Differences

This shows you the differences between two versions of the page.

tutorial:adm:manage_ad [2021/08/11 06:47]
neznajf Corrected \_\_ to __
tutorial:adm:manage_ad [2021/08/11 06:50] (current)
neznajf old revision restored (2021/06/25 12:41)
Line 97: Line 97:
 <note important>Beware on **useVlvControls**  option. CzechIdM now only supports vlv control, so **useVlvControls**  option should be enabled and **vlvSortAttribute**  must be set (recommended option - 'sAMAccountName'). **DO NOT**  use **CN**, **distinguishedName**  or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0 ];" error</note> <note important>Beware on **useVlvControls**  option. CzechIdM now only supports vlv control, so **useVlvControls**  option should be enabled and **vlvSortAttribute**  must be set (recommended option - 'sAMAccountName'). **DO NOT**  use **CN**, **distinguishedName**  or any other unindexed attribute or you'll end up with "[LDAP: error code 12 - 0000217A: SvcErr: DSID-03140414, problem 5010 (UNAVAIL_EXTENSION), data 0 ];" error</note>
  
-<note important>Since connector version 1.3.4.25 we support change of **sAMAccountName**, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of __Uid__)</note> <note important>Since connector version 1.3.4.25 we support objectGUID as identifier, but only with this property turned off:+<note important>Since connector version 1.3.4.25 we support change of **sAMAccountName**, even if it is used as identifier (in provisioning mapping use sAMAccountName instead of \_\_Uid\_\_)</note> <note important>Since connector version 1.3.4.25 we support objectGUID as identifier, but only with this property turned off:
 <code> <code>
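Review bot: the only change in this hunk is `__Uid__` on the left becoming `\_\_Uid\_\_` on the right, which reintroduces the backslash escaping that the previous revision ("Corrected \_\_ to __") had just removed. In DokuWiki `__Uid__` is underline markup, so the unescaped form renders as an underlined "Uid" instead of the literal connector attribute name, while backslashes are not core DokuWiki escape syntax. Wrapping the name as `%%__Uid__%%` (or inside `<nowiki>`) is the standard way to show `__Uid__` verbatim and would stop the two revisions flip-flopping.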
  
Line 112: Line 112:
 You can let CzechIdM generate a scheme for you by clicking on **Generate scheme**  button and that is also the preferred way. For MS AD, the connector usually creates 3 object types. \__ACCOUNTS\__, \__ALL\__, \__GROUP\__. {{  .:schema_generation.png  | Schema generation}} You can let CzechIdM generate a scheme for you by clicking on **Generate scheme**  button and that is also the preferred way. For MS AD, the connector usually creates 3 object types. \__ACCOUNTS\__, \__ALL\__, \__GROUP\__. {{  .:schema_generation.png  | Schema generation}}
  
-For user management, we will use __ACCOUNT__. Click on the detail of the object type and check that the scheme attributes list consists of all attributes you want to manage in AD. If the list doesn't contain any attribute or contains 6 or less, check that **Root suffixes**  in the system configuration contains the value of the top container (so the connector can read the schema definitions).+For user management, we will use \_\_ACCOUNT\_\_. Click on the detail of the object type and check that the scheme attributes list consists of all attributes you want to manage in AD. If the list doesn't contain any attribute or contains 6 or less, check that **Root suffixes**  in the system configuration contains the value of the top container (so the connector can read the schema definitions).
  
 If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually: If you are connecting AD for the first time, it is a good idea to check some minimal set of attributes that allows you to create an account, which is usually:
  
   * sAMAccountName - this attribute is sometimes not generated by default (mainly if it isn't used as Uid). If so, you must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default.   * sAMAccountName - this attribute is sometimes not generated by default (mainly if it isn't used as Uid). If so, you must create it manually. Use the button **Add**, fill in the name "sAMAccountName", type "java.lang.String", able to read, update, create and returned by default.
-  * __ENABLE__ - if you want to allow disabling a user in AD. This attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name "__ENABLE__" type "java.lang.Boolean", able to read, update, create and returned by default. * __NAME__ (synonymous to DN, hard-coded in the connector). This attribute should be generated by default. If not, use the button **Add**, fill in the name "__NAME__", type "java.lang.String", able to read, update, create and returned by default. +  * _\_ENABLE_\_ - if you want to allow disabling a user in AD. This attribute is not generated by default, so you can create it manually. Use the button **Add**, fill in the name "\_\_ENABLE\_\__ckgedit>, type "java.lang.Boolean", able to read, update, create and returned by default. * \_\_NAME\_\_ (synonymous to DN, hard-coded in the connector). This attribute should be generated by default. If not, use the button **Add**, fill in the name "\_\_NAME\_\__ckgedit>, type "java.lang.String", able to read, update, create and returned by default. 
-  * __PASSWORD__ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name "__PASSWORD__", type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString", able to update, create+  * \_\_PASSWORD\_\_ - this special attribute is used for setting the passwords for user accounts. User in AD can't be activated when a password is not set. This attribute is not created by default in the schema, so you must add it manually: name "\_\_PASSWORD\_\_", type "eu.bcvsolutions.idm.core.security.api.domain.GuardedString", able to update, create
   * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name "ldapGroups", type "java.lang.String", able to read, multivalued, able to create, edit, returned by default   * ldapGroups - use this attribute if you want to manage users' group membership. This attribute is not created by default, add it manually: name "ldapGroups", type "java.lang.String", able to read, multivalued, able to create, edit, returned by default
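Review bot: the restored text on the right of the __ENABLE__ item is damaged: the bullet starts as `_\_ENABLE_\_` with mixed escaping, and the two quoted names read `\_\_ENABLE\_\__ckgedit>` and `\_\_NAME\_\__ckgedit>`, where the `_ckgedit>` fragment looks like residue from the editor plugin rather than intended text, so restoring the old revision brings this breakage back. The `* __NAME__ ...` entry is also run onto the same line as the __ENABLE__ entry instead of being its own bullet, so the list shows four items where five attributes are described. Suggest writing both names exactly as `__ENABLE__` and `__NAME__` (consistent with the sAMAccountName and ldapGroups items) and moving the __NAME__ entry onto its own line. In the same hunk, the unchanged line above lists the generated object types as `__ACCOUNTS__`, while every later reference on the page uses `__ACCOUNT__`; one of the two is a typo.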
  
Line 134: Line 134:
  
   * **Operation type:**  Provisioning - we want to manage data in AD from CzechIdM   * **Operation type:**  Provisioning - we want to manage data in AD from CzechIdM
-  * **Object name:**  __ACCOUNT__ - this is a standard type of scheme object in AD+  * **Object name:**  \_\_ACCOUNT\_\_ - this is a standard type of scheme object in AD
   * **Entity type:**  Identity - this entity type in CzechIdM we want to provision   * **Entity type:**  Identity - this entity type in CzechIdM we want to provision
   * As **Mapping name**  set whatever you want, for example **AD users prov mapping**.   * As **Mapping name**  set whatever you want, for example **AD users prov mapping**.
Line 151: Line 151:
 Other options may stay with default values. Other options may stay with default values.
  
-**__ENABLE__**, mapping configuration is almost the same as **sAMAccountName**, but do not set it as identifier. Map this schema attribute to entity attribute "Disabled". You should also add transformation to the system, because CzechIdM holds the attribute "disabled" and AD has attribute "enable". So the transformation should return opposite value of the attribute in CzechIdM. To do so, click on the **Insert script**  button in "Transformation to system" window and find the script **getOppositeBoolean**. This will fill the window with the script call, but you must also add the line ''.addParameter('attributeValue', attributeValue)''  after the similar line with "scriptEvaluator" (see [[.:transformation_scripts#a_library_script_use|this tutorial]] for using Standard transformation scripts).+**\_\_ENABLE\_\_**, mapping configuration is almost the same as **sAMAccountName**, but do not set it as identifier. Map this schema attribute to entity attribute "Disabled". You should also add transformation to the system, because CzechIdM holds the attribute "disabled" and AD has attribute "enable". So the transformation should return opposite value of the attribute in CzechIdM. To do so, click on the **Insert script**  button in "Transformation to system" window and find the script **getOppositeBoolean**. This will fill the window with the script call, but you must also add the line ''.addParameter('attributeValue', attributeValue)''  after the similar line with "scriptEvaluator" (see [[.:transformation_scripts#a_library_script_use|this tutorial]] for using Standard transformation scripts).
  
-If you also want to create entities in AD, which is probable, map **__NAME__**  attribute that holds the DN of the account in AD. The configuration of the attribute may look like:+If you also want to create entities in AD, which is probable, map **\_\_NAME\_\_**  attribute that holds the DN of the account in AD. The configuration of the attribute may look like:
  
-  * Attribute in schema - __NAME__+  * Attribute in schema - \_\_NAME\_\_
-  * Name - DN(__NAME__)+  * Name - DN(\_\_NAME\_\_)
   * Entity attribute - true   * Entity attribute - true
   * Entity field - user name. In case that the DN on AD consists of the login of the user. Otherwise, you should choose other attribute or EAV.   * Entity field - user name. In case that the DN on AD consists of the login of the user. Otherwise, you should choose other attribute or EAV.
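Review bot: the last item of the DN mapping list, "Entity field - user name. In case that the DN on AD consists of the login of the user. Otherwise, you should choose other attribute or EAV.", contains a sentence fragment; suggest "Entity field - user name, if the DN in AD is built from the user's login; otherwise choose another attribute or an EAV." The escaping change to `\_\_NAME\_\_` on the other lines is consistent with the rest of the restored revision.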
Line 165: Line 165:
 If you want to send passwords into Active Directory, you need to configure SSL communication. If you want to send passwords into Active Directory, you need to configure SSL communication.
  
-To enable passwords provisioning, add the attribute **__PASSWORD__**  to the schema attributes (as written above) and map it as follows:+To enable passwords provisioning, add the attribute **\_\_PASSWORD\_\_**  to the schema attributes (as written above) and map it as follows:
  
-  * Attribute in schema - __PASSWORD__+  * Attribute in schema - \_\_PASSWORD\_\_
-  * Name - __PASSWORD__+  * Name - \_\_PASSWORD\_\_
   * Entity attribute - false   * Entity attribute - false
   * Attribute with password - true   * Attribute with password - true
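Review bot: the escaping change on the __PASSWORD__ lines is fine, but the lead sentence "you need to configure SSL communication" is imprecise for a password-provisioning section: Active Directory only accepts writes to the password attribute over an encrypted LDAP session (LDAPS, or TLS established on the connection), so the text should name the encrypted LDAP connection rather than "SSL", and could point at where on the system configuration it is enabled. It would also help to say that "Entity attribute - false" together with "Attribute with password - true" means the value is supplied by the IdM password change flow, not read from an identity field, since that is the reason the mapping differs from the others in this tutorial.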
Line 178: Line 178:
 * We need to change the password when logging into AD **for a new user account**  * We need to force a password change but **only after a password reset** * We need to change the password when logging into AD **for a new user account**  * We need to force a password change but **only after a password reset**
  
-1/ To force a password change for newly created users, map the **"pwdLastSet"**  attribute. The attribute should be in the generated system schema, object "**__ACCOUNT__**" name "pwdLastSet", Data type "java.lang.Boolean". So add the attribute to the mapping and put "return true" in the transformation script(Transformation to system) and set the strategy "Write only on create of the entity".+1/ To force a password change for newly created users, map the **"pwdLastSet"**  attribute. The attribute should be in the generated system schema, object "**\_\_ACCOUNT\_\_**" name "pwdLastSet", Data type "java.lang.Boolean". So add the attribute to the mapping and put "return true" in the transformation script(Transformation to system) and set the strategy "Write only on create of the entity".
  
 2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"**  and strategy "Set value as it is". This can only be set since IdM version 11.0. In the picture you can see the attribute in the active directory. 2/ If we need to force password change every time password is reset, map attribute pwdLastSet too, but **with checkbox "Include on password" and "Include only when password is changed"**  and strategy "Set value as it is". This can only be set since IdM version 11.0. In the picture you can see the attribute in the active directory.
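Review bot: the two requirements at the top of this hunk are run onto one line ("* We need to change the password when logging into AD ... * We need to force a password change but only after a password reset") and should be two separate bullets; otherwise the "1/" and "2/" steps below have nothing to number against. In step 1, "transformation script(Transformation to system)" is missing a space before the parenthesis. Both steps map the same pwdLastSet attribute with different strategies ("Write only on create of the entity" with `return true` versus "Include only when password is changed" with "Set value as it is"), so the text should state whether these are alternatives or can be configured together, rather than leaving the reader to guess.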
Line 238: Line 238:
  
   * Go to **Configuration**  → **Specified attributes to be returned (multi)**, add **extensionAttribute1**  to a new line under existing values.   * Go to **Configuration**  → **Specified attributes to be returned (multi)**, add **extensionAttribute1**  to a new line under existing values.
-  * Go to **Scheme**  → **__ACCOUNT__**  → use the button **Add**, fill in the name **extensionAttribute1**, type "java.lang.String", select able to read, update, create and returned by default.+  * Go to **Scheme**  → **\_\_ACCOUNT\_\_**  → use the button **Add**, fill in the name **extensionAttribute1**, type "java.lang.String", select able to read, update, create and returned by default.
   * Go to **Mapping**  → **Provisioning mapping**  → use the button **Add**  and map the attribute according to your choice. The following example can be used when you want to fill the extensionAttribute1 by personal numbers of identities   * Go to **Mapping**  → **Provisioning mapping**  → use the button **Add**  and map the attribute according to your choice. The following example can be used when you want to fill the extensionAttribute1 by personal numbers of identities
       * Attribute in schema - extensionAttribute1       * Attribute in schema - extensionAttribute1