Differences

This shows you the differences between two versions of the page.

tutorial:adm:ad_groups_sync [2020/03/16 22:23]
michalp finished tutorial
tutorial:adm:ad_groups_sync [2020/11/02 12:42]
apeterova typos
Line 57: Line 57:
 <note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note> <note tip> In user provisioning system's configuration **Base context of groups** should be filled too, for correctly provisioning memberships</note>
 <note tip> In user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note> <note tip> In user provisioning system's schema and mapping should have attribute memberOf/ldapGroups and **Strategy** as "Merge".</note>
 +<note warning>
 +If there are more than 10000 groups in AD and "Base contexts for group entry searches" is set for DC=AD,DC=FIRMA,DC=CZ(root OU).
 +LDAP: error code 12 - 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION), data 0
 +
 +workaround/solution: separate ldap search with "Base context for group entry searches" and divide it into smaller searches(each line with one OU):
 +  * OU=001OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=002OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=003OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=004OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +  * OU=005OU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz
 +and so on... 
 +</note>
  
  
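Review bot: the new warning never states what actually fails: its first sentence stops after the base context DN and the next line is a bare LDAP error string, so join them ("... is set to DC=AD,DC=FIRMA,DC=CZ (the domain root), group synchronization fails with:"). The DNs in the workaround also do not match the root named one line earlier: the root is written DC=AD,DC=FIRMA,DC=CZ and called "root OU" (a domain root is not an OU), while the five example entries are OU=00nOU,OU=FIRMA,DC=ad,DC=FIRMA,DC=cz, so either use one spelling for the domain or say that the two are meant to be the same domain. Two smaller points: the setting is called "Base contexts for group entry searches" in the first sentence and "Base context for group entry searches" in the workaround, and the note should say whether 10000 is an observed figure or a configured limit on the domain controller side, so that the reader knows whether to check the server's LDAP policy rather than just count groups.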
Line 119: Line 131:
 Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue. Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue.
  
-==== 2) Delete group in Actvive Directory or move group from CzechIdM scope ====+==== 2) Delete group in Active Directory or move group from CzechIdM scope ====
  
  
 If you want to delete role or move it from IDM scope: If you want to delete role or move it from IDM scope:
-  * Make sure that no users have assigned role for this group and than delete role from IDM and that role is not used as automatic role.+  * Make sure that no users have assigned role for this group and that the role is not used as automatic role.
   * Then you can remove group from AD and **remove role from managed attributes**.   * Then you can remove group from AD and **remove role from managed attributes**.
  
-If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisionong will not be successful.  +If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisioning will not be successful.  
-You will recognize this situation by error mention in begining of chapeter and also if you will run synchronization of groups, in log of synchronization you will have some items in state **Missing account**.+ 
 +You will recognize this situation by error mentioned in the note above and also if you will run synchronization of groups, in log of synchronization you will have some items in the state **Missing account**.
  
 **To correctly remove group and role:** **To correctly remove group and role:**
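Review bot: the rewrite of the first bullet drops an instruction, not just a typo: the old text read "Make sure that no users have assigned role for this group and than delete role from IDM and that role is not used as automatic role", the new text keeps only the two checks, so the step of deleting the role in CzechIdM no longer appears anywhere in this list (the next bullet only removes the group from AD and the role from managed attributes). If deleting the role in CzechIdM is still required before the AD group is removed, restore it, e.g. "..., then delete the role in CzechIdM."; if it is intentionally deferred to the "To correctly remove group and role" steps that follow, say so in the bullet. Also, "error mentioned in the note above" is a vaguer pointer than the old "beginning of chapter"; name the note or quote the queue error so the reader can find it.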
  • by kotynekv