Differences

tutorial:adm:manage_ad [2021/02/09 19:12]
apeterova removed old info about ConnId - the connector is bundled, reformated some instructions
tutorial:adm:manage_ad [2021/02/25 08:45]
apeterova extensionAttribute1
Line 77: Line 77:
   * **Server hostname** - hostname of the AD domain controller. (IP address could be used as well, but then it must be stated in the server's certificate Subject Alternative Name)   * **Server hostname** - hostname of the AD domain controller. (IP address could be used as well, but then it must be stated in the server's certificate Subject Alternative Name)
   * **Server port** - typically 636. (389 if not using SSL)   * **Server port** - typically 636. (389 if not using SSL)
-  * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''<nowiki>ldaps://123.456.789.012:636</nowiki>''.+  * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''<nowiki>ldaps://123.456.789.012:636</nowiki>''. If using multiple values, write each value at a separate line.
   * **Principal** - login@domain of the user with admin privilege that CzechIdM will use for the connection. DN of the user works too.   * **Principal** - login@domain of the user with admin privilege that CzechIdM will use for the connection. DN of the user works too.
   * **Principal password** - password of the administrator user   * **Principal password** - password of the administrator user
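Review bot: the failover example URL ''ldaps://123.456.789.012:636'' is not a valid IPv4 address (octets above 255), and the Server hostname bullet two lines up already says an IP only works if it is in the certificate's Subject Alternative Name, so a hostname such as ''ldaps://dc2.example.local:636'' (placeholder) would be a better example. Also "write each value at a separate line" should read "on a separate line"; the same sentence is added in the Failover section further down, so one of the two could simply refer to the other.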
Line 91: Line 91:
   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**
   * **Object classes to synchronize** - usually the same as "Entry object classes"   * **Object classes to synchronize** - usually the same as "Entry object classes"
-  * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName"+  * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName". This option is also used when you need to read attributes from AD, that are not returned by default, a typical example is extensionAttribute1 and other additional attributes.
  
 <note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned due to some white space problems</note> <note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned due to some white space problems</note>
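Review bot: in the added sentence the comma in "read attributes from AD, that are not returned by default" splits a restrictive clause; suggest "to read attributes from AD that are not returned by default, for example extensionAttribute1 and other additional attributes." Since the warning right below says stray white space in this field silently drops ldapGroups, it is worth stating here that each attribute goes on its own line without trailing whitespace.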
Line 111: Line 111:
 If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually: If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually:
  
-  * sAMAccountName - this attribute is not sometimes generated by default. If so you must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default. +  * sAMAccountName - this attribute is sometimes not generated by default (mainly if it isn't used as Uid). If soyou must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default. 
-  * \_\_ENABLE\_\_ - if you want to allow disabling a user in AD. Sometimes this attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name "\_\_ENABLE\_\_", type "java.lang.Boolean", able to read, update, create and returned by default. +  * \_\_ENABLE\_\_ - if you want to allow disabling a user in AD. This attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name "\_\_ENABLE\_\_", type "java.lang.Boolean", able to read, update, create and returned by default. 
-  * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). Use the button **Add**, fill in the name "\_\_NAME\_\_", type "java.lang.String", able to read, update, create and returned by default.+  * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). This attribute should be generated by default. If not, use the button **Add**, fill in the name "\_\_NAME\_\_", type "java.lang.String", able to read, update, create and returned by default.
   * \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name "\_\_PASSWORD\_\_", type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString", able to update, create   * \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name "\_\_PASSWORD\_\_", type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString", able to update, create
   * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name "ldapGroups", type "java.lang.String", able to read, multivalued, able to create, edit, returned by default   * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name "ldapGroups", type "java.lang.String", able to read, multivalued, able to create, edit, returned by default
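Review bot: the edited sAMAccountName bullet has a typo, "If soyou must" should be "If so, you must", and "(mainly if it isn't used as Uid)" reads better as "(mainly when it is not used as the Uid attribute)". The __ENABLE__ bullet now says the attribute is never generated by default yet keeps "so you can create it manually"; if it is needed to disable users, "so you must create it manually" matches the wording of the __PASSWORD__ and ldapGroups bullets.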
Line 120: Line 120:
  
 {{ :tutorial:adm:schema_attributes_list.png |}} {{ :tutorial:adm:schema_attributes_list.png |}}
- 
-If you want to set everything by yourself: 
- 
-  * Use button **Add** to create a new scheme. For users, you need to name it "**\_\_ACCOUNT\_\_**", because it is a ConnId constant 
-  * Add all attributes that you want to work with. As a minimum, the "**\_\_NAME\_\_**" and "**sAMAccountName**" attributes should be mapped. 
-  * Set all attributes as **Able to read, update, create**.  
  
 <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</note> <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</note>
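Review bot: removing the manual-schema block also drops the only statement that the user scheme is named "__ACCOUNT__" because it is a ConnId constant; the new Mapping extensionAttributes section below navigates to Scheme -> __ACCOUNT__ without explaining that name. Suggest keeping a one-line remark next to the schema_attributes_list screenshot that the generated scheme for users is called __ACCOUNT__ and that the name is fixed by the connector.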
Line 221: Line 215:
  
 If you are running on a Windows server, the 'ldapGroups' in 'Specified attributes to be returned' has the wrong value 'ldapGroups\r' (this is only visible in Audit). The solution is to remove the value in 'Specified attributes to be returned' and write it again manually. If you are running on a Windows server, the 'ldapGroups' in 'Specified attributes to be returned' has the wrong value 'ldapGroups\r' (this is only visible in Audit). The solution is to remove the value in 'Specified attributes to be returned' and write it again manually.
 +
 +===== Mapping extensionAttributes =====
 +
 +AD enables additional attributes named extensionAttribute1 - extensionAttribute10. If you want to fill these attributes by IdM, you must do following steps in the configuration of the connected system:
 +  * Go to **Configuration** -> **Specified attributes to be returned (multi)**, add **extensionAttribute1** to a new line under existing values.
 +  * Go to **Scheme** -> **\_\_ACCOUNT\_\_** -> use the button **Add**, fill in the name **extensionAttribute1**, type "java.lang.String", select able to read, update, create and returned by default.
 +  * Go to **Mapping** -> **Provisioning mapping** -> use the button **Add** and map the attribute according to your choice. The following example can be used when you want to fill the extensionAttribute1 by personal numbers of identities
 +    * Attribute in schema - extensionAttribute1
 +    * Name - extensionAttribute1
 +    * Entity attribute - true
 +    * Entity field - Personal number
  
 ===== Connection via SSL not working ===== ===== Connection via SSL not working =====
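Review bot: the heading and first sentence of the new section cover extensionAttribute1 - extensionAttribute10, but the steps only handle extensionAttribute1; state explicitly that the first two steps (adding the attribute to Specified attributes to be returned and to the __ACCOUNT__ scheme) must be repeated for every extensionAttribute that is mapped, since the Configuration section says such attributes are only read when listed there. The Windows white space warning for 'Specified attributes to be returned' applies to this step as well and deserves a cross-reference. Minor wording: "you must do following steps" -> "you must do the following steps"; "fill the extensionAttribute1 by personal numbers" -> "with personal numbers", and that sentence is missing its final period.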
Line 230: Line 235:
 ===== LdapErr: DSID-0C0907C5 ===== ===== LdapErr: DSID-0C0907C5 =====
 If you see this error when reconciliating AD groups: If you see this error when reconciliating AD groups:
-<code>org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C0907C5, comment: Error processing control, data 0, v1db1]; remaining name 'OU=BohemiaEnergy,DC=bohemiaenergy,DC=local'</code>+<code>org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C0907C5, comment: Error processing control, data 0, v1db1]; remaining name 'OU=company,DC=domain,DC=tld'</code>
  
 the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this.
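Review bot: replacing the customer-specific DN 'OU=BohemiaEnergy,DC=bohemiaenergy,DC=local' with the placeholder 'OU=company,DC=domain,DC=tld' is the right call for a public page; the unchanged text around the error would benefit from the same pass: "reconciliating" should be "reconciling" and "an arbitrary large number (30000)" should be "an arbitrarily large number (30000)".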
Line 251: Line 256:
 Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect).  Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). 
  
-The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''.+The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''. If using multiple values, write each value at a separate line.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
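Review bot: "write each value at a separate line" should be "on a separate line" here too; since this sentence is now duplicated verbatim in the Failover bullet of the Configuration section, one of the two places could link to the other so the copies do not drift apart.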
  • by neznajf