Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:manage_ad [2020/01/07 11:38]
doischert 		tutorial:adm:manage_ad [2021/02/09 19:12]
apeterova removed old info about ConnId - the connector is bundled, reformated some instructions
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
-<note warning>This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</note> 
  
 ===== Introduction ===== ===== Introduction =====
-This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from Connid.+This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId.
  
 ===== Before you start ===== ===== Before you start =====
Line 9: Line 8:
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
  
-First of allyou need to download the connector from Connid (e.g. [[http://repo1.maven.org/maven2/net/tirasa/connid/bundles/net.tirasa.connid.bundles.ad/1.3.4/net.tirasa.connid.bundles.ad-1.3.4.jarConnid AD bundle 1.3.4 jar file]]). +Since CzechIdM 9.2, the [[https://github.com/bcvsolutions/ad-connector|forked ConnId AD connector]] is bundled inside CzechIdM by default. You can use it out of hand to test the basic functionalityHoweverit is advised to use the [[devel:documentation:adm:systems:winrm_ad_connector|WinRM + AD connector]] for the production-ready integration of CzechIdM <-> ADas it enables more complex functionality.
-Then add the jar file into CzechIdM folder inside the application server. In case you installed CzechIdM into tomcat by standard installation, the path would be ''/opt/tomcat/current/webapps/idm/WEB-INF/lib/'' +
- +
-<note tip>To preserve the connector during future upgrades of CzechIdM coreput the connector in e.g. /opt/czechidm/lib/ and create symbolic link in the CzechIdM webapp folder: +
-<code> +
-ln -s /opt/czechidm/lib/net.tirasa.connid.bundles.ad-1.3.4.jar /opt/tomcat/current/webapps/idm/WEB-INF/lib/net.tirasa.connid.bundles.ad-1.3.4.jar +
-</code> +
-</note> +
- +
-Then restart the application server. If you had CzechIdM already running in the web browserrefresh also the web browser window (e.g. Ctrl+F5).+
  
 ==== Preparing Active Directory ==== ==== Preparing Active Directory ====
Line 54: Line 44:
   - Choose ''This folder, existing objects in this folder, and creation of new objects in this folder''.   - Choose ''This folder, existing objects in this folder, and creation of new objects in this folder''.
   - Tick the ''Full Control'' checkbox. This will tick all possible checkboxes in the dialog window.   - Tick the ''Full Control'' checkbox. This will tick all possible checkboxes in the dialog window.
-  - Check the summary and finish the wizard. Changes are effective immediatelly.+  - Check the summary and finish the wizard. Changes are effective immediately.
   - Repeat for other subtrees as necessary.   - Repeat for other subtrees as necessary.
  
Line 84: Line 74:
 **Example configuration for our local AD:**  **Example configuration for our local AD:** 
  
-  * **Server hostname** - hostname or IP +  * **SSL** - this is strongly advised to enable and also vital for managing the users' password 
-  * **Server port** - usually 389 or 636 +  * **Server hostname** - hostname of the AD domain controller. (IP address could be used as well, but then it must be stated in the server's certificate Subject Alternative Name) 
-  * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too.+  * **Server port** - typically 636. (389 if not using SSL) 
 +  * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''<nowiki>ldaps://123.456.789.012:636</nowiki>''. 
 +  * **Principal** - login@domain of the user with admin privilege that CzechIdM will use for the connection. DN of the user works too.
   * **Principal password** - password of the administrator user   * **Principal password** - password of the administrator user
-  * **Root suffixes** - the list distinguished names of the roots that connector uses for managing users. If you do not want to manage some account, it is advised not to include them in the Root suffixes. When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=aktest,DC=local), so the system schema can be correctly generated.+  * **Root suffixes** - the list distinguished names of the roots that connector uses for managing users. If you do not want to manage some account, it is advised not to include them in the Root suffixes. When you configure the system for the first time, root suffix should lead to the top container (e.g. DC=company,DC=local), so the system schema can be correctly generated.
   * **User search scope** - manage users in specified container or subtrees. Usually subtree   * **User search scope** - manage users in specified container or subtrees. Usually subtree
   * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, user.   * **Entry object classes** - only objects (accounts) with object classes specified there will be managed. Each object class on new line, no comma or another separator. Usual values: top, person, organizationalPerson, user.
-  * **Base contexts for group entry searches** - container in AD where the groups are located. If the groups are in different container then people and the group container is not under the path which is in "Root suffixes". You need to put it here, otherwise connector will not be able to load users groups+  * **Base contexts for group entry searches** - containers in AD where the groups are located. This must be specified if the groups are in different container than people and the group container is not under the path which is in "Root suffixes". You need to put it here, otherwise connector will not be able to load usersgroups membership
   * **Base contexts for user entry searches** - usually the same as "Root suffixes".   * **Base contexts for user entry searches** - usually the same as "Root suffixes".
-  * **Group members reference attribute** - usually "member", use this if you want to manage group membership of user accounts +  * **Group members reference attribute** - typically "member", use this if you want to manage group membership of user accounts 
-  * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. Leave it at default (100), if you ask for more than the limit for AD is, you will get an error.+  * **useVlvControls** - enable the option. (This option is only available if you use connector that is customized by BCV solutions) 
 +  * **pageSize** - we advise to set it to **100**. If you let the default 0, or ask for more than the limit for AD is, you will get an error when reading accounts(This option is only available if you use connector that is customized by BCV solutions) 
 +  * **vlvSortAttribute** - set to "sAMAccountName"
   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "sAMAccountName", since connId connector has some problem with returning this specific attribute if mapped by other means.**
   * **Object classes to synchronize** - usually the same as "Entry object classes"   * **Object classes to synchronize** - usually the same as "Entry object classes"
   * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName"   * **Specified attributes to be returned** - default "ldapGroups" and "sAMAccountName"
  
-<note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned</note>+<note warning>If you are setting this on a Windows server, make sure to delete the 'Specified attributes to be returned' values and write them manually. Otherwise, ldapGroups will not be returned due to some white space problems</note>
  
-<note important>Beware on **useVlvControls** option. CzechIdM now only supports vlv control, so **useVlvControls** option should be enabled and **vlvSortAttribute** must be set (recommended option - 'sAMAccountName').</note>+<note important>Beware on **useVlvControls** option. CzechIdM now only supports vlv control, so **useVlvControls** option should be enabled and **vlvSortAttribute** must be set (recommended option - 'sAMAccountName'). **DO NOT** use **CN**, **distinguishedName** or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0 
 +];" error</note>
  
-<note important>Since connector version 1.3.4.25 we support change of **sAMAccount** name, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of \_\_Uid\_\_)</note>+<note important>Since connector version 1.3.4.25 we support change of **sAMAccountName**, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of \_\_Uid\_\_)</note>
 <note important>Since connector version 1.3.4.25 we support objectGUID as identifier, but only with this property turned off: <code>idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=false</code> (in create action you have to send random String, because UID cannot be null and objectGUID will be obtained after create of user/group)</note> <note important>Since connector version 1.3.4.25 we support objectGUID as identifier, but only with this property turned off: <code>idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=false</code> (in create action you have to send random String, because UID cannot be null and objectGUID will be obtained after create of user/group)</note>
  
Line 112: Line 107:
 {{ :tutorial:adm:schema_generation.png | Schema generation}} {{ :tutorial:adm:schema_generation.png | Schema generation}}
    
-For user management, we will use ACCOUNT. Click on the detail of the object type and check that the scheme attributes list consists of all attributes you want to manage in AD. If the list doesn't contain any attribute, check that **Root suffixes** in the system configuration contains the value of the top container (so the connector can read the schema definitions).+For user management, we will use \_\_ACCOUNT\_\_. Click on the detail of the object type and check that the scheme attributes list consists of all attributes you want to manage in AD. If the list doesn't contain any attribute or contains 6 or less, check that **Root suffixes** in the system configuration contains the value of the top container (so the connector can read the schema definitions).
  
 If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually: If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually:
  
   * sAMAccountName - this attribute is not sometimes generated by default. If so you must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default.   * sAMAccountName - this attribute is not sometimes generated by default. If so you must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default.
-  * \__ENABLE\__ - if you want to allow disabling a user in AD. Sometimes this attribute is not generated by default, so you can create it manually. +  * \_\_ENABLE\_\_ - if you want to allow disabling a user in AD. Sometimes this attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name "\_\_ENABLE\_\_", type "java.lang.Boolean", able to read, update, create and returned by default
-  * \__NAME\__ (synonymous to DN, hard-coded in the connector).+  * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). Use the button **Add**, fill in the name "\_\_NAME\_\_", type "java.lang.String", able to read, update, create and returned by default. 
 +  * \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name "\_\_PASSWORD\_\_", type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString", able to update, create 
 +  * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name "ldapGroups", type "java.lang.String", able to read, multivalued, able to create, edit, returned by default
  
 <note tip>You do not need to use all of the schema attributes for provisioning afterwards</note> <note tip>You do not need to use all of the schema attributes for provisioning afterwards</note>
Line 126: Line 123:
 If you want to set everything by yourself: If you want to set everything by yourself:
  
-  * Use button **Add** to create a new scheme. For users, you need to name it "**\_\_ACCOUNT\_\_**", because it is a Connid constant+  * Use button **Add** to create a new scheme. For users, you need to name it "**\_\_ACCOUNT\_\_**", because it is a ConnId constant
   * Add all attributes that you want to work with. As a minimum, the "**\_\_NAME\_\_**" and "**sAMAccountName**" attributes should be mapped.   * Add all attributes that you want to work with. As a minimum, the "**\_\_NAME\_\_**" and "**sAMAccountName**" attributes should be mapped.
   * Set all attributes as **Able to read, update, create**.    * Set all attributes as **Able to read, update, create**. 
Line 132: Line 129:
 <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</note> <note tip>It is possible you will not see the full scheme even with root suffix set to the top container. In that case, check that schemas are not stored separately and if they are, set root suffixes to the appropriate DC.</note>
  
-<note warning>In order to activate a user in AD, you must send a password. The attribute password is not created by default in the schema, so you must add it manually: name<nowiki> "__PASSWORD__", </nowiki>type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString". 
-If you want to use the workflow for groups synchronization, you must also create an attribute in schema, this time called "ldapGroups", type "java.lang.String".</note> 
  
 ===== Mapping ===== ===== Mapping =====
Line 148: Line 143:
  
 Then map scheme attributes to entity attributes as described below: Then map scheme attributes to entity attributes as described below:
-  * **sAMAccountName** +**sAMAccountName** 
-    * Name - sAMAccountName +  * Name - sAMAccountName 
-    * Identifier - true +  * Identifier - true 
-    * Entity attribute - true. Means that the attribute will be filled from basic Identity attribute set. +  * Entity attribute - true. Means that the attribute will be filled from basic Identity attribute set. 
-    * Entity field (selectbox) - User name+  * Entity field (selectbox) - User name
  
-<note tip>It is strongly advised to use **\_\_UID\_\_** as an identifier, so that the identifier of the connector is the same as the identifier of the provisioning. Then some advanced CzechIdM features can be used and the debugging is also much easier </note>+<note tip>It is strongly advised to use **sAMAccountName** as an identifier, so that the identifier of the connector is the same as the identifier of the provisioning. Then some advanced CzechIdM features can be used and the debugging is also much easier </note>
  
 Other options may stay with default values. Other options may stay with default values.
  
-**\_\_ENABLE\_\_**, mapping configuration is almost the same as **\_\_UID\_\_**, but do not set it as identifier. Map this schema attribute to entity attribute "Disabled". You should also add transformation to the system, because CzechIdM holds the attribute "disabled" and AD has attribute "enable". So the transformation should return opposite value of the attribute in CzechIdM. To do so, click on the **Insert script** button in "Transformation to system" window and find the script **getOppositeBoolean**. This should fill the window with the script call.+**\_\_ENABLE\_\_**, mapping configuration is almost the same as **sAMAccountName**, but do not set it as identifier. Map this schema attribute to entity attribute "Disabled". You should also add transformation to the system, because CzechIdM holds the attribute "disabled" and AD has attribute "enable". So the transformation should return opposite value of the attribute in CzechIdM. To do so, click on the **Insert script** button in "Transformation to system" window and find the script **getOppositeBoolean**. This will fill the window with the script call, but you must also add the line ''.addParameter('attributeValue', attributeValue)'' after the similar line with "scriptEvaluator" (see [[tutorial:adm:transformation_scripts#a_library_script_use|this tutorial]] for using Standard transformation scripts).
  
 If you also want to create entities in AD, which is probable, map **\_\_NAME\_\_** attribute that holds the DN of the account in AD. The configuration of the attribute may look like: If you also want to create entities in AD, which is probable, map **\_\_NAME\_\_** attribute that holds the DN of the account in AD. The configuration of the attribute may look like:
Line 165: Line 160:
   * Entity attribute - true   * Entity attribute - true
   * Entity field - user name. In case that the DN on AD consists of the login of the user. Otherwise, you should choose other attribute or EAV.   * Entity field - user name. In case that the DN on AD consists of the login of the user. Otherwise, you should choose other attribute or EAV.
-  * The form of the DN varies on each instance of AD, so there usually will be some **transformation to system** like ''return "CN=" + attributeValue + ",OU=employees,DC=yourcompany,DC=com" ''. Of course your tree can be more complex, in that case you should follow some of our tutorials.+  * The form of the DN varies on each instance of AD, so there usually will be some **transformation to system** like ''return "CN=" + attributeValue + ",OU=employees,DC=yourcompany,DC=com" ''. Of course your tree can be more complex, in that case you should follow some of our [[tutorial:adm:transformation_scripts|tutorials]]
  
 ==== Password mapping ==== ==== Password mapping ====
  
-<note tip>If you want to send passwords into Active Directory, you need to configure SSL communication.</note>+If you want to send passwords into Active Directory, you need to configure SSL communication. 
 + 
 +To enable passwords provisioning, add the attribute **\_\_PASSWORD\_\_** to the schema attributes (as written above) and map it as follows: 
 +  * Attribute in schema - \_\_PASSWORD\_\_, 
 +  * Name - \_\_PASSWORD\_\_ 
 +  * Entity attribute - false 
 +  * Attribute with password - true
  
  
Line 184: Line 185:
 From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab "Provisioning" or in the audit "Provisioning"  From now on, every time user gets the role, it is provisioned into the connected system AD. You can see that on users detail menu tab "Provisioning" or in the audit "Provisioning" 
  
-Finally, go to menu **Provisioning** and add new one set its **Name** and these fields: 
- 
-  * **Allowed:** true 
-  * **Set of mapped attributes:** Select mapping from previous step. 
-  * **Correlation attribute:** \_\_NAME\_\_ 
- 
-You can leave the rest of configuration at the default values. 
  
 ====== Group membership ====== ====== Group membership ======
Line 196: Line 190:
 If you want to add a user to an AD group via CzechIdM, you need appropriate Role there. So create a role that is almost similar to **AD - Users** above. Give it some better name that represents the group in AD, good idea is to use sAMAccountName or CN e.g. **CRM basic user**. If you want to add a user to an AD group via CzechIdM, you need appropriate Role there. So create a role that is almost similar to **AD - Users** above. Give it some better name that represents the group in AD, good idea is to use sAMAccountName or CN e.g. **CRM basic user**.
  
-In the system AD - users schema setting, you need to have a special attribute defined that add the user to the group. The attribute is usually **ldapGroups**. Be sure, it can be read,create,update,delete. Attribute is multivalued.+In the system AD - users schema setting, you need to have a special attribute defined that add the user to the group. The attribute is named **ldapGroups**. Make sure, it can be read,create,update,delete. Attribute is multivalued.
 In the system configuration tab, there are some configuration properties, that must be set in order to allow group membership management. In the system configuration tab, there are some configuration properties, that must be set in order to allow group membership management.
   * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group.   * **Group members reference attribute** - usually **member**. This represents the name of the attribute in AD that is present in Group. Its value is usually a DN of the user in the group.
Line 205: Line 199:
  
 Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute.
 +
 +For managing group membership in multi domain AD environment follow [[tutorial:adm:systems_-_manage_groups_membership_in_multi_domain_cross_domain_ad_environment|this tutorial]]
  
 <note important>Merge was fixed in connector version 1.3.4.25. Before Merge behaved like Authoritative Merge</note> <note important>Merge was fixed in connector version 1.3.4.25. Before Merge behaved like Authoritative Merge</note>
Line 237: Line 233:
  
 the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this. the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this.
 +
 +===== SvcErr: DSID-031007E5 - unsupported special characters in DN =====
 +
 +The AD connector doesn't support containers (OU) that contain some special characters in their names, namely the forward slash ("/"). When you try to update some user, whose DN contains this character (even when updating only some other attributes), then the provisioning fails with the following exception:
 +<code>
 +javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007E5, problem 5012 (DIR_ERROR), data 0
 +</code>
 +
 +Please rename your containers so they don't contain special characters.
 +
 +See more about this known issue here: https://redmine.czechidm.com/issues/2294.
 +
 +===== Failover =====
 +
 +The configuration property Failover is used when the primary server (configured in the Server hostname) is unavailable. The attribute contains a list of AD servers that connector can use.
 +
 +Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). 
 +
 +The value of this property must be a proper URL, e.g. ''<nowiki>ldaps://some.hostname:636</nowiki>''.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language [[https://www.youtube.com/watch?v=ZbQCH_BYd-k&list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&index=7|How to create role for AD group]] - czech language
  • by neznajf