Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:manage_ad [2019/02/27 14:57]
fiserp [Distinguished Name (DN), Common Name (CN)]
+++ tutorial:adm:manage_ad [2019/02/27 15:23]
fiserp [Preparing Active Directory]
@@ Line 5: / Line 5: @@
 ===== Before you start =====
+==== Adding Active Directory connector ====
 First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]).
 Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, the path would be ''/opt/tomcat/current/webapps/idm/WEB-INF/lib/''.
@@ Line 15: / Line 17: @@
 Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5).
+==== Preparing Active Directory ====
+You must prepare your Active Directory for the CzechIdM integration, mainly:
+  * Enable LDAPS (SSL-protected LDAP protocol) on the AD. This is vital for production deployments. Also, CzechIdM will not manage users' passwords if not connected to AD through LDAPS.
+  * Create an user account for the CzechIdM. Identity manager will use this account to perform operations on your AD. Although you can use a Domain Administrator account, we highly discourage it.
+    * This is simply a Domain User account like any other, but you should create it in different subtree than you want to manage through IdM.
+  * Grant the CzechIdM user permissions on your AD.
+=== Granting permissions ===
+Suppose we have a domain ''PISKOVISTE.BCV'' with corresponding domain components ''DC=piskoviste,DC=bcv'' and the IdM application user is ''CzechIdM (czechidm@piskoviste.bcv)''.
+  * CzechIdM needs to ''read'' AD configuration and schema subtrees. In our case:
+    * ''CN=Configuration,DC=piskoviste,DC=bcv''
+    * ''CN=Schema,CN=Configuration,DC=piskoviste,DC=bcv''
+Ability to read schema and sufficient AD configuration should be there by default for an authenticated user. Probably no need to adjust it.
+  * CzechIdM needs ''full control'' on subtrees which it will manage. Suppose we need to manage users, groups and computers and that we have a fairly simple setup. We grant full control to those subtrees:
+    * ''CN=Computers,DC=piskoviste,DC=bcv''
+    * ''CN=Users,DC=piskoviste,DC=bcv''
+    * ''OU=Groups,DC=piskoviste,DC=bcv''
+Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory.
+**Granting full control to user**
+The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on.
+  - Open the ''Active Directory Users and Computers''.
+  - Right-click a container (in our case it was simply marked ''Users'').
+  - Choose ''Delegate Control''.
+  - Choose the ''CzechIdM (czechidm@piskoviste.bcv)'' user.
+  - Choose ''Create a custom task to delegate''.
+  - Choose ''This folder, existing objects in this folder, and creation of new objects in this folder''.
+  - Tick the ''Full Control'' checkbox. This will tick all possible checkboxes in the dialog window.
+  - Check the summary and finish the wizard. Changes are effective immediatelly.
+  - Repeat for other subtrees as necessary.
 ===== Basic configuration =====