tips ===== 
  
-==== HOW EDIT, MOVE OD DELETE GROUP IN ACTIVE DIRECTORY ====+If you want to delete role or move it from IDM scope: 
 +  * Make sure that no users have assigned role for this group and than delete role from IDM and that role is not used as automatic role. 
 +  * Then you can remove group from AD and **remove role from managed attributes**. 
 + 
 +If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisionong will not be successful.  
 +You will recognize this situation by error mention in begining of chapeter and also if you will run synchronization of groups, in log of synchronization you will have some items in state **Missing account**. 
 + 
 +**To correctly remove group and role:** 
 +  * Open synchronization item with **Missing account** state and copy **Entity ID** from item. In most cases ID is ObjectGUID of the group. 
 +  * Go to **Account on system** on system for Groups and paste Entity ID into filter. By opening found item, you can see **role** for missing group. 
 +  * Make sure that you remove this role from all users. 
 +  * Remove the role from IDM. 
 +  * Remove group from AD. 
 +  * Go to system for AD User -> Attributes maping ->  Maping for provisioning and click on attribute **ldapGroups** -> go to tab **Controlled values** -> In section **Attributes controlled in past**, you will see the group -> delete it 
 + 
 +<note warning> 
 +If you will not perform last step and role was just moved from scope of IDM, because you want to manage this role without IDM -> **IDM will still remove group managed users!** 
 +</note> 
 + 
 + 
 + 
 + 
 +===== Tips =====
  
 ==== CREATE NEW GROUP IN ACTIVE DIRECTORY ==== ==== CREATE NEW GROUP IN ACTIVE DIRECTORY ====
  • by kotynekv
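Review bot: the removal procedure is stated twice with different orderings: the short list under "If you want to delete role or move it from IDM scope" (delete role, remove group from AD, remove role from managed attributes) and the later "To correctly remove group and role" list (find the role via the Missing account item, remove it from users, remove the role, remove the group, delete the entry under Controlled values / Attributes controlled in past); keep only the detailed list and move the `<note warning>` about IdM still removing the group from users directly after the ldapGroups step it refers to, because that step is the one that stops CzechIdM from continuing to strip a group it no longer manages from every user. The detailed list should also close with a verification step: run the group synchronization again and confirm that no items remain in the Missing account state and that the provisioning queue for the affected users is empty. In the short list, step 1 says "delete role from IDM and that role is not used as automatic role"; the automatic-role check belongs before the delete, not after it. Typos in the added text: "Actvive Directory" in heading 2), "provisionong", "begining of chapeter", "than delete", "Attributes maping / Maping", plus the pre-existing "DisniguishedName"; the new line "This group could be renamed, moved or deleted" drops the old "(within IDM scope or not)" qualifier and its final period, and the sentence after it starts lowercase. The run of empty `+` lines before "===== Tips =====" and the trailing "• by kotynekv" byline under the CREATE NEW GROUP heading look like artifacts of the edit rather than content.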