Differences
This shows you the differences between two versions of the page.
tutorial:adm:ad_groups_sync [2021/03/11 19:24] apeterova corrections - old AD connector, info about AD users
tutorial:adm:ad_groups_sync [2024/02/16 15:31] (current) kotynekv [Connector configuration] msDS-parentdistname info
Line 3: | Line 3: | ||
This tutorial is intended as a guide for administrators that want to load AD groups into CzechIdM (either one time or as a scheduled job). | This tutorial is intended as a guide for administrators that want to load AD groups into CzechIdM (either one time or as a scheduled job). | ||
- | You will learn | + | <note important> |
+ | |||
+ | You will learn | ||
* how to connect an AD system for groups synchronization | * how to connect an AD system for groups synchronization | ||
* how to use a groups sync workflow | * how to use a groups sync workflow | ||
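Review bot: the `<note important>` opened on the right side at the "You will learn" line has no visible closing `</note>` anywhere in this hunk, so as rendered the bullet list and everything after it would sit inside the note box; confirm that the closing tag is present in the full source directly after the note text, or move the opener below the list if the note only concerns the introduction.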
Line 18: | Line 21: | ||
Loading AD groups to IdM is usually done when you want to manage the group membership of the AD users by IdM. So connecting the system for managing AD users is a logical step before you start to synchronize the groups. | Loading AD groups to IdM is usually done when you want to manage the group membership of the AD users by IdM. So connecting the system for managing AD users is a logical step before you start to synchronize the groups. | ||
- | If you followed the [[.manage_ad|tutorial for managing AD users]], you have the necessary configuration of the **AD users** system mostly prepared. Specifically: | + | If you followed the [[.:manage_ad|tutorial for managing AD users]], you have the necessary configuration of the **AD users** |
- | * the attribute '' | + | |
- | * the attribute '' | + | |
- | However, it's a common request to do **initial** loading of the group membership from AD. This topic will be covered later. FIXME synchronization of AD users with mapped distinguishedName to EAV of identity, so the [[..dev: | + | |
+ | * the attribute '' | ||
- | ==== Automatic creation | + | However, it's a common request to do **initial** |
- | The synchronization | + | ==== Automatic creation |
+ | The synchronization of AD groups can also create some automatic roles based on the position of the groups in AD. These are specific options of the [[..: | ||
===== Create system ===== | ===== Create system ===== | ||
- | * Go to **Systems** in the left menu and then click on **Add**. | + | * Go to **Systems** |
- | {{ : | + | {{ .: |
* Fill in name of a system. And click on **Save and continue**. | * Fill in name of a system. And click on **Save and continue**. | ||
- | * In tab **Configuration** choose AD connector (net.tirasa.connid.bundles.ad.ADConnector) | + | * In tab **Configuration** |
- | {{ : | + | {{ .: |
===== Connector configuration ===== | ===== Connector configuration ===== | ||
+ | |||
On this page fill in these important values: | On this page fill in these important values: | ||
- | * **Server hostname** - IP address of ad server or hostname | ||
- | * **Server port** - on this port will server listen | ||
- | * **Principal** - with this username connector will connect to the AD system, this user has to have enough rights to reads groups | ||
- | * **Principal password** - password of the " | ||
- | * **Root suffixes** - there should be DNs of **Base contexts**, groups outside of these " | ||
- | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | ||
- | * **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, | ||
- | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter '' | ||
- | * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | ||
- | * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | ||
- | * **useVlvControls** - have to be enabled - this is only supported option | ||
- | * **pageSize** - number, it should be lower than maximum page size limit in AD, which is by default 1000. Recommended: | ||
- | * **vlvSortAttribute** - this should be identifier with sorting properties. Recommended for groups is cn. **DO NOT** use **distinguishedName** or any other unindexed attribute or you'll end up with " | ||
- | * **Uid Attribute for groups** - unique identifier, recommended is objectGUID. | ||
- | * **Object classes to synchronize** - Based on this filled object classes, groups to synchronized will be found. Content is usually same as **Entry object classes**. | ||
+ | * **Server hostname** | ||
+ | * **Server port** | ||
+ | * **Principal** | ||
+ | * **Principal password** | ||
+ | * **Root suffixes** | ||
+ | * **Entry object classes** | ||
+ | * **Group search scope** | ||
+ | * **Custom group search filter** | ||
+ | * **Base contexts for group entry searches** | ||
+ | * **Group members reference attribute** | ||
+ | * **useVlvControls** | ||
+ | * **pageSize** | ||
+ | * **vlvSortAttribute** | ||
+ | * **Uid Attribute for groups** | ||
+ | * **Object classes to synchronize** | ||
<note tip> | <note tip> | ||
- | <note tip> In user provisioning system' | + | <note tip> In user provisioning system' |
- | <note tip> In user provisioning system' | + | |
- | <note warning> | + | |
- | If there are more than 10000 groups in AD and "Base contexts for group entry searches" | + | |
- | LDAP: error code 12 - 000020EF: SvcErr: DSID-03140552, | + | |
workaround/ | workaround/ | ||
+ | |||
* OU=001OU, | * OU=001OU, | ||
* OU=002OU, | * OU=002OU, | ||
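Review bot: the Principal item ("this user has to have enough rights to reads groups") should state that read access to the group objects under the configured base contexts is all the synchronization needs, so a dedicated read-only service account is the right choice; the Principal password is stored in the connector configuration, which is one more reason not to reuse a privileged account here. Also "reads groups" should read "read groups". Secondary point: the right-hand column of the connector option list shows only the bold labels; if the descriptions were dropped in the new revision, restore them, in particular the "DO NOT use distinguishedName or any other unindexed attribute" caveat on vlvSortAttribute and the pageSize-below-1000 limit, since those are the operational content of this section and the later `<note warning>` about more than 10000 groups (LDAP error code 12, 000020EF) only makes sense with them.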
Line 73: | Line 74: | ||
* OU=005OU, | * OU=005OU, | ||
- | Another way to solve this problem is by using " | + | Another way to solve this problem is by using " |
- | </ | + | |
===== Connector' | ===== Connector' | ||
- | * Firstly in **Scheme** tab generate a schema with a green button. If there is some exception, you have probably mistake in the configuration of the connector. | ||
- | {{ : | + | * Firstly in **Scheme** |
- | * Then in **Mapping** tab create new mapping | + | {{ .:systems_-_ad: |
- | {{ : | + | * Then in **Mapping** |
- | * Now we will map just 4 attributes. Click on green add button like on picture below and this fill in: | + | {{ |
+ | * Now we will map just 4 attributes. Click on green add button like on picture below and this fill in: | ||
< | < | ||
+ | |||
| Attribute in schema | Name | Attribute | | Attribute in schema | Name | Attribute | ||
| __NAME__ (__GROUP__)| DN(__NAME__) | | __NAME__ (__GROUP__)| DN(__NAME__) | ||
| name (__GROUP__) | | name (__GROUP__) | ||
| name (__GROUP__) | | name (__GROUP__) | ||
- | | __UID__ (__GROUP__) | __UID__ | + | | __UID__ (__GROUP__) | __UID__ |
</ | </ | ||
- | {{ : | + | {{ .: |
- | * In **Synchronization** tab create new synchronization. | + | * In **Synchronization** |
- | {{ : | + | {{ .: |
- | * Enable **Allowed** and **Reconcilation**. Fill **Name, Set of mapped attributes** and then **Correlation attribute** | + | * Enable **Allowed** |
* Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account). | * Bellow there are 4 possibilities on state when synchronization starts (Linked, Not linked, Missing entity, Missing account). | ||
- | | + | |
- | * **Not Linked** - this means the group is in the AD and also in IdM, but in IdM was not created by synchronization, | + | * **Not Linked** |
- | * **Missing entity** - in other words - create action - group is in the AD, but in IdM it is not. It could be newly created in the AD, so it is not yet in IdM or it could be already erased in IdM. But this situation only supports " | + | * **Missing entity** |
- | * **Missing account** - or " | + | * **Missing account** |
- | * In each of these possibilities there is a select box " | + | * In each of these possibilities there is a select box " |
- | {{ : | + | {{ .: |
- | {{ : | + | |
===== Synchronization of groups ===== | ===== Synchronization of groups ===== | ||
+ | |||
At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | At this point configuring of synchronization is complete. Save this synchronization and run it. It should smoothly create a catalog, new roles and maybe even some automatic roles. If provisioning of memberships will fail do not forget to try " | ||
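Review bot: the "Correlation attribute" step says to fill it in but not which attribute to use; name it. Correlating on the group UID (the "Uid Attribute for groups" item recommends objectGUID) rather than on the DN or the name is the safer choice, because the rename/move section further down shows that the DN changes when administrators edit a group, and a name- or DN-based correlation could then link an account to the wrong role. Also, rows 3 and 4 of the mapping table both read `name (__GROUP__)` with their Name and Attribute columns empty; fill in the IdM-side attribute for each row so the reader sees why the same schema attribute is mapped twice. Typos in the same hunk: "Reconcilation" should be "Reconciliation", "Bellow" should be "Below".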
Line 119: | Line 121: | ||
==== Editing groups in Active Directory ==== | ==== Editing groups in Active Directory ==== | ||
- | CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD, you need to link these edits with IDM. | + | |
- | If you will don't follow correct steps, you will end with following error in provisioning of users with incorrectly edited AD group: | + | CzechIdM managing membership of users in Active Directory groups, editing of groups is controlled by administrators directly in AD, you need to link these edits with IDM. If you will don't follow correct steps, you will end with following error in provisioning of users with incorrectly edited AD group: |
<note tip> | <note tip> | ||
< | < | ||
+ | |||
org.identityconnectors.framework.common.exceptions.ConnectorException: | org.identityconnectors.framework.common.exceptions.ConnectorException: | ||
[LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, | [LDAP: error code 32 - 0000208D: NameErr: DSID-03100288, | ||
remaining name ' | remaining name ' | ||
+ | |||
</ | </ | ||
- | This error means that CzechIdM can not find DistinguishedName set in assigned role for any group in Active Directory. | ||
- | This group could be renamed, moved or deleted. | ||
- | If you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished. | ||
- | </ | ||
+ | This error means that CzechIdM can not find DistinguishedName set in assigned role for any group in Active Directory. This group could be renamed, moved or deleted. If you come across a mentioned error, just delete items in provisioning queue for users, go through the specified tutorial and resave stuck users when it's finished. </ | ||
==== 1) Rename or move group in Active Directory ==== | ==== 1) Rename or move group in Active Directory ==== | ||
- | Synchronization must be started after each time you **rename** a group or **move** group to another organization unit. | + | |
- | Otherwise provisioning of any user who is a member of the modified group will fail with following error in provisioning queue. | + | Synchronization must be started after each time you **rename** |
==== 2) Delete group in Active Directory or move group from CzechIdM scope ==== | ==== 2) Delete group in Active Directory or move group from CzechIdM scope ==== | ||
- | |||
If you want to delete role or move it from IDM scope: | If you want to delete role or move it from IDM scope: | ||
+ | |||
* Make sure that no users have assigned role for this group and that the role is not used as automatic role. | * Make sure that no users have assigned role for this group and that the role is not used as automatic role. | ||
* Then you can remove group from AD and **remove role from managed attributes**. | * Then you can remove group from AD and **remove role from managed attributes**. | ||
- | If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisioning will not be successful. | + | If you deleted groups or moved from IDM scope and you will try provisioning of users with linked role before synchronization of roles, provisioning will not be successful. |
You will recognize this situation by error mentioned in the note above and also if you will run synchronization of groups, in log of synchronization you will have some items in the state **Missing account**. | You will recognize this situation by error mentioned in the note above and also if you will run synchronization of groups, in log of synchronization you will have some items in the state **Missing account**. | ||
**To correctly remove group and role:** | **To correctly remove group and role:** | ||
- | | + | |
- | * Go to **Account on system** on system for Groups and paste Entity ID into filter. By opening found item, you can see **role** for missing group. | + | |
+ | * Go to **Account on system** | ||
* Make sure that you remove this role from all users. | * Make sure that you remove this role from all users. | ||
* Remove the role from IDM. | * Remove the role from IDM. | ||
* Remove group from AD. | * Remove group from AD. | ||
- | * Go to system for AD User -> Attributes mapping | + | * Go to system for AD User → Attributes mapping |
- | + | ||
- | <note warning> | + | |
- | If you will not perform last step and role was just moved from scope of IDM, because you want to manage this role without IDM -> **IDM will still remove group managed users!** | + | |
- | </ | + | |
- | + | ||
+ | <note warning> If you will not perform last step and role was just moved from scope of IDM, because you want to manage this role without IDM → **IDM will still remove group managed users!** | ||
===== Tips ===== | ===== Tips ===== | ||
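Review bot: the last step of "To correctly remove group and role" ("Go to system for AD User → Attributes mapping") is cut off before it says what to change, yet the warning that follows ("IDM will still remove group managed users!") hinges on exactly this step; spell it out: open the group membership attribute mapping on the AD users system and remove the deleted role from the managed attributes, as the earlier "remove role from managed attributes" bullet says. Also, the block explaining the LDAP error code 32 (NameErr, 0000208D) opens with `<note tip>` although it describes a failure condition; `<note warning>` matches the rest of the page. Wording: "If you will don't follow correct steps" should read "If you do not follow the correct steps".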
Line 171: | Line 168: | ||
- Select an existing group | - Select an existing group | ||
- | - Right click on the group name -> New -> New entry | + | - Right click on the group name → New → New entry |
- Check the "Use existing entry as template" | - Check the "Use existing entry as template" | ||
- | - Object classes: Write " | + | - Object classes: Write " |
- | - Distinguished Name: Set the value of RDN to your choice | + | - Distinguished Name: Set the value of RDN to your choice |
- A warning is displayed - click Cancel | - A warning is displayed - click Cancel | ||
- Set instanceType = 4 | - Set instanceType = 4 | ||
- | - Set sAMAccountName to your choice (right click -> Edit values) | + | - Set sAMAccountName to your choice (right click → Edit values) |
- | - Delete values (right click -> Delete values) of these attributes: | + | - Delete values (right click → Delete values) of these attributes: |
- | - nTSecurityDescriptor | + | - nTSecurityDescriptor |
- | - objectCategory | + | - objectCategory |
- | - member (if you don't want to copy members) | + | - member (if you don't want to copy members) |
- | - sAMAccountType | + | - sAMAccountType |
- | {{: | + | {{.: |
Finally, click Finish | Finally, click Finish | ||
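Review bot: the "Delete values" step lists nTSecurityDescriptor, objectCategory, member and sAMAccountType without saying why, and a one-line reason each would keep readers from skipping them. nTSecurityDescriptor carries the template group's access-control list, so clearing it lets AD assign the default security descriptor to the new group instead of copying the template's permissions; member decides who is in the new group from the start, so leaving it populated grants the template's whole membership to the new group at once, which is only what you want when the new role is meant to be an exact copy; objectCategory and sAMAccountType are maintained by the directory and should not be cloned from another entry.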