Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:manage_ad [2021/02/12 15:50]
apeterova failover - multiple lines, removed misleading information 		tutorial:adm:manage_ad [2021/06/25 12:41]
soval [Forced password change (User must change password at next logon)]
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
- 
 ===== Introduction ===== ===== Introduction =====
 This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId.
 +
 +You can as well use [[tutorial:adm:manage_ad_wizard|newer tutorial to use wizard for AD connection]] - you still will need this page to explain attributes not covered by wizard and troubleshooting.
  
 ===== Before you start ===== ===== Before you start =====
- 
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
- 
 Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by default. You can use it out of hand to test the basic functionality. However, it is advised to use the [[devel:documentation:adm:systems:winrm_ad_connector|WinRM + AD connector]] for the production-ready integration of CzechIdM <-> AD, as it enables more complex functionality. Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by default. You can use it out of hand to test the basic functionality. However, it is advised to use the [[devel:documentation:adm:systems:winrm_ad_connector|WinRM + AD connector]] for the production-ready integration of CzechIdM <-> AD, as it enables more complex functionality.
  
Line 91: Line 90:
   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**
   * **Object classes to synchronize** - usually the same as "Entry object classes"   * **Object classes to synchronize** - usually the same as "Entry object classes"
-  * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName"+  * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName". This option is also used when you need to read attributes from AD, that are not returned by default, a typical example is extensionAttribute1 and other additional attributes.
  
 <note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned due to some white space problems</note> <note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned due to some white space problems</note>
Line 166: Line 165:
   * Attribute with password - true   * Attribute with password - true
  
 +==== Forced password change (User must change password at next logon) ====  
 +When mapping AD attributes, it is sometimes useful to be able to set a forced password change option. This requirement is often set for two different cases:
 +
 +* We need to change the password when logging into AD **for a new user account**
 +* We need to force a password change but **only after a password reset**
 +
 +1/ To force a password change for newly created users, map the **"pwdLastSet"** attribute. The attribute should be in the generated system schema, object "**\_\_ACCOUNT\_\_**" name "pwdLastSet", Data type "java.lang.Boolean". So add the attribute to the mapping and put "return true" in the transformation script(Transformation to system) and set the strategy "Write only on create of the entity".
 +
 +
 +2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"** and strategy "Set value as it is" This can only be set since IdM version 11.0. In the picture you can see the attribute in the active directory.
 +
 +{{:tutorial:adm:user_must_change-password_properties.png|}}
  
 ===== Role for AD ===== ===== Role for AD =====
Line 178: Line 189:
  
 From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab "Provisioning" or in the audit "Provisioning"  From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab "Provisioning" or in the audit "Provisioning" 
 +
 +<note important>Check if the user created in IdM has password according to Active directory password policy, otherwise user can be created in IdM but not provisioned to AD system.</note>
  
  
Line 188: Line 201:
   * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group.   * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group.
  
-Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, its filling strategy must be either **MERGE or AUTHORITATIVE MERGE**.+Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, its filling strategy must be either **MERGE** (recommended for AD) or AUTHORITATIVE MERGE ([[devel:documentation:adm:systems#synchronizationprovisioning_strategies|info about strategies]]).
  
-Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE or AUTH.MERGE**. Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text.+Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE** (or AUTH.MERGE, make sure to use the same as in the provisioning mapping). Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text.
  
 Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute.
Line 215: Line 228:
  
 If you are running on a Windows server, the 'ldapGroups' in 'Specified attributes to be returned' has the wrong value 'ldapGroups\r' (this is only visible in Audit). The solution is to remove the value in 'Specified attributes to be returned' and write it again manually. If you are running on a Windows server, the 'ldapGroups' in 'Specified attributes to be returned' has the wrong value 'ldapGroups\r' (this is only visible in Audit). The solution is to remove the value in 'Specified attributes to be returned' and write it again manually.
 +
 +===== Mapping extensionAttributes =====
 +
 +AD enables additional attributes named extensionAttribute1 - extensionAttribute10. If you want to fill these attributes by IdM, you must do following steps in the configuration of the connected system:
 +  * Go to **Configuration** -> **Specified attributes to be returned (multi)**, add **extensionAttribute1** to a new line under existing values.
 +  * Go to **Scheme** -> **\_\_ACCOUNT\_\_** -> use the button **Add**, fill in the name **extensionAttribute1**, type "java.lang.String", select able to read, update, create and returned by default.
 +  * Go to **Mapping** -> **Provisioning mapping** -> use the button **Add** and map the attribute according to your choice. The following example can be used when you want to fill the extensionAttribute1 by personal numbers of identities
 +    * Attribute in schema - extensionAttribute1
 +    * Name - extensionAttribute1
 +    * Entity attribute - true
 +    * Entity field - Personal number
  
 ===== Connection via SSL not working ===== ===== Connection via SSL not working =====
Line 224: Line 248:
 ===== LdapErr: DSID-0C0907C5 ===== ===== LdapErr: DSID-0C0907C5 =====
 If you see this error when reconciliating AD groups: If you see this error when reconciliating AD groups:
-<code>org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C0907C5, comment: Error processing control, data 0, v1db1]; remaining name 'OU=BohemiaEnergy,DC=bohemiaenergy,DC=local'</code>+<code>org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C0907C5, comment: Error processing control, data 0, v1db1]; remaining name 'OU=company,DC=domain,DC=tld'</code>
  
 the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this.
Line 246: Line 270:
  
 The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''. If using multiple values, write each value at a separate line. The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''. If using multiple values, write each value at a separate line.
 +
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf