Differences
This shows you the differences between two versions of the page.
tutorial:adm:manage_ad [2019/02/27 14:57] fiserp [Distinguished Name (DN), Common Name (CN)] |
tutorial:adm:manage_ad [2019/04/04 08:13] kucerar [Connector configuration] base context for groups |
Line 5: | Line 5: | ||
===== Before you start ===== | ===== Before you start ===== | ||
+ | |||
+ | ==== Adding Active Directory connector ==== | ||
First of all, you need to download the connector from Connid (e.g. [[http:// | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
Line 16: | Line 18: | ||
Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | Then restart the application server. If you had CzechIdM already running in the web browser, refresh also the web browser window (e.g. Ctrl+F5). | ||
+ | ==== Preparing Active Directory ==== | ||
+ | You must prepare your Active Directory for the CzechIdM integration, | ||
+ | * Enable LDAPS (SSL-protected LDAP protocol) on the AD. This is vital for production deployments. Also, CzechIdM will not manage users' passwords if not connected to AD through LDAPS. | ||
+ | * Create an user account for the CzechIdM. Identity manager will use this account to perform operations on your AD. Although you can use a Domain Administrator account, we highly discourage it. | ||
+ | * This is simply a Domain User account like any other, but you should create it in different subtree than you want to manage through IdM. | ||
+ | * Grant the CzechIdM user permissions on your AD. | ||
+ | |||
+ | === Granting permissions === | ||
+ | Suppose we have a domain '' | ||
+ | |||
+ | * CzechIdM needs to '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Ability to read schema and sufficient AD configuration should be there by default for an authenticated user. Probably no need to adjust it. | ||
+ | |||
+ | * CzechIdM needs '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory. | ||
+ | |||
+ | **Granting full control to CzechIdM application user** | ||
+ | |||
+ | The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on. | ||
+ | |||
+ | - Open the '' | ||
+ | - Right-click a container (in our case it was simply marked '' | ||
+ | - Choose '' | ||
+ | - Choose the '' | ||
+ | - Choose '' | ||
+ | - Choose '' | ||
+ | - Tick the '' | ||
+ | - Check the summary and finish the wizard. Changes are effective immediatelly. | ||
+ | - Repeat for other subtrees as necessary. | ||
+ | |||
+ | <note important> | ||
+ | **CzechIdM has to have access to objects directly referenced from objects you manage.** | ||
+ | |||
+ | For example: | ||
+ | |||
+ | A user is member of some groups, this is noted in his '' | ||
+ | However this requirement is not transitive in groups hierarchy. | ||
+ | In AD, you have a '' | ||
+ | But the '' | ||
+ | |||
+ | If you want to manage your users and their group membership, you therefore need to grant full control on '' | ||
+ | |||
+ | But you **do not need** to grant anything on '' | ||
+ | </ | ||
===== Basic configuration ===== | ===== Basic configuration ===== | ||
Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. | Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. | ||
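Review bot: several spelling and grammar slips in the new "Preparing Active Directory" text: "Create an user account" should be "Create a user account", "create it in different subtree" should be "create it in a different subtree", "immediatelly" should be "immediately", and "not transitive in groups hierarchy" reads better as "not transitive in the group hierarchy". The closing tag on the last added line of the hunk is cut to `</`; confirm it is `</note>` so the important-note block is closed, otherwise the following "Basic configuration" section renders inside the note. The advice to keep the CzechIdM service account in a different subtree from the one it manages is good but gives no reason; one sentence saying that this keeps the account's own object outside the subtrees where it is granted full control would make the point of the recommendation clear.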
Line 36: | Line 89: | ||
* **User search scope** - manage users in specified container or subtrees. Usually subtree | * **User search scope** - manage users in specified container or subtrees. Usually subtree | ||
* **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, | * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, | ||
+ | * **Base contexts for group entry searches** - container in AD where the groups are located. If the groups are in different container then people and the group container is not under the path which is in "Root suffixes" | ||
* **Base contexts for user entry searches** - usually the same as "Root suffixes" | * **Base contexts for user entry searches** - usually the same as "Root suffixes" | ||
* **Group members reference attribute** - usually " | * **Group members reference attribute** - usually " | ||
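Review bot: in the new "Base contexts for group entry searches" item, "different container then people" should be "different container than people", and the sentence ends mid-way ("Root suffixes") in this rendering; check that the full text states what value to put in this field when the group container is outside the root suffix, since that is the case the item is introducing.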
Line 157: | Line 211: | ||
{{ : | {{ : | ||
+ | |||
+ | ===== Connection via SSL not working ===== | ||
+ | If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use. | ||
+ | Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window: | ||
+ | {{: | ||
+ | click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname. | ||
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |
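Review bot: the new "Connection via SSL not working" section needs punctuation and some grammar: "try following method" should be "try the following method", and "Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window:" should be split into two sentences, e.g. "Configure an SSL connection to AD in Apache Directory Studio. During the connection you will see this window:"; "click on View certificate" should start with a capital letter. It would also help to say why the step works: the TLS client checks that the configured server hostname matches a name in the server certificate, so the host name used in the connector must be the name the certificate was issued to (the CN shown in the dialog, or a Subject Alternative Name entry if present), not an IP address or an unlisted alias.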