Differences

This shows you the differences between two versions of the page.

tutorial:adm:manage_ad [2019/02/27 15:23]
fiserp [Preparing Active Directory]
tutorial:adm:manage_ad [2019/09/06 08:32]
poulm obsolete tutorial
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
 +<note warning>This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</note>
  
 ===== Introduction ===== ===== Introduction =====
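Review bot: the new deprecation warning says the AD bundle connector is obsolete but gives the reader nowhere to go; add a link to the AD+Powershell connector tutorial right after "it is advised to use our new AD+Powershell connector" so anyone landing on this page can move to the supported path without searching. Also, "Since CzechIdM v 9.7.x" is ambiguous about whether 9.7.0 already ships the new connector; state the exact version if it is known.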
Line 7: Line 8:
  
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
 +
 First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]). First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]).
 Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, the path would be ''/opt/tomcat/current/webapps/idm/WEB-INF/lib/'' Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, the path would be ''/opt/tomcat/current/webapps/idm/WEB-INF/lib/''
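Review bot: the connector jar is still fetched from a plain http:// repo1.maven.org URL and dropped straight into /opt/tomcat/current/webapps/idm/WEB-INF/lib/ with no integrity check, yet this is code that will run inside the IdM with the AD service credentials configured later in the tutorial. Switch the link to https and add a step telling the reader to verify the artifact against the checksum Maven Central publishes next to each jar (the .sha1 file beside the artifact) before copying it into the application server.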
Line 41: Line 43:
 Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory. Which subtrees you need to grant privileges on depends on the actual directory tree of your Active Directory.
  
-**Granting full control to user**+**Granting full control to CzechIdM application user**
  
 The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on. The process is fairly straightforward. Just repeat it for every root of every subtree you need to grant the rights on.
Line 55: Line 57:
   - Repeat for other subtrees as necessary.   - Repeat for other subtrees as necessary.
  
 +<note important>
 +**CzechIdM has to have access to objects directly referenced from objects you manage.**
  
 +For example:
 +
 +A user is member of some groups, this is noted in his ''member'' attribute. If you want to manage the ''member'' attribute, the CzechIdM also has to have full access to the subtree with user groups.
 +However this requirement is not transitive in groups hierarchy.
 +In AD, you have a ''Groups\Domain Users'' group and every domain user is a member of this group. This means that every domain user has a ''member'' attribute which contains the ''Groups\Domain Users'' group DN.
 +But the ''Groups\Domain Users'' is itself a member of ''Builtin\Users'' group.
 +
 +If you want to manage your users and their group membership, you therefore need to grant full control on ''Users'' (to manage users) and ''Groups'' (because this is where ''Domain Users'' group is) **even if you do not want to manage groups themselves**. This is because of consistency checks performed by CzechIdM upon account provisioning.
 +
 +But you **do not need** to grant anything on ''Builtin'' because this is referenced from an user account only indirectly.
 +</note>
 ===== Basic configuration ===== ===== Basic configuration =====
 Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name.  Go to **Systems** from main menu, then above list of current systems use Add button. On the first page just fill system name. 
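Review bot: the example in the new note puts the membership attribute on the wrong object. In AD the forward link "member" lives on the group; what the user object carries is the back-link "memberOf", so "every domain user has a ''member'' attribute which contains the ''Groups\Domain Users'' group DN" should say "memberOf". The conclusion is unaffected (the connector has to write the group's "member" attribute, which is why full control on "Groups" is needed even when groups themselves are not managed), but the wording will confuse readers who look at a user object in ADSI Edit. "Domain Users" is also a poor illustration, since for most users it is the primary group (primaryGroupID) and does not appear in "member"/"memberOf" at all; a custom group such as an application role group would make the example accurate. Minor: "A user is member of some groups, this is noted in his ''member'' attribute" is a comma splice, "an user account" should be "a user account", and a blank line between "</note>" and "===== Basic configuration =====" would match the spacing used elsewhere on the page.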
Line 76: Line 91:
   * **User search scope** - manage users in specified container or subtrees. Usually subtree   * **User search scope** - manage users in specified container or subtrees. Usually subtree
   * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, inetOrgPerson,   * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, inetOrgPerson,
 +  * **Base contexts for group entry searches** - container in AD where the groups are located. If the groups are in different container then people and the group container is not under the path which is in "Root suffixes". You need to put it here, otherwise connector will not be able to load users groups
   * **Base contexts for user entry searches** - usually the same as "Root suffixes".   * **Base contexts for user entry searches** - usually the same as "Root suffixes".
   * **Group members reference attribute** - usually "member", use this if you want to manage group membership of user accounts   * **Group members reference attribute** - usually "member", use this if you want to manage group membership of user accounts
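Review bot: the new "Base contexts for group entry searches" bullet splits one condition across a sentence boundary and uses "then" for "than", so the reader cannot tell which case requires the setting: "If the groups are in different container then people and the group container is not under the path which is in "Root suffixes". You need to put it here". Suggested wording: "If the groups are in a different container than the users and that container is not under the "Root suffixes" path, put the group container DN here; otherwise the connector will not be able to load the users' groups."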
Line 197: Line 213:
  
 {{ :tutorial:adm:ad_user_properties_general.png | CN = Name }} {{ :tutorial:adm:ad_user_properties_general.png | CN = Name }}
 +
 +===== Connection via SSL not working =====
 +If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use.
 +Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window:
 +{{:tutorial:adm:trust.png?400|}}
 +click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf
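Review bot: the new "Connection via SSL not working" section tells the reader to take the server hostname from the certificate's Common Name, but TLS hostname verification (Java's included) matches against the Subject Alternative Name DNS entries and falls back to CN only when the certificate carries no SAN, and on a current AD certificate the CN may not be a resolvable DNS name at all. Tell the reader to open the "Subject Alternative Name" field as well and use one of its DNS names as the server hostname. It is worth saying explicitly that the fix is to use a hostname the certificate is valid for, not to turn off certificate validation in the connector. Grammar: "try following method" should be "try the following method", and "Configure connection via SSL to AD in Apache Directory Studio during connection you will see this window:" should be split: "Configure the SSL connection to AD in Apache Directory Studio. During the connection you will see this window:".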