Differences
This shows you the differences between two versions of the page.
tutorial:adm:ad_groups_sync [2021/03/04 11:02] apeterova typos |
tutorial:adm:ad_groups_sync [2021/07/16 12:52] stekld [Systems - AD: Groups synchronization] |
Line 2: | Line 2: | ||
This tutorial is intended as a guide for administrators that want to load AD groups into CzechIdM (either one time or as a scheduled job). | This tutorial is intended as a guide for administrators that want to load AD groups into CzechIdM (either one time or as a scheduled job). | ||
+ | |||
+ | <note important> | ||
You will learn | You will learn | ||
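Review bot: the newly added `<note important>` shows only its opening tag in this hunk, with the "You will learn" list following directly after it; confirm that the matching `</note>` is present on the line that was cut off here, otherwise DokuWiki will render the whole "You will learn" list (and everything up to the next `</note>`) inside the important-note box.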
Line 7: | Line 9: | ||
* how to use a groups sync workflow | * how to use a groups sync workflow | ||
* how to prepare users to be able to assign them IdM roles by their AD groups | * how to prepare users to be able to assign them IdM roles by their AD groups | ||
+ | |||
===== Before you start ===== | ===== Before you start ===== | ||
- | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
- | Then add the jar file into the CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
- | <note tip>To preserve the connector | + | ==== Adding Active Directory |
- | < | + | |
- | ln -s /opt/czechidm/lib/net.tirasa.connid.bundles.ad-1.3.4.jar / | + | Since CzechIdM |
- | </ | + | |
- | </ | + | ==== System for managing AD users ==== |
+ | |||
+ | Loading AD groups to IdM is usually done when you want to manage the group membership of the AD users by IdM. So connecting the system for managing AD users is a logical step before you start to synchronize the groups. | ||
+ | |||
+ | If you followed the [[.manage_ad|tutorial for managing AD users]], you have the necessary configuration of the **AD users** system mostly prepared. Specifically: | ||
+ | * the attribute '' | ||
+ | * the attribute '' | ||
- | Then restart | + | However, it's a common request to do **initial** loading of the group membership from AD. This topic will be covered later. FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the [[..dev: |
+ | ==== Automatic creation of automatic roles ==== | ||
- | Then with tutorial | + | The synchronization of AD groups can also create some automatic roles based on the position of the groups in AD. These are specific options of the [[..dev: |
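Review bot: the paragraph starting "However, it's a common request to do **initial** loading of the group membership from AD" still carries a draft marker in the published text: "This topic will be covered later. FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the [[..dev:". Either finish that sentence as a proper cross-reference to the AD users synchronization and the distinguishedName-to-EAV mapping it relies on, or cut the FIXME fragment and keep only "This topic will be covered later." Also worth a second look: this hunk drops the `<note tip>` with the `ln -s /opt/czechidm/lib/net.tirasa.connid.bundles.ad-1.3.4.jar ...` symlink that kept the connector across upgrades, in favour of "Since CzechIdM ..."; if the AD connector is now bundled with CzechIdM from a given version, the replacement sentence should name that version so administrators on older installations know they still need the manual jar step.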
Line 43: | Line 51: | ||
* **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | ||
* **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | ||
- | * **Group search scope** - Default subtree. Options: object, onelevel or subtree, however, all behave the same on the current version. It means where it will search for groups. As a **subtree**, | + | * **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, |
* **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | ||
* **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | ||
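Review bot: the edit to **Group search scope** removes the caveat "however, all behave the same on the current version" without saying why. If the connector now honours `object`, `onelevel` and `subtree` differently, state from which connector version that holds; if not, keep the caveat, since an administrator who sets `onelevel` expecting to exclude nested OUs (and the groups under them) would otherwise get a silent over-broad search. Note too that the **Entry object classes** bullet already warns that a wrong setting "could find even users", so the scope description should be just as precise about what is and is not searched.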
Line 75: | Line 83: | ||
* Firstly in **Scheme** tab generate a schema with a green button. If there is some exception, you have probably mistake in the configuration of the connector. | * Firstly in **Scheme** tab generate a schema with a green button. If there is some exception, you have probably mistake in the configuration of the connector. | ||
- | {{ : | + | {{ : |
* Then in **Mapping** tab create new mapping - synchronization (\_\_GROUP\_\_ (Object name), Role (Entity type)). | * Then in **Mapping** tab create new mapping - synchronization (\_\_GROUP\_\_ (Object name), Role (Entity type)). | ||
- | {{ : | + | {{ : |
* Now we will map just 4 attributes. Click on green add button like on picture below and this fill in: | * Now we will map just 4 attributes. Click on green add button like on picture below and this fill in: | ||
Line 85: | Line 93: | ||
< | < | ||
| Attribute in schema | Name | Attribute | | Attribute in schema | Name | Attribute | ||
- | | __Name__ | + | | __NAME__ |
| name (__GROUP__) | | name (__GROUP__) | ||
- | | code (__GROUP__) | + | | name (__GROUP__) |
| __UID__ (__GROUP__) | __UID__ | | __UID__ (__GROUP__) | __UID__ | ||
</ | </ | ||
- | {{ : | + | {{ : |
* In **Synchronization** tab create new synchronization. | * In **Synchronization** tab create new synchronization. |
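Review bot: the mapping table now lists `name (__GROUP__)` twice (the second row replaces the former `code (__GROUP__)` row), while the text above still says "we will map just 4 attributes". Two rows with the same schema attribute are fine if they map the AD `name` to different IdM fields (role name and role code), but the IdM-side column, which is cut off in this view, should make that explicit, otherwise the reader will take the second row for an accidental duplicate. The `__Name__` to `__NAME__` change is correct: ConnId special attributes are upper-case, and a mismatched case leads to the attribute not being found in the generated schema.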