Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
tutorial:adm:manage_ldap [2019/01/17 12:16] apeterova uid attribute |
tutorial:adm:manage_ldap [2020/08/24 17:32] (current) apeterova generate scheme - multivalued attributes |
||
|---|---|---|---|
| Line 13: | Line 13: | ||
| Thereafter fill important fields. | Thereafter fill important fields. | ||
| - | **Example configuration for our local LDAP: | + | **Example configuration for our local LDAP: |
| <note important> | <note important> | ||
| Switch on **Use VLV Controls** and set **VLV Sort Attribute** to the same value as **Uid Attribute**. Otherwise, searching of accounts doesn' | Switch on **Use VLV Controls** and set **VLV Sort Attribute** to the same value as **Uid Attribute**. Otherwise, searching of accounts doesn' | ||
| </ | </ | ||
| + | |||
| + | ==== Base Contexts ==== | ||
| + | |||
| + | The property **Base Contexts** contains one or more starting points in the LDAP tree that will be used when searching the tree. | ||
| + | |||
| + | When you run synchronization in the reconciliation mode, the connector starts the search for every value in the Base Context separately. The search uses paging, which means that the entries are processed in blocks consisting of (by default) 100 records according to the configured (VLV) sort. Be careful, when you have multiple values in the Base Contexts and you **modify distinguished name** of the entries **during the reconciliation**. If entries are moved to a different base, then other entries may be omitted due to the paging and they fall to the **Missing account** state. So try to avoid this use case at all. | ||
| ===== Scheme ===== | ===== Scheme ===== | ||
| Line 23: | Line 29: | ||
| You can let CzechIdM generate scheme for you by click on **Generate scheme** button. | You can let CzechIdM generate scheme for you by click on **Generate scheme** button. | ||
| + | |||
| + | < | ||
| + | Generating of a scheme usually marks most attributes as **multivalued** (even for e.g. givenName, sn, cn). This may be OK, but it may also complicate things if you want to fill these attributes from EAVs and transform them - [[https:// | ||
| + | So make sure to check what was generated. | ||
| + | </ | ||
| + | |||
| But if you want to set everything by yourself: | But if you want to set everything by yourself: | ||
| Line 29: | Line 41: | ||
| * Set all attributes as **Able to read** | * Set all attributes as **Able to read** | ||
| - | //Example scheme:// | + | //Example scheme:// |
| Line 43: | Line 55: | ||
| At first set: | At first set: | ||
| - | * **Operation type: | + | * **Operation type: |
| * **Object name:** \_\_ACCOUNT\_\_ | * **Object name:** \_\_ACCOUNT\_\_ | ||
| * **Entity type:** Identity | * **Entity type:** Identity | ||
| - | * As **Mapping name** set whatever you want to, for example | + | * As **Mapping name** set whatever you want to, for example |
| Then map all columns as entity attributes as you can see it on picture below. Just **\_\_NAME\_\_** set as identifier. | Then map all columns as entity attributes as you can see it on picture below. Just **\_\_NAME\_\_** set as identifier. | ||
| Line 67: | Line 79: | ||
| You can leave the rest of configuration at the default values. | You can leave the rest of configuration at the default values. | ||
| - | //Example provisioning results:// | + | //Example provisioning results:// |
| - | + | ||
| + | ===== Create LDAP role in IdM ===== | ||
| + | To provision an account to LDAP, one must create a role for the system with LDAP provisioning mapping. | ||
| + | * Create a role e.g. "LDAP - user" and save it | ||
| + | * Go to System tab on role detail and add a system LDAP created in this tutorial and save. | ||
| + | To provision a user to LDAP, assign them a role "LDAP - user". The provisioning will be provided as soon as the role is assigned to the user. The state of the provisioning you can check at the user profile detail at the tab " | ||