Differences
This shows you the differences between two versions of the page.
tutorial:adm:manage_ad [2021/02/25 08:45] apeterova extensionAttribute1 |
tutorial:adm:manage_ad [2021/06/24 07:43] soval [Send additional attributes with password] |
Line 1: | Line 1: | ||
====== Systems - AD: Manage users ====== | ====== Systems - AD: Manage users ====== | ||
- | |||
===== Introduction ===== | ===== Introduction ===== | ||
This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. | ||
+ | |||
+ | You can as well use [[tutorial: | ||
===== Before you start ===== | ===== Before you start ===== | ||
- | |||
==== Adding Active Directory connector ==== | ==== Adding Active Directory connector ==== | ||
- | |||
Since CzechIdM 9.2, the [[https:// | Since CzechIdM 9.2, the [[https:// | ||
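Review bot: the added sentence "You can as well use [[tutorial:" should read "You can also use ..."; "as well" in that position is unidiomatic. The line shows only the opening of the wiki link, so confirm the link target resolves to the intended tutorial page before merging.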
Line 165: | Line 164: | ||
* Entity attribute - false | * Entity attribute - false | ||
* Attribute with password - true | * Attribute with password - true | ||
+ | |||
Line 178: | Line 178: | ||
From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab " | ||
+ | |||
+ | <note important> | ||
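Review bot: the added `<note important>` after "From now on, every time user gets the role ..." has no visible closing `</note>` in this hunk; make sure the note is closed right after its text, otherwise the following sections may render inside the note box.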
Line 188: | Line 190: | ||
* **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group. | ||
- | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, | + | Then continue to AD - users Mappings and edit provisioning mapping. Add there a **ldapGroups** attribute. It is not filled from any identity attribute and has no transformation. (It will be filled from the role). Since the attribute is multivalued, |
- | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE or AUTH.MERGE**. Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. | + | Get back to your role CRM basic user. In the tab **Systems** add a system **AD - users and roles**, save it. Then add an attribute that will be filled by this role - **ldapGroups**. Again choose the filling strategy **MERGE** (or AUTH.MERGE, make sure to use the same as in the provisioning mapping). Then **add a transformation** that is the value of DN of the group in AD ' " ' sign on each side of the text. |
Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. | ||
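Review bot: the rewording to "**MERGE** (or AUTH.MERGE, make sure to use the same as in the provisioning mapping)" is the right fix, since the strategy chosen on the role must match the strategy set on the ldapGroups attribute in the provisioning mapping; consider saying that directly, e.g. "the filling strategy on the role must be the same one used for ldapGroups in the provisioning mapping". The last sentence of that paragraph is still garbled in both versions ("that is the value of DN of the group in AD ' " ' sign on each side of the text"); suggest "add a transformation that returns the DN of the group in AD as a string literal, i.e. the DN enclosed in double quotes".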
Line 257: | Line 259: | ||
The value of this property must be a proper URL, e.g. ''< | The value of this property must be a proper URL, e.g. ''< | ||
+ | |||
===== Video Guide ===== | ===== Video Guide ===== | ||
[[https:// | [[https:// |