Differences
tutorial:adm:manage_ad [2019/02/27 14:56] fiserp [Distinguished Name (DN), Common Name (CN)] |
tutorial:adm:manage_ad [2019/02/27 15:23] fiserp [Preparing Active Directory] |
Line 5: | Line 5: | ||
===== Before you start ===== | ===== Before you start ===== | ||
+ | |||
+ | ==== Adding Active Directory connector ==== | ||
First of all, you need to download the connector from Connid (e.g. [[http:// | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
Line 15: | Line 17: | ||
Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | ||
+ | |||
+ | ==== Preparing Active Directory ==== | ||
+ | You must prepare your Active Directory for the CzechIdM integration, | ||
+ | * Enable LDAPS (SSL-protected LDAP protocol) on the AD. This is vital for production deployments. Also, CzechIdM will not manage users' passwords if not connected to AD through LDAPS. | ||
+ | * Create an user account for the CzechIdM. Identity manager will use this account to perform operations on your AD. Although you can use a Domain Administrator account, we highly discourage it. | ||
+ | * This is simply a Domain User account like any other, but you should create it in different subtree than you want to manage through IdM. | ||
+ | * Grant the CzechIdM user permissions on your AD. | ||
+ | |||
+ | === Granting permissions === | ||
+ | Suppose we have a domain '' | ||
+ | |||
+ | * CzechIdM needs to '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Ability to read schema and sufficient AD configuration should be there by default for an authenticated user. Probably no need to adjust it. | ||
+ | |||
+ | * CzechIdM needs '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory. | ||
+ | |||
+ | **Granting full control to user** | ||
+ | |||
+ | The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on. | ||
+ | |||
+ | - Open the '' | ||
+ | - Right-click a container (in our case it was simply marked '' | ||
+ | - Choose '' | ||
+ | - Choose the '' | ||
+ | - Choose '' | ||
+ | - Choose '' | ||
+ | - Tick the '' | ||
+ | - Check the summary and finish the wizard. Changes are effective immediatelly. | ||
+ | - Repeat for other subtrees as necessary. | ||
+ | |||
===== Basic configuration ===== | ===== Basic configuration ===== | ||
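Review bot: the "Granting full control to user" procedure delegates Full Control on every subtree root, which is broader than the specific rights enumerated in the bullet lists above it; either delegate only those listed rights per subtree through the same wizard, or state in the text why Full Control is required so the reader does not over-privilege the service account. Two smaller points in the same hunk: the sub-bullet "create it in different subtree than you want to manage through IdM" should say outright that the CzechIdM account must not sit inside any subtree the delegation is applied to (otherwise it gains rights over itself), and "Changes are effective immediatelly" should read "immediately".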
Line 150: | Line 190: | ||
You can easily find DN of a user account with the help of **Active Directory Users and Computers** in your Windows server. Open the user's detail and switch to the tab **Attribute Editor**. You can see here the attributes in the same format as IdM sees them. | You can easily find DN of a user account with the help of **Active Directory Users and Computers** in your Windows server. Open the user's detail and switch to the tab **Attribute Editor**. You can see here the attributes in the same format as IdM sees them. | ||
- | < | + | < |
{{ : | {{ : |