Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:manage_ad [2019/02/27 14:57] fiserp [Distinguished Name (DN), Common Name (CN)] |
tutorial:adm:manage_ad [2019/02/27 15:39] fiserp [Preparing Active Directory] |
||
---|---|---|---|
Line 5: | Line 5: | ||
===== Before you start ===== | ===== Before you start ===== | ||
+ | |||
+ | ==== Adding Active Directory connector ==== | ||
First of all, you need to download the connector from Connid (e.g. [[http:// | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
Line 16: | Line 18: | ||
Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | ||
+ | ==== Preparing Active Directory ==== | ||
+ | You must prepare your Active Directory for the CzechIdM integration, | ||
+ | * Enable LDAPS (SSL-protected LDAP protocol) on the AD. This is vital for production deployments. Also, CzechIdM will not manage users' passwords if not connected to AD through LDAPS. | ||
+ | * Create an user account for the CzechIdM. Identity manager will use this account to perform operations on your AD. Although you can use a Domain Administrator account, we highly discourage it. | ||
+ | * This is simply a Domain User account like any other, but you should create it in different subtree than you want to manage through IdM. | ||
+ | * Grant the CzechIdM user permissions on your AD. | ||
+ | |||
+ | === Granting permissions === | ||
+ | Suppose we have a domain '' | ||
+ | |||
+ | * CzechIdM needs to '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Ability to read schema and sufficient AD configuration should be there by default for an authenticated user. Probably no need to adjust it. | ||
+ | |||
+ | * CzechIdM needs '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory. | ||
+ | |||
+ | **Granting full control to CzechIdM application user** | ||
+ | |||
+ | The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on. | ||
+ | |||
+ | - Open the '' | ||
+ | - Right-click a container (in our case it was simply marked '' | ||
+ | - Choose '' | ||
+ | - Choose the '' | ||
+ | - Choose '' | ||
+ | - Choose '' | ||
+ | - Tick the '' | ||
+ | - Check the summary and finish the wizard. Changes are effective immediatelly. | ||
+ | - Repeat for other subtrees as necessary. | ||
+ | |||
+ | <note important> | ||
+ | **CzechIdM has to have access to objects directly referenced from objects you manage.** | ||
+ | |||
+ | For example: | ||
+ | |||
+ | A user is member of some groups, this is noted in his '' | ||
+ | However this requirement is not transitive in groups hierarchy. | ||
+ | In AD, you have a '' | ||
+ | But the '' | ||
+ | |||
+ | If you want to manage your users and their group membership, you therefore need to grant full control on '' | ||
+ | |||
+ | But you **do not need** to grant anything on '' | ||
+ | </ | ||
===== Basic configuration ===== | ===== Basic configuration ===== | ||
Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. | Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. |