Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:manage_ad [2021/03/24 11:25]
apeterova ldapGroups - recommended strategy is Merge 		tutorial:adm:manage_ad [2021/06/25 12:41]
soval [Forced password change (User must change password at next logon)]
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
- 
 ===== Introduction ===== ===== Introduction =====
 This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId. This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId.
 +
 +You can as well use [[tutorial:adm:manage_ad_wizard|newer tutorial to use wizard for AD connection]] - you still will need this page to explain attributes not covered by wizard and troubleshooting.
  
 ===== Before you start ===== ===== Before you start =====
- 
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
- 
 Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by default. You can use it out of hand to test the basic functionality. However, it is advised to use the [[devel:documentation:adm:systems:winrm_ad_connector|WinRM + AD connector]] for the production-ready integration of CzechIdM <-> AD, as it enables more complex functionality. Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by default. You can use it out of hand to test the basic functionality. However, it is advised to use the [[devel:documentation:adm:systems:winrm_ad_connector|WinRM + AD connector]] for the production-ready integration of CzechIdM <-> AD, as it enables more complex functionality.
  
Line 166: Line 165:
   * Attribute with password - true   * Attribute with password - true
  
 +==== Forced password change (User must change password at next logon) ====  
 +When mapping AD attributes, it is sometimes useful to be able to set a forced password change option. This requirement is often set for two different cases:
 +
 +* We need to change the password when logging into AD **for a new user account**
 +* We need to force a password change but **only after a password reset**
 +
 +1/ To force a password change for newly created users, map the **"pwdLastSet"** attribute. The attribute should be in the generated system schema, object "**\_\_ACCOUNT\_\_**" name "pwdLastSet", Data type "java.lang.Boolean". So add the attribute to the mapping and put "return true" in the transformation script(Transformation to system) and set the strategy "Write only on create of the entity".
 +
 +
 +2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"** and strategy "Set value as it is" This can only be set since IdM version 11.0. In the picture you can see the attribute in the active directory.
 +
 +{{:tutorial:adm:user_must_change-password_properties.png|}}
  
 ===== Role for AD ===== ===== Role for AD =====
Line 259: Line 270:
  
 The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''. If using multiple values, write each value at a separate line. The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''. If using multiple values, write each value at a separate line.
 +
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf