Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:manage_ad [2019/10/18 09:19] doischert |
tutorial:adm:manage_ad [2020/08/13 11:22] apeterova special characters |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Systems - AD: Manage users ====== | ====== Systems - AD: Manage users ====== | ||
- | <note warning> | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from Connid. | + | This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. |
===== Before you start ===== | ===== Before you start ===== | ||
==== Adding Active Directory connector ==== | ==== Adding Active Directory connector ==== | ||
+ | |||
+ | <note warning> | ||
First of all, you need to download the connector from Connid (e.g. [[http:// | First of all, you need to download the connector from Connid (e.g. [[http:// | ||
Line 86: | Line 87: | ||
* **Server hostname** - hostname or IP | * **Server hostname** - hostname or IP | ||
* **Server port** - usually 389 or 636 | * **Server port** - usually 389 or 636 | ||
+ | * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''< | ||
* **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too. | * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too. | ||
* **Principal password** - password of the administrator user | * **Principal password** - password of the administrator user | ||
Line 94: | Line 96: | ||
* **Base contexts for user entry searches** - usually the same as "Root suffixes" | * **Base contexts for user entry searches** - usually the same as "Root suffixes" | ||
* **Group members reference attribute** - usually " | * **Group members reference attribute** - usually " | ||
- | * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. | + | * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. |
* **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | ||
* **Object classes to synchronize** - usually the same as "Entry object classes" | * **Object classes to synchronize** - usually the same as "Entry object classes" | ||
+ | * **Specified attributes to be returned** - default " | ||
- | <note important> | + | <note warning> |
+ | |||
+ | <note important> | ||
+ | ];" error</ | ||
<note important> | <note important> | ||
Line 126: | Line 132: | ||
* Add all attributes that you want to work with. As a minimum, the " | * Add all attributes that you want to work with. As a minimum, the " | ||
* Set all attributes as **Able to read, update, create**. | * Set all attributes as **Able to read, update, create**. | ||
+ | |||
+ | <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</ | ||
+ | |||
+ | <note warning> | ||
+ | If you want to use the workflow for groups synchronization, | ||
===== Mapping ===== | ===== Mapping ===== | ||
Line 197: | Line 208: | ||
Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | ||
+ | |||
+ | For managing group membership in multi domain AD environment follow [[tutorial: | ||
<note important> | <note important> | ||
Line 213: | Line 226: | ||
{{ : | {{ : | ||
+ | |||
+ | ===== ldapGroups not returned ===== | ||
+ | |||
+ | If you are running on a Windows server, the ' | ||
===== Connection via SSL not working ===== | ===== Connection via SSL not working ===== | ||
Line 219: | Line 236: | ||
{{: | {{: | ||
click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname. | click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname. | ||
+ | |||
+ | ===== LdapErr: DSID-0C0907C5 ===== | ||
+ | If you see this error when reconciliating AD groups: | ||
+ | < | ||
+ | |||
+ | the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. | ||
+ | |||
+ | ===== SvcErr: DSID-031007E5 - unsupported special characters in DN ===== | ||
+ | |||
+ | The AD connector doesn' | ||
+ | < | ||
+ | javax.naming.NamingException: | ||
+ | </ | ||
+ | |||
+ | Please rename your containers so they don't contain special characters. | ||
+ | |||
+ | See more about this known issue here: https:// | ||
+ | |||
+ | ===== Failover ===== | ||
+ | |||
+ | The configuration property Failover is used when the primary server (configured in the Server hostname) is unavailable. The attribute contains a list of AD servers that connector can use. | ||
+ | |||
+ | Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). | ||
+ | |||
+ | The value of this property must be a proper URL, e.g. ''< | ||
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |