Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:manage_ad [2019/02/27 15:23]
fiserp [Preparing Active Directory] 		tutorial:adm:manage_ad [2019/03/19 13:38]
kucerar ssl tip
Line 41: Line 41:
 Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory. Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory.
  
-**Granting full control to user**+**Granting full control to CzechIdM application user**
  
 The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on. The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on.
Line 55: Line 55:
   - Repeat for other subtrees as necessary.   - Repeat for other subtrees as necessary.
  
 +<note important>
 +**CzechIdM has to have access to objects directly referenced from objects you manage.**
  
 +For example:
 +
 +A user is member of some groups, this is noted in his ''member'' attribute. If you want to manage the ''member'' attribute, the CzechIdM also has to have full access to the subtree with user groups.
 +However this requirement is not transitive in groups hierarchy.
 +In AD, you have a ''Groups\Domain Users'' group and every domain user is a member of this group. This means that every domain user has a ''member'' attribute which contains the ''Groups\Domain Users'' group DN.
 +But the ''Groups\Domain Users'' is itself a member of ''Builtin\Users'' group.
 +
 +If you want to manage your users and their group membership, you therefore need to grant full control on ''Users'' (to manage users) and ''Groups'' (because this is where ''Domain Users'' group is) **even if you do not want to manage groups themselves**. This is because of consistency checks performed by CzechIdM upon account provisioning.
 +
 +But you **do not need** to grant anything on ''Builtin'' because this is referenced from an user account only indirectly.
 +</note>
 ===== Basic configuration ===== ===== Basic configuration =====
 Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name.  Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. 
Line 197: Line 210:
  
 {{ :tutorial:adm:ad_user_properties_general.png | CN = Name }} {{ :tutorial:adm:ad_user_properties_general.png | CN = Name }}
 +
 +===== Connection via SSL not working =====
 +If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use.
 +Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window:
 +{{:tutorial:adm:trust.png?400|}}
 +click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf