tutorial:adm:manage_ad [2019/02/27 14:58]
fiserp [Before you start]
tutorial:adm:manage_ad [2019/02/27 15:23]
fiserp [Preparing Active Directory]
Line 19: Line 19:
  
 ==== Preparing Active Directory ==== ==== Preparing Active Directory ====
 +You must prepare your Active Directory for the CzechIdM integration, mainly:
 +  * Enable LDAPS (SSL-protected LDAP protocol) on the AD. This is vital for production deployments. Also, CzechIdM will not manage users' passwords if not connected to AD through LDAPS.
 +  * Create an user account for the CzechIdM. Identity manager will use this account to perform operations on your AD. Although you can use a Domain Administrator account, we highly discourage it.
 +    * This is simply a Domain User account like any other, but you should create it in different subtree than you want to manage through IdM.
 +  * Grant the CzechIdM user permissions on your AD.
 +
 +=== Granting permissions ===
 +Suppose we have a domain ''PISKOVISTE.BCV'' with corresponding domain components ''DC=piskoviste,DC=bcv'' and the IdM application user is ''CzechIdM (czechidm@piskoviste.bcv)''.
 +
 +  * CzechIdM needs to ''read'' AD configuration and schema subtrees. In our case:
 +    * ''CN=Configuration,DC=piskoviste,DC=bcv''
 +    * ''CN=Schema,CN=Configuration,DC=piskoviste,DC=bcv''
 +
 +Ability to read schema and sufficient AD configuration should be there by default for an authenticated user. Probably no need to adjust it.
 +
 +  * CzechIdM needs ''full control'' on subtrees which it will manage. Suppose we need to manage users, groups and computers and that we have a fairly simple setup. We grant full control to those subtrees:
 +    * ''CN=Computers,DC=piskoviste,DC=bcv''
 +    * ''CN=Users,DC=piskoviste,DC=bcv''
 +    * ''OU=Groups,DC=piskoviste,DC=bcv''
 +
 +Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory.
 +
 +**Granting full control to user**
 +
 +The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on.
 +
 +  - Open the ''Active Directory Users and Computers''.
 +  - Right-click a container (in our case it was simply marked ''Users'').
 +  - Choose ''Delegate Control''.
 +  - Choose the ''CzechIdM (czechidm@piskoviste.bcv)'' user.
 +  - Choose ''Create a custom task to delegate''.
 +  - Choose ''This folder, existing objects in this folder, and creation of new objects in this folder''.
 +  - Tick the ''Full Control'' checkbox. This will tick all possible checkboxes in the dialog window.
 +  - Check the summary and finish the wizard. Changes are effective immediatelly.
 +  - Repeat for other subtrees as necessary.
 +
  
 ===== Basic configuration ===== ===== Basic configuration =====
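Review bot: the bullet near the top of the hunk ("you should create it in different subtree than you want to manage through IdM") sits uneasily with the Full Control grant on ''CN=Users,DC=piskoviste,DC=bcv'' further down, because CN=Users is the default container that also holds the built-in Administrator account and the default domain groups; since step 8 of the wizard ticks every checkbox (including Modify Permissions and Reset Password), the CzechIdM service account would gain full write over every non-protected object that lands there, not only the users IdM is meant to manage. Suggest adding a sentence after "Which subtrees you need to grant privileges on depends on the actual directory tree" recommending a dedicated OU for IdM-managed users in production (the ''OU=Groups'' entry already shows that pattern) and keeping built-in and privileged accounts out of any subtree delegated to the IdM user. Minor wording: "Create an user account" should read "Create a user account", and "immediatelly" should be "immediately".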
  • by neznajf