Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:manage_ad [2019/02/27 15:39] fiserp [Preparing Active Directory] |
tutorial:adm:manage_ad [2019/11/20 12:16] doischert [Distinguished Name (DN), Common Name (CN)] |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Systems - AD: Manage users ====== | ====== Systems - AD: Manage users ====== | ||
+ | <note warning> | ||
===== Introduction ===== | ===== Introduction ===== | ||
Line 7: | Line 8: | ||
==== Adding Active Directory connector ==== | ==== Adding Active Directory connector ==== | ||
+ | |||
First of all, you need to download the connector from Connid (e.g. [[http:// | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, | ||
Line 88: | Line 90: | ||
* **Root suffixes** - the list distinguished names of the roots that connector uses for managing users. If you do not want to manage some account, it is advised not to include them in the Root suffixes. When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=aktest, | * **Root suffixes** - the list distinguished names of the roots that connector uses for managing users. If you do not want to manage some account, it is advised not to include them in the Root suffixes. When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=aktest, | ||
* **User search scope** - manage users in specified container or subtrees. Usually subtree | * **User search scope** - manage users in specified container or subtrees. Usually subtree | ||
- | * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, | + | * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, |
+ | * **Base contexts for group entry searches** - container in AD where the groups are located. If the groups are in different container then people and the group container is not under the path which is in "Root suffixes" | ||
* **Base contexts for user entry searches** - usually the same as "Root suffixes" | * **Base contexts for user entry searches** - usually the same as "Root suffixes" | ||
* **Group members reference attribute** - usually " | * **Group members reference attribute** - usually " | ||
- | * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. | + | * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. |
* **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | ||
* **Object classes to synchronize** - usually the same as "Entry object classes" | * **Object classes to synchronize** - usually the same as "Entry object classes" | ||
+ | * **Specified attributes to be returned** - default " | ||
+ | |||
+ | <note warning> | ||
<note important> | <note important> | ||
Line 123: | Line 129: | ||
* Add all attributes that you want to work with. As a minimum, the " | * Add all attributes that you want to work with. As a minimum, the " | ||
* Set all attributes as **Able to read, update, create**. | * Set all attributes as **Able to read, update, create**. | ||
+ | |||
+ | <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</ | ||
+ | |||
+ | <note warning> | ||
+ | If you want to use the workflow for groups synchronization, | ||
===== Mapping ===== | ===== Mapping ===== | ||
Line 210: | Line 221: | ||
{{ : | {{ : | ||
+ | |||
+ | ===== ldapGroups not returned ===== | ||
+ | |||
+ | If you are running on a Windows server, the ' | ||
+ | ===== Connection via SSL not working ===== | ||
+ | If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use. | ||
+ | Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window: | ||
+ | {{: | ||
+ | click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname. | ||
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |