tutorial:adm:manage_ldap, revision [2025/10/03 10:22] (current) by fiserp, compared against revision [2019/08/08 15:18] by poulm (edit summary: Provisioning). The text below is the current revision.

====== Systems - LDAP: Manage users ======

===== Introduction =====
This tutorial will guide you through connecting LDAP as a target system for user management within CzechIdM. We will use the default LDAP connector provided by ConnId.
  
===== Basic configuration =====
Navigate to the **Systems** section from the main menu and use the **Add** button above the list of current systems. On the first page, simply enter the system name. If your default password policy does not meet the requirements of your LDAP configuration, you may need to configure a new password policy here.
  
===== Connector configuration =====
In the next step, switch to the **Configuration** menu of your new system. First, select the connector, which in this case is the **LDAP connector**. This opens the configuration specific to that connector.
Thereafter, fill in the important fields.

//Example configuration for our local LDAP:// TODO
  
<note important>
Enable **Use VLV Controls** and set the **VLV Sort Attribute** to the same value as the **Uid Attribute**. Otherwise, account searches do not work correctly in the current version of the LDAP connector (the first result is skipped due to a bug).
</note>

==== Base Contexts ====
The **Base Contexts** property contains one or more starting points in the LDAP directory tree that are used for searches.

When synchronization runs in reconciliation mode, the connector starts a separate search for every value in Base Contexts. Each search is paged: entries are processed in blocks of (by default) 100 records, ordered by the configured (VLV) sort attribute, and each block is fetched from the live directory by its offset in that ordering.

Be careful if you have multiple values in Base Contexts and you **modify distinguished names** of entries **during reconciliation**. If an entry is moved to a different base while its original base is still being paged through, the entries after it shift down by one position in the sorted result set; the entry that slides below the next block's offset is never fetched, so unrelated accounts end up in the **Missing account** state. Avoid this scenario altogether.
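The paging hazard described above, as an added example that is not part of this tutorial or of the ConnId connector code: a small Python model of offset-based paged searches over several base contexts. The block size, base names and entries are constructed for the demo; the real connector pages by 100 records and talks to a directory server, but the offset arithmetic that loses an entry is the same whenever an entry leaves the sorted result set between two blocks.

```python
"""Model of paged (VLV-style) reconciliation over several LDAP base contexts.

Added example, not part of the tutorial or of the ConnId LDAP connector.
It models the behaviour the text describes: one paged search per base
context, entries sorted by the VLV sort attribute (uid here) and fetched
in fixed-size blocks by offset from the *current* directory content.
"""

BLOCK_SIZE = 3  # constructed; the real connector defaults to 100


def paged_search(directory, base, block_size=BLOCK_SIZE, on_page=None):
    """Return the uids found under `base`, fetched block by block via offsets.

    `on_page(page_no)` is a hook called after every block; the demo uses it
    to move an entry between bases while the search is still running.
    """
    seen, offset, page_no = [], 0, 0
    while True:
        # A VLV server sorts whatever is in the directory *now*, not a snapshot.
        sorted_uids = sorted(e["uid"] for e in directory if e["base"] == base)
        block = sorted_uids[offset:offset + block_size]
        if not block:
            break
        seen.extend(block)
        offset += block_size
        page_no += 1
        if on_page is not None:
            on_page(page_no)
    return seen


def reconcile(directory, bases, block_size=BLOCK_SIZE, on_page=None):
    """Run one paged search per base context; return uids never seen.

    In CzechIdM those are the accounts that would end up as 'Missing account'.
    """
    seen = set()
    for base in bases:
        seen.update(paged_search(directory, base, block_size, on_page))
    return sorted({e["uid"] for e in directory} - seen)


def build_directory():
    # Constructed sample: seven people under ou=people, nothing under ou=external.
    return [{"uid": f"user{i:02d}", "base": "ou=people,o=example"} for i in range(1, 8)]


BASES = ["ou=people,o=example", "ou=external,o=example"]


def demo_no_moves():
    """Nothing changes during the run: every entry is fetched exactly once."""
    return reconcile(build_directory(), BASES)


def demo_move_during_reconciliation():
    """user01 is moved out of ou=people after the first block was fetched.

    The remaining entries shift left by one, so user04 falls below the
    offset of the second block and is skipped. user01 itself is still found
    later under ou=external, which is why the *unrelated* user04 goes missing.
    """
    directory = build_directory()

    def move_user01(page_no):
        if page_no == 1:
            for entry in directory:
                if entry["uid"] == "user01":
                    entry["base"] = "ou=external,o=example"

    return reconcile(directory, BASES, on_page=move_user01)


if __name__ == "__main__":
    print("missing without moves:", demo_no_moves())
    print("missing with a DN move mid-run:", demo_move_during_reconciliation())
```

The same loss occurs with a single base context whenever an entry is deleted or renamed out of the search scope mid-run; with multiple base contexts it is simply more likely, because moving an entry from one base to another is a routine operation.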
  
===== Scheme =====
Proceed to the **Scheme** menu on your system.
You can let CzechIdM generate the scheme for you by clicking the **Generate scheme** button.
<note>
A generated scheme typically marks most attributes as **multivalued** (even givenName, sn and cn). This may be acceptable, but it complicates matters if you intend to populate these attributes from EAVs and transform them - [[https://redmine.czechidm.com/issues/2452|see more]].
Make sure to verify what was generated.
</note>
If you prefer to configure everything manually:
  * Use the **Add** button to create a new scheme. For users, name it ''%%__ACCOUNT__%%'', as this is a ConnId constant.
  * Add all LDAP attributes you want to work with. Use the ConnId constant ''%%__NAME__%%'' for the identifier attribute.
  * Set all attributes as **Able to read**.
//Example scheme:// TODO
<note tip>
The **uid** attribute must have the following checkboxes enabled: **Able to read**, **Able to create** and **Returned by default**. The **Able to create** checkbox is crucial if you manage posixGroups: the LDAP connector requires the **uid** attribute during creation when **posixGroups** is also set, and otherwise throws the error ''Cannot add entry "uid=john.doe,ou=people,o=domain,c=tld" to POSIX groups because it does not have a "uid" attribute''.

On the other hand, the **Able to edit** checkbox must not be enabled if **uid** is part of the distinguished name. Otherwise, changing **uid** results in the error ''javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - Not Allowed On RDN]''.
</note>
  
===== Mapping =====
Navigate to the **Mapping** menu. Here you define how the attributes of identities in CzechIdM correspond to the attributes of the LDAP scheme.
First, set:
  * **Operation type:** Provisioning
  * **Object name:** ''%%__ACCOUNT__%%''
  * **Entity type:** Identity
  * **Mapping name:** whatever you prefer, e.g. "Provisioning of users".
Then map all scheme attributes as entity attributes as in the example below. Ensure that ''%%__NAME__%%'' is set as the identifier.

//Example attribute mapping:// TODO
  
<note tip>
The distinguished name should be mapped to the ''%%__NAME__%%'' attribute. If the DN contains CN (common name, a typical setting), do not map the **cn** attribute again. The CN is already populated through the DN, and mapping it again means a change of CN can be rejected by LDAP with the error ''LDAP: error code 67 - Not Allowed On RDN''.
</note>
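Both RDN notes (uid in the Scheme section, cn here) come down to one rule: an ordinary modify of an attribute that forms the entry's RDN is refused by the server with result code 67, and such a value can only be changed through a rename (modrdn). The following Python pre-check is an added example, not part of CzechIdM or the ConnId connector: it parses a DN, flags a planned modification that would hit the RDN before it is sent, and builds the rename parameters to use instead. The DNs and attribute changes are constructed for the demo.

```python
"""Pre-flight check for attribute updates against entries whose RDN attribute
is also a mapped, editable attribute.

Added example, not part of the tutorial, CzechIdM or the ConnId connector.
It reproduces the server-side rule behind the "Not Allowed On RDN" errors
quoted in the tutorial: a modify of an RDN attribute to a different value is
refused with result code 67; the value has to be changed with a rename.
"""

NOT_ALLOWED_ON_RDN = 67  # LDAP result code, as in the quoted error messages


def _split_ava(text):
    """'uid=john.doe' -> ('uid', 'john.doe'); attribute types are lower-cased."""
    attr, _, value = text.partition("=")
    return attr.strip().lower(), value.strip()


def parse_dn(dn):
    """Split a DN into a list of RDNs; each RDN is a list of (attr, value).

    Handles backslash-escaped separators and multi-valued RDNs joined by '+'.
    """
    rdns, current, token, escaped = [], [], "", False
    for ch in dn:
        if escaped:
            token, escaped = token + ch, False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            current.append(_split_ava(token))
            token = ""
            if ch == ",":
                rdns.append(current)
                current = []
        else:
            token += ch
    current.append(_split_ava(token))
    rdns.append(current)
    return rdns


def rdn_attributes(dn):
    """Attribute types used in the leftmost RDN of `dn`."""
    return {attr for attr, _ in parse_dn(dn)[0]}


def check_modify(dn, changes):
    """Classify a planned modify the way the directory server would.

    `changes` maps attribute name -> new value. Returns (attribute, code,
    reason) for every attribute the server would refuse. Re-setting an RDN
    attribute to the value it already has is accepted (no RDN change).
    """
    rdn = dict(parse_dn(dn)[0])
    refused = []
    for attr, new_value in changes.items():
        key = attr.lower()
        if key in rdn and rdn[key] != new_value:
            refused.append((attr, NOT_ALLOWED_ON_RDN,
                            f"{attr} is part of the RDN of {dn}; use a rename (modrdn) instead"))
    return refused


def _escape(value):
    """Minimal RFC 4514 escaping for the separators this parser understands."""
    return "".join("\\" + c if c in ",+\\" else c for c in value)


def _join(rdns):
    return ",".join("+".join(f"{a}={_escape(v)}" for a, v in rdn) for rdn in rdns)


def plan_rename(dn, attr, new_value):
    """Build the modrdn parameters that replace a plain modify of an RDN attribute."""
    rdns = parse_dn(dn)
    target = attr.lower()
    if target not in {a for a, _ in rdns[0]}:
        raise ValueError(f"{attr} is not part of the RDN of {dn}; a plain modify is fine")
    new_first = [(a, new_value if a == target else v) for a, v in rdns[0]]
    return {"dn": dn, "new_rdn": _join([new_first]),
            "new_superior": _join(rdns[1:]), "delete_old_rdn": True}


if __name__ == "__main__":
    dn = "uid=john.doe,ou=people,o=domain,c=tld"   # constructed, as in the quoted error
    for attr, code, reason in check_modify(dn, {"uid": "jdoe", "sn": "Doe"}):
        print(f"refused {attr}: code {code}: {reason}")
    print(plan_rename(dn, "uid", "jdoe"))
```

In mapping terms, any attribute reported by ''check_modify'' is one that should not be marked **Able to edit** in the scheme, because CzechIdM would otherwise send exactly the modify that the server refuses.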
  
===== Provisioning =====
Finally, go to the **Provisioning** menu and add a new provisioning. Set its **Name** and these fields:
  * **Allowed:** true
  * **Set of mapped attributes:** Select the mapping from the previous step.
  * **Correlation attribute:** ''%%__NAME__%%''
You can leave the rest of the configuration at the default values.
  
//Example provisioning results:// TODO
  
===== Create LDAP role in IdM =====
To provision an account to LDAP, you must create a role for the system with the LDAP provisioning mapping.
  * Create a role, e.g. "LDAP - user", and save it.
  * Go to the **System** tab on the role detail page, add the LDAP system created in this tutorial, and save.
To provision a user to LDAP, assign them the role "LDAP - user". Provisioning runs as soon as the role is assigned. You can check the provisioning state on the user profile detail under the **Provisioning** tab.