Differences

tutorial:adm:manage_ad [2019/11/20 12:16]
doischert [Distinguished Name (DN), Common Name (CN)]
tutorial:adm:manage_ad [2020/05/28 10:13] (current)
apeterova default pageSize is 0
Line 1: Line 1:
 ====== Systems - AD: Manage users ====== ====== Systems - AD: Manage users ======
-<note warning>​This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</​note>​ 
  
 ===== Introduction ===== ===== Introduction =====
-This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from Connid.+This tutorial will show you how to connect AD as a target system for users (their accounts) from CzechIdM. We will use an AD bundle connector from ConnId.
  
 ===== Before you start ===== ===== Before you start =====
  
 ==== Adding Active Directory connector ==== ==== Adding Active Directory connector ====
 +
 +<note warning>​This tutorial uses AD bundle connector, which is OBSOLETE. Since CzechIdM v 9.7.x, it is advised to use our new AD+Powershell connector</​note>​
  
 First of all, you need to download the connector from Connid (e.g. [[http://​repo1.maven.org/​maven2/​net/​tirasa/​connid/​bundles/​net.tirasa.connid.bundles.ad/​1.3.4/​net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]). First of all, you need to download the connector from Connid (e.g. [[http://​repo1.maven.org/​maven2/​net/​tirasa/​connid/​bundles/​net.tirasa.connid.bundles.ad/​1.3.4/​net.tirasa.connid.bundles.ad-1.3.4.jar| Connid AD bundle 1.3.4 jar file]]).
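Review bot: moving the OBSOLETE warning from directly under the page title down to the "Adding Active Directory connector" heading means a reader who stops after the Introduction never learns that this connector is deprecated in favour of the AD+Powershell connector; keep a one-line pointer in the Introduction as well. Two smaller points in the same hunk: "Connid" was corrected to "ConnId" in the Introduction, but the download sentence still spells it "Connid" twice, and the jar link uses plain http:// to repo1.maven.org, so the connector is fetched without transport integrity; use https:// and have the reader verify the artifact's published checksum before deploying it.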
Line 86: Line 87:
   * **Server hostname** - hostname or IP   * **Server hostname** - hostname or IP
   * **Server port** - usually 389 or 636   * **Server port** - usually 389 or 636
 +  * **Failover** - an optional list of other domain controllers used in the case that the primary server is not available. Use URL format ''<​nowiki>​ldaps://​123.456.789.012:​636</​nowiki>''​.
   * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too.   * **Principal** - login of the user with admin privilege that CzechIdM will use for the connection. DN of the user should work too.
   * **Principal password** - password of the administrator user   * **Principal password** - password of the administrator user
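Review bot: the Failover example ''ldaps://123.456.789.012:636'' is not a valid IPv4 address (octets above 255), and with ldaps the name in the URL has to match the server certificate, which an IP literal usually will not; use a hostname placeholder such as ''ldaps://dc2.example.local:636'' instead. The bullet also says "a list" without giving the separator (comma, space, one per line?) or saying whether entries are tried in order; a single example with two entries would settle both.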
Line 94: Line 96:
   * **Base contexts for user entry searches** - usually the same as "Root suffixes"​.   * **Base contexts for user entry searches** - usually the same as "Root suffixes"​.
   * **Group members reference attribute** - usually "​member",​ use this if you want to manage group membership of user accounts   * **Group members reference attribute** - usually "​member",​ use this if you want to manage group membership of user accounts
-  * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. ​Leave it at default (100), if you ask for more than the limit for AD is, you will get an error.+  * **pageSize** - this option is only available if you use connector that is customizes by BCV Solutions. ​Set it to default (100), if you ask for more than the limit for AD is, you will get an error.
   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "​sAMAccountName",​ since connId connector has some problem with returning this specific attribute if mapped by other means.**   * **Uid Attribute** - this is one of the most important option. It defines the primary key/UID of the account. Attribute values will be stored in CzechIdM for each account. Must be unique and should not change. **It is strongly advised to use "​sAMAccountName",​ since connId connector has some problem with returning this specific attribute if mapped by other means.**
   * **Object classes to synchronize** - usually the same as "Entry object classes"​   * **Object classes to synchronize** - usually the same as "Entry object classes"​
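Review bot: the wording change from "Leave it at default (100)" to "Set it to default (100)" and the revision summary "default pageSize is 0" say different things: if the connector's default is 0, then 100 is the recommended value, not the default, and the bullet should say so plainly (e.g. "The default is 0; set it to 100. Values above the domain's MaxPageSize policy produce an error."). Also "connector that is customizes by BCV Solutions" should read "customized", and "more than the limit for AD is" should read "more than the AD limit".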
Line 101: Line 103:
 <note warning>​If you are setting this on a Windows server, make sure to delete the '​Specified attributes to be returned'​ values and write them manually. Otherwise, ldapGroups will not be returned. </​note>​ <note warning>​If you are setting this on a Windows server, make sure to delete the '​Specified attributes to be returned'​ values and write them manually. Otherwise, ldapGroups will not be returned. </​note>​
  
-<note important>​Beware on **useVlvControls** option. CzechIdM now only supports vlv control, so **useVlvControls** option should be enabled and **vlvSortAttribute** must be set (recommended option - '​sAMAccountName'​).</​note>​+<note important>​Beware on **useVlvControls** option. CzechIdM now only supports vlv control, so **useVlvControls** option should be enabled and **vlvSortAttribute** must be set (recommended option - '​sAMAccountName'​). ​**DO NOT** use **CN**, **distinguishedName** or any other unindexed attribute or you'll end up with "​[LDAP:​ error code 12 - 0000217A: SvcErr: DSID-03140414,​ problem 5010 (UNAVAIL_EXTENSION),​ data 0 
 +];" error</​note>​
  
 <note important>​Since connector version 1.3.4.25 we support change of **sAMAccount** name, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of \_\_Uid\_\_)</​note>​ <note important>​Since connector version 1.3.4.25 we support change of **sAMAccount** name, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of \_\_Uid\_\_)</​note>​
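Review bot: the added error message is split across two lines with a stray break inside the quoted text ("data 0" / "];"), so the note will render with the closing bracket on its own line; put the LDAP error in a <code> block, as the new "LdapErr" section further down does. "Beware on" should be "Beware of". Since the note already says unindexed attributes fail, say outright that the VLV sort attribute must be indexed and that sAMAccountName satisfies this, so a reader who cannot use sAMAccountName knows what to look for in an alternative.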
Line 205: Line 208:
  
 Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute. Thus every user that has the role assigned is added to the group with provided DN via ldapGroups attribute.
 +
 +For managing group membership in multi domain AD environment follow [[tutorial:​adm:​systems_-_manage_groups_membership_in_multi_domain_cross_domain_ad_environment|this tutorial]]
  
 <note important>​Merge was fixed in connector version 1.3.4.25. Before Merge behaved like Authoritative Merge</​note>​ <note important>​Merge was fixed in connector version 1.3.4.25. Before Merge behaved like Authoritative Merge</​note>​
Line 225: Line 230:
  
 If you are running on a Windows server, the '​ldapGroups'​ in '​Specified attributes to be returned'​ has the wrong value '​ldapGroups\r'​ (this is only visible in Audit). The solution is to remove the value in '​Specified attributes to be returned'​ and write it again manually. If you are running on a Windows server, the '​ldapGroups'​ in '​Specified attributes to be returned'​ has the wrong value '​ldapGroups\r'​ (this is only visible in Audit). The solution is to remove the value in '​Specified attributes to be returned'​ and write it again manually.
 +
 ===== Connection via SSL not working ===== ===== Connection via SSL not working =====
 If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use. If you just imported root certificate to IdM truststore, but SSL connection to AD is still not working try following method to find which server hostname you should use.
Line 230: Line 236:
 {{:​tutorial:​adm:​trust.png?​400|}} {{:​tutorial:​adm:​trust.png?​400|}}
 click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname. click on View certificate -> tab General -> field Issued To -> Common name(CN) and use this value as server hostname.
 +
 +===== LdapErr: DSID-0C0907C5 =====
 +If you see this error when reconciliating AD groups:
 +<​code>​org.identityconnectors.framework.common.exceptions.ConnectorException:​ javax.naming.OperationNotSupportedException:​ [LDAP: error code 12 - 00000057: LdapErr: DSID-0C0907C5,​ comment: Error processing control, data 0, v1db1]; remaining name '​OU=BohemiaEnergy,​DC=bohemiaenergy,​DC=local'</​code>​
 +
 +the likely cause is that some groups have many members. AD has a property MaxPageSize which is probably set to lower than necessary (default is 1000). Increasing the value to an arbitrary large number (30000) helped in our case but only AD admin can change this.
 +
 +===== Failover =====
 +
 +The configuration property Failover is used when the primary server (configured in the Server hostname) is unavailable. The attribute contains a list of AD servers that connector can use.
 +
 +Please note that this property is not used in the case that the primary server is accessible on the given port, but there is some other problem with the communication (e.g. the credentials are incorrect). ​
 +
 +The value of this property must be a proper URL, e.g. ''<​nowiki>​ldaps://​some.hostname:​636</​nowiki>''​.
  
 ===== Video Guide ===== ===== Video Guide =====
 [[https://​www.youtube.com/​watch?​v=ZbQCH_BYd-k&​list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&​index=7|How to create role for AD group]] - czech language [[https://​www.youtube.com/​watch?​v=ZbQCH_BYd-k&​list=PLBeAQt3pe3EcdVE8QpCDEJcDsi_jtNQUb&​index=7|How to create role for AD group]] - czech language
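Review bot: the error sample in the new "LdapErr: DSID-0C0907C5" section embeds what looks like a real customer's directory naming ("OU=BohemiaEnergy,DC=bohemiaenergy,DC=local"); replace it with a placeholder such as "OU=Users,DC=example,DC=local" before publishing, since a public tutorial should not disclose a tenant's forest name. On the fix itself: raising MaxPageSize to 30000 is a domain-wide LDAP policy change that applies to every LDAP client, not only CzechIdM, so say that it has to be agreed with the AD administrators and that a smaller increase should be tried first; it also sits oddly next to the pageSize guidance earlier on this page (100), so add a sentence on how the connector's pageSize relates to the domain's MaxPageSize. The new "Failover" section repeats the Failover bullet added above; link the bullet to this section instead of describing the URL format twice, and the caveat that failover only triggers when the primary is unreachable on the given port (not on authentication or other errors) is the most useful sentence here and belongs in the bullet as well.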