Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:manage_ad [2021/02/25 08:45] apeterova extensionAttribute1 |
tutorial:adm:manage_ad [2021/06/24 07:07] soval [Password mapping] |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Systems - AD: Manage users ====== | ====== Systems - AD: Manage users ====== | ||
- | |||
===== Introduction ===== | ===== Introduction ===== | ||
This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | ||
+ | |||
+ | You can as well use [[tutorial: | ||
===== Before you start ===== | ===== Before you start ===== | ||
- | |||
==== Adding Active Directory connector ==== | ==== Adding Active Directory connector ==== | ||
- | |||
Since CzechIdM 9.2, the [[https:// | Since CzechIdM 9.2, the [[https:// | ||
Line 166: | Line 165: | ||
* Attribute with password - true | * Attribute with password - true | ||
+ | |||
+ | ==== Send additional attributes with password ==== | ||
+ | |||
+ | It's possible to send additional attributes to provisioning, | ||
+ | - send additional attributes together with new password in one provisioning operation | ||
+ | - send additional attributes after password is changed in another provisioning operation | ||
+ | Two ways are be configurable by application configuration '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | === Send attribute only on password change === | ||
+ | Since version **11.0.0** a new flag **Send only on password change** was added to the attribute detail. | ||
+ | |||
+ | If is this flag checked, then the attribute will be send to the system only during change of password operation. It means that this attribute will be ignored in standard provisioning operations (create/ | ||
+ | <note important> | ||
===== Role for AD ===== | ===== Role for AD ===== | ||
Line 178: | Line 194: | ||
From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | ||
+ | |||
+ | <note important> | ||
Line 188: | Line 206: | ||
* **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | ||
- | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, | + | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, |
- | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE or AUTH.MERGE**. Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. | + | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE** (or AUTH.MERGE, make sure to use the same as in the provisioning mapping). Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. |
Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | ||
Line 257: | Line 275: | ||
The value of this property must be a proper URL, e.g. ''< | The value of this property must be a proper URL, e.g. ''< | ||
+ | |||
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |