Systems - AD: Manage Organizational structure
Introduction
This manual describes how to manage OUs in AD based on Organizational structure in CzechIdM. Following guide creates system to create/delete/modify OUs in AD based on changes on Organizational structure in CzechIdM.
This guide expects that you have already connected AD for managing Users and by that general issues with connection and certificates are properly handled - reference tutorial for conencting AD for users with Wizard for more information.
Basic settings
- In Systems, click Add button button
- Click MS AD Users ( you will not use full wizard, but initial steps are the same)
- Fill all values into Connection to AD, Certificate and Permission steps as you did for connecting users
- Close the wizard
- Open details of newly created system
- in Configuration change connector to net.tirasa.connid.bundles.ldap.LDAPConnector (connid)
- in Scheme click Generate the Scheme
By this you have established basic settings.
Mapping - provisioning - base
- in Mapping, Add new mapping
- Set following
- Operation type - Provisioning
- Mapping name - Mapping
- Object name - ACCOUNT
- Entity type - Tree (this will add one extra option below)
- Tree type - select the only existing organizational structure (or select proper one, if you have more on your specific project)
By this you have established basic mapping which will need to be filled with attributes.
Mapping - provisioning - attributes
Attributes might differ based on project, following are only example and need to be verified by checking what are key parameters on your project.
- NAME - this parameter is *identifier*, and it is most probably DN. It will need proper script developed and applied in Transformation to system to calculate DN of OU based on its position in organization tree.
- ou - in example this attribute equates code of entity in organizational structure. If that is your case as well, then it will have Entitity attr. set to yes and Entity field set to Code (String).
By this you have established main attributes. This will apply for all entities in organizational structure in CzechIdM - in most cases you need to restrict it based on following step.
Mapping - provisioning - restriction
You will most probably need to restrict, what entities from organizational structure should be created in AD: To do so, in details of mapping you go to list Account management.
Following simple script blocks creating for two specific nodes “Contractors” and “Employees” and allow it for any other. You need to modify it for your usecase.
if (entity.getCode().equals("Contractors")) { return Boolean.FALSE } if (entity.getCode().equals("Employees")) { return Boolean.FALSE } return Boolean.TRUE
By this you have established mapping for provisioning.
Issues with update of OU
You might get to the usecase that creation and deletion of OU will work, but modification will fail. Most common reason is that some of the attributes need to be filled during creation, but they are automatically updated on AD side during update and CzechIdM attempt to update it as well - which cause collision of this two processes and ends in the error.
In such case, go to Scheme - Account and find the attributes you use in mapping. For that attribute, unselect Able to edit. Attribute ou mapped above is example of the attribute which might be autoupdated based on change of DN.