Differences

tutorial:adm:manage_ad [2020/01/07 11:38]
doischert
tutorial:adm:manage_ad [2020/01/14 13:45]
apeterova failover tip
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
-<note warning>This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</note> 
  
 ===== Introduction ===== ===== Introduction =====
-This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from Connid.+This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId.
  
 ===== Before you start ===== ===== Before you start =====
  
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
 +
 +<note warning>This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</note>
  
 First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]). First of all, you need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]).
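Review bot: the spelling of the vendor name is left inconsistent within this hunk: the rewritten Introduction says "an AD bundle connector from ConnId", but the next sentence still reads "download the connector from Connid (e.g. [[...| Connid AD bundle 1.3.4 jar file]])"; use the project's own form "ConnId" in both places. Moving the OBSOLETE warning from the top of the page to below "Adding Active Directory connector" means a reader who stops after the Introduction no longer sees it; either keep the warning at the top or leave a one-line pointer there. The download link also uses plain http://repo1.maven.org; point it at the https:// form of the same URL and advise checking the artifact's published checksum before deploying the jar into CzechIdM.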
Line 86: Line 87:
   * **Server hostname** - hostname or IP   * **Server hostname** - hostname or IP
   * **Server port** - usually 389 or 636   * **Server port** - usually 389 or 636
 +  * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''<nowiki>ldaps://123.456.789.012:636</nowiki>''.
   * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too.   * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too.
   * **Principal password** - password of the administrator user   * **Principal password** - password of the administrator user
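Review bot: the example value ''ldaps://123.456.789.012:636'' is not a valid IPv4 address (octets above 255), so a reader cannot tell whether Failover accepts bare IP addresses or only hostnames; use an obviously fictional but well-formed value such as ''ldaps://dc2.example.com:636'', matching the ''ldaps://some.hostname:636'' form used elsewhere in this change. The line also describes the property as "a list" without saying how entries are separated or in what order they are tried; state the separator explicitly.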
Line 237: Line 239:
  
 the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this.
 +
 +===== Failover =====
 +
 +The configuration property Failover is used when the primary server (configured in the Server hostname) is unavailable. Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect).
 +
 +The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf
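Review bot: the new Failover section shows only the single-URL form and does not say how several domain controllers are listed, in what order they are tried, or whether the Principal and Principal password configured for the primary server are also used when binding to a failover server; add those details here, since this section is where a reader will look for them. The caveat that failover is not triggered when the primary is reachable on the port but the communication fails for another reason (e.g. wrong credentials) is useful and should stay. It is also worth stating that the ''ldaps://'' scheme matters on the failover entries as much as on the primary, because the Principal password is sent during the bind to whichever server is used.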