Differences
This shows you the differences between two versions of the page.
tutorial:adm:manage_ad [2021/02/09 19:12] apeterova removed old info about ConnId - the connector is bundled, reformatted some instructions |
tutorial:adm:manage_ad [2021/06/24 14:46] soval [Password mapping] |
Line 1: | Line 1: | ||
====== Systems - AD: Manage users ====== | ====== Systems - AD: Manage users ====== | ||
- | |||
===== Introduction ===== | ===== Introduction ===== | ||
This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | ||
+ | |||
+ | You can as well use [[tutorial: | ||
===== Before you start ===== | ===== Before you start ===== | ||
- | |||
==== Adding Active Directory connector ==== | ==== Adding Active Directory connector ==== | ||
- | |||
Since CzechIdM 9.2, the [[https:// | Since CzechIdM 9.2, the [[https:// | ||
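Review bot: the added sentence "You can as well use ..." is not idiomatic; "You can also use ..." is the usual form. The link target is cut off in this view, so make sure the sentence itself names what the alternative tutorial covers, because the introduction above only mentions the bundled ConnId AD connector and the reader needs to know why they would pick the other page.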
Line 77: | Line 76: | ||
* **Server hostname** - hostname of the AD domain controller. (IP address could be used as well, but then it must be stated in the server' | * **Server hostname** - hostname of the AD domain controller. (IP address could be used as well, but then it must be stated in the server' | ||
* **Server port** - typically 636. (389 if not using SSL) | * **Server port** - typically 636. (389 if not using SSL) | ||
- | * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''< | + | * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''< |
* **Principal** - login@domain of the user with admin privilege that CzechIdM will use for the connection. DN of the user works too. | * **Principal** - login@domain of the user with admin privilege that CzechIdM will use for the connection. DN of the user works too. | ||
* **Principal password** - password of the administrator user | * **Principal password** - password of the administrator user | ||
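Review bot: the Principal bullet says "user with admin privilege" without saying which privileges the connection actually needs; document the minimum rights for the service account (for example create, modify and reset-password rights on the OU that CzechIdM manages) rather than implying a domain administrator, since this account's password is stored in the IdM system configuration. The Failover bullet's URL format is truncated here; it should state that the scheme must match the SSL choice made in the Server port bullet (an ldaps:// URL when the primary uses 636, ldap:// when it uses 389).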
Line 91: | Line 90: | ||
* **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use " | ||
* **Object classes to synchronize** - usually the same as "Entry object classes" | * **Object classes to synchronize** - usually the same as "Entry object classes" | ||
- | * **Specified attributes to be returned** - default " | + | * **Specified attributes to be returned** - default " |
<note warning> | <note warning> | ||
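Review bot: "this is one of the most important option" should read "one of the most important options", and "Must be unique and should not change" needs its subject ("The attribute value must be unique ..."). The recommended attribute in the bold sentence is cut off in this view; since the bullet says the UID is stored for every account and must never change, name the attribute explicitly and contrast it with \_\_NAME\_\_ (the DN, per the scheme section), which changes whenever an account is moved or renamed and is therefore unsuitable as the key.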
Line 111: | Line 110: | ||
If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually: | If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually: | ||
- | * sAMAccountName - this attribute is not sometimes generated by default. If so you must create it manually. Use the button **Add**, fill in the name " | + | * sAMAccountName - this attribute is sometimes |
- | * \_\_ENABLE\_\_ - if you want to allow disabling a user in AD. Sometimes this attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name " | + | * \_\_ENABLE\_\_ - if you want to allow disabling a user in AD. This attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name " |
- | * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). | + | * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). |
* \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name " | * \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name " | ||
* ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name " | * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name " | ||
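Review bot: the reworded sAMAccountName bullet now reads "this attribute is sometimes" and then breaks, while the \_\_ENABLE\_\_ bullet was changed from "Sometimes this attribute is not generated" to "This attribute is not generated by default"; both bullets should use the same definitive phrasing, because the reader has to know whether to expect the attribute in the generated scheme or to add it by hand. The \_\_PASSWORD\_\_ bullet should also say that AD accepts password writes only over an encrypted connection, which is why the Server port bullet defaults to 636 and why the "Connection via SSL not working" section matters specifically for this attribute.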
Line 120: | Line 119: | ||
{{ : | {{ : | ||
- | |||
- | If you want to set everything by yourself: | ||
- | |||
- | * Use button **Add** to create a new scheme. For users, you need to name it " | ||
- | * Add all attributes that you want to work with. As a minimum, the " | ||
- | * Set all attributes as **Able to read, update, create**. | ||
<note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</ | <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</ | ||
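Review bot: removing the "If you want to set everything by yourself" block also removes the only instruction to set attributes as "Able to read, update, create"; check that the generated-scheme path (the Line 111 hunk above) still tells the reader to set those permissions on each manually added attribute (\_\_ENABLE\_\_, \_\_PASSWORD\_\_, ldapGroups), otherwise there is no longer any guidance on the permission checkboxes for attributes added with the **Add** button.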
Line 171: | Line 164: | ||
* Entity attribute - false | * Entity attribute - false | ||
* Attribute with password - true | * Attribute with password - true | ||
+ | |||
+ | ==== Forced password change ==== | ||
+ | When mapping AD attributes, it is sometimes useful to be able to set a forced password change option. | ||
+ | |||
+ | This requirement is often set for two different cases: | ||
+ | |||
+ | * We need to change the password when logging into AD **for a new user account** | ||
+ | * We need to force a password change but **only after a password reset** | ||
+ | |||
+ | 1/ To force a password change for newly created users, map the **" | ||
+ | |||
+ | |||
+ | 2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox " | ||
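Review bot: the new section numbers its steps "1/" and "2/" while the rest of the page uses "*" wiki bullets; use a numbered wiki list instead. Step 2 ("force password change every time password is reset") needs articles: "force a password change every time the password is reset". Both steps map pwdLastSet and differ only in the checkbox whose name is truncated here, so state explicitly which value is written to pwdLastSet and when (only on account creation versus on every password change), since a mapping that writes it on every provisioning run would force a password change on every synchronisation.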
Line 184: | Line 190: | ||
From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | ||
+ | |||
+ | <note important> | ||
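Review bot: "every time user gets the role" should read "every time a user gets the role", and "on users detail menu tab" should read "on the user's detail, menu tab". The added <note important> is cut off in this view; its text should be checked against the role-assignment sentence it follows so that it states the condition under which provisioning does not happen.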
Line 194: | Line 202: | ||
* **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | ||
- | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, | + | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, |
- | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE or AUTH.MERGE**. Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. | + | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE** (or AUTH.MERGE, make sure to use the same as in the provisioning mapping). Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. |
Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | ||
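Review bot: the transformation sentence in the second paragraph is garbled in both versions ("that is the value of DN of the group in AD ' " ' sign on each side of the text"); say plainly that the transformation returns the group's DN as a quoted string literal, e.g. "CN=CRM basic user,OU=Groups,DC=example,DC=com" (illustrative DN, not from the page). The new MERGE wording is an improvement, but add one clause explaining how MERGE and AUTH.MERGE differ, since the page asks the reader to choose the same one in two places without saying what each does to group memberships that were not set by IdM.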
Line 221: | Line 229: | ||
If you are running on a Windows server, the ' | If you are running on a Windows server, the ' | ||
+ | |||
+ | ===== Mapping extensionAttributes ===== | ||
+ | |||
+ | AD enables additional attributes named extensionAttribute1 - extensionAttribute10. If you want to fill these attributes by IdM, you must do following steps in the configuration of the connected system: | ||
+ | * Go to **Configuration** -> **Specified attributes to be returned (multi)**, add **extensionAttribute1** to a new line under existing values. | ||
+ | * Go to **Scheme** -> **\_\_ACCOUNT\_\_** -> use the button **Add**, fill in the name **extensionAttribute1**, | ||
+ | * Go to **Mapping** -> **Provisioning mapping** -> use the button **Add** and map the attribute according to your choice. The following example can be used when you want to fill the extensionAttribute1 by personal numbers of identities | ||
+ | * Attribute in schema - extensionAttribute1 | ||
+ | * Name - extensionAttribute1 | ||
+ | * Entity attribute - true | ||
+ | * Entity field - Personal number | ||
===== Connection via SSL not working ===== | ===== Connection via SSL not working ===== | ||
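Review bot: the four "Attribute in schema / Name / Entity attribute / Entity field" items are meant to be a sub-list of the Mapping bullet but sit at the same indentation as the three main steps; indent them one level. "you must do following steps" should read "you must do the following steps", and "fill the extensionAttribute1 by personal numbers" should read "with personal numbers". The first sentence should also say that these attributes exist only where the Exchange schema extension has been applied (which defines extensionAttribute1 through extensionAttribute15), otherwise a reader on a plain AD schema will not find them in the Scheme step.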
Line 230: | Line 249: | ||
===== LdapErr: DSID-0C0907C5 ===== | ===== LdapErr: DSID-0C0907C5 ===== | ||
If you see this error when reconciliating AD groups: | If you see this error when reconciliating AD groups: | ||
- | < | + | < |
the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. | the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. | ||
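Review bot: the error text in the <code> block is cut off here, so the reader cannot match it against their own log; keep the full LdapErr line. The recommended fix raises the domain-wide MaxPageSize LDAP policy to 30000, which affects every LDAP client of the domain controllers, and the text should name that cost. It should also point out that for groups with many members the limit usually being hit is MaxValRange (values returned per multi-valued attribute, default 1500) rather than MaxPageSize (objects per search page, default 1000), so the AD admin verifies which policy is the cause before raising either.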
Line 251: | Line 270: | ||
Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). | Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). | ||
- | The value of this property must be a proper URL, e.g. ''< | + | The value of this property must be a proper URL, e.g. ''< |
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |
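Review bot: the "proper URL" example is truncated in this view; the text should pair the URL scheme with the connection type chosen in the configuration (ldaps:// when the primary is on port 636), because a failover entry written as ldap:// would connect to the fallback server without encryption even though the primary connection is protected. The preceding note about the property not being used for credential errors is correct and should stay next to the URL example so the two are read together.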