17. One Identity AD
March 25, 2020
17:55
Identity Manager 8.1 - Administration Guide for Connecting to Active Directory (oneidentity.com)
6) Connecting to AD
PersonAutoFullSync – Search: searches for and links existing users in the One Identity database.
If a user is not in the DB but exists in AD, it will not be created in the DB.
Search and Create: existing users are linked to their AD accounts, and if a user exists in AD but not in the DB, it is created in the DB.
Set to SEARCH.
PersonAutoDefault: the same, but in the direction of AD (TO BE CLARIFIED!!!). Set to SEARCH.
PersonUpdate: controls data between the DB and AD.
Changes in AD lead to changes in Person. Disabled.
Creating a user in AD
https://support.oneidentity.com/technical-documents/identity-manager/8.0/configuration-guide/31
The script is in the ADSAccount table (Designer - Table – Person - ADSAccount).
How to Create Employees From ADSAccounts (150319)
Description
What are the steps required to provision Employee objects from ADSAccounts?
Resolution
Please note: the following steps are specific to version 6.1.x. For version 7.x and above there is some overlap, but many of the specific process names, for example, have changed.
The creation of Employees based on ADSAccounts is implemented out-of-the-box.
To control the behavior there are the configuration parameters available:
Using TargetSystem\ADS\PersonAutoFullSync with the CREATE option, a sync will create the Employees based on existing AD accounts.
Using TargetSystem\ADS\PersonAutoDefault will work as well, with CREATE, when an ADSAccount is created.
One action is done by the FullSync (TargetSystem\ADS\PersonAutoFullSync), the other for all manual actions (TargetSystem\ADS\PersonAutoDefault).
In the end either the process "VI_ADS/EX2K_ADSAccount_Insert/Update (Fullsync)" will be generated (for inserts/updates of accounts by the sync) or the process "VI_ADS_ADSAccount_Update_UpdatePerson" (for manual inserts/updates).
Both processes contain a ScriptExec job which executes the script "VI_PersonUpdate_ADS" or "VI_PersonAuto_ADS".
The creation of an Employee for the given account is implemented in these scripts. So it would be possible to use these scripts to create Employee objects: either call the script for single cases in the ObjectBrowser (ScriptTester) or in the Designer, or create a custom defined process/script/... which calls one of the mentioned scripts.
https://support.oneidentity.com/identity-manager/kb/150319/how-to-create-employees-from-adsaccounts
Creating an Employee based on an AD account for one domain only
1) Configure TargetSystem\ADS\PersonAutoFullSync = SEARCH AND CREATE
2) Based on the script ADS_PersonAuto_Mapping_ADSAccount (process ADS_ADSDomain_SearchandCreate_Person_PostSync and process ), create a script.
In it, at line 215, where

```vb
If String.IsNullOrEmpty(persUid) And InStr(1, VID_UCase(searchMode), "CREATE") > 0 Then
```

insert the same condition, additionally requiring that the account's domain is the one named in Custom\DomainAllowCreatePerson, or that the parameter is set to "1":

```vb
If String.IsNullOrEmpty(persUid) And InStr(1, VID_UCase(searchMode), "CREATE") > 0 _
   And (myAcc.CreateWalker(Session).GetValue("FK(UID_ADSDomain).DisplayName") = Connection.GetConfigParm("Custom\DomainAllowCreatePerson") _
        Or Connection.GetConfigParm("Custom\DomainAllowCreatePerson") = "1") Then
```

Before this, create the configuration parameter "Custom\DomainAllowCreatePerson".
Problem: the schema does not load when creating an AD connector ("Error accessing schema: Directory server.").
Check that the following ports are open:
TCP
- 445 (SMB)
- 88 (Kerberos, authentication for SMB)
- 389 (LDAP)
- 636 (LDAPS)
UDP
- 389 (LDAP) - for discovery
This is because the SyncEditor uses named pipes:
PIPE\wkssvc
PIPE\lsarpc
Fault tolerance of the AD connector
You could convert the CP_ADServer variable into a scripted variable in the sync project (for a FullSync my comments from above apply. No synchronization optimization allowed then).
In the script, you could determine a DC of your domain and do some other checks as well (ping, login, whatsoever).
The sample script is just taking the first domain controller it gets from the collection: Further enhancements would be to check the DC classes, ping time, etc.
```vb
References System.DirectoryServices.dll
Imports System.DirectoryServices.ActiveDirectory

' Derive the DNS domain name from the root DN, e.g. dc=corp,dc=example,dc=com -> corp.example.com.
' Lower-cased first, because String.Replace is case-sensitive and the DN may be stored as DC=...
Dim RootDN As String = VariableSet.Item("CP_ADRootdn")
Dim DomainName As String = RootDN.ToLowerInvariant().Replace(",dc=", ".").Replace("dc=", "")
Dim DomainCon As New DirectoryContext(DirectoryContextType.Domain, DomainName)
Dim DCs As DomainControllerCollection = Domain.GetDomain(DomainCon).DomainControllers

' Take the first domain controller in the collection (no reachability check)
Return DCs.Item(0).Name

'For Each DC As DirectoryServices.ActiveDirectory.DomainController In DCs
'    Return DC.Name
'Next
```
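As an added example (not the forum poster's script and not One Identity code), the same scripted variable extended with the reachability check the reply suggests: it walks the DC collection and returns the first DC that accepts an LDAP bind with the sync account. The variable names CP_ADUser and CP_ADPassword are assumptions; substitute the names your sync project uses.

```vb
' Added example: scripted variable for CP_ADServer that returns the first domain
' controller that answers an LDAP bind, instead of blindly taking DCs.Item(0).
' Assumed: sync project variables CP_ADRootdn, CP_ADUser and CP_ADPassword exist.
References System.DirectoryServices.dll
Imports System.DirectoryServices
Imports System.DirectoryServices.ActiveDirectory

Dim RootDN As String = CStr(VariableSet.Item("CP_ADRootdn"))
' dc=corp,dc=example,dc=com -> corp.example.com (lower-cased: Replace is case-sensitive)
Dim DomainName As String = RootDN.ToLowerInvariant().Replace(",dc=", ".").Replace("dc=", "")
Dim DomainCon As New DirectoryContext(DirectoryContextType.Domain, DomainName)
Dim DCs As DomainControllerCollection = Domain.GetDomain(DomainCon).DomainControllers
Dim errors As New System.Text.StringBuilder()

For Each DC As DomainController In DCs
    Try
        ' Bind to the domain naming context on this specific DC with the sync account.
        ' Secure + Sealing = Kerberos/NTLM-authenticated and encrypted, never a simple bind.
        Using entry As New DirectoryEntry("LDAP://" & DC.Name & "/" & RootDN, _
                                          CStr(VariableSet.Item("CP_ADUser")), _
                                          CStr(VariableSet.Item("CP_ADPassword")), _
                                          AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
            entry.RefreshCache()   ' forces the bind; throws if the DC is unreachable or rejects it
        End Using
        Return DC.Name             ' first DC that answered wins
    Catch ex As Exception
        ' DC down, port blocked or bind rejected: record why and try the next one
        errors.AppendLine(DC.Name & ": " & ex.Message)
    End Try
Next

' No DC answered: fail the sync with a useful message rather than an empty server name.
Throw New Exception("No reachable domain controller in " & DomainName & vbCrLf & errors.ToString())
```

Because every DC in the collection is tried in turn, a DC that is down or behind a closed firewall only costs one failed bind before the next candidate is used.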
Ports
Communications Port and Firewall Configuration
One Identity Manager is made up of several components that can be executed in different network segments. In addition, One Identity Manager requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.
The following ports are required:
| Default port | Description |
|---|---|
| 1433 | Port for communicating with the One Identity Manager database. |
| 1880 | Port for the HTTP protocol of One Identity Manager Service. |
| 2880 | Port for access tests with the Synchronization Editor, such as in the target system browser or for simulating synchronization. |
| 80 | Port for accessing web applications. |
| 88 | Kerberos authentication system. (if Kerberos authentication is implemented). Required for authentication against Active Directory. |
| 135 | Microsoft End Point Mapper (EPMAP) (also, DCE/RPC Locator Service). |
| 137 | NetBIOS Name Service. |
| 139 | NetBIOS Session Service. |
| 389 | Lightweight Directory Access Protocol (LDAP Standard). Target system server communications port. |
| 445 | Microsoft-DS Active Directory, Windows shares. Required for synchronization (TCP/UDP). |
| 53 | Domain Name System (DNS), mainly through UDP. Required for access to the Active Directory total structure. |
| 636 | Lightweight Directory Access Protocol using TLS/SSL (LDAPS). Required for access to the Active Directory total structure. |
| 3268 | Global catalog. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings. |
| 3269 | Global catalog over SSL. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings. |
Table 3: Communications port
According to Microsoft, port 445 is needed even for authentication to AD.
Authentication to AD
AD uses the following ports to support user and computer authentication, according to the Active Directory and Active Directory Domain Services Port Requirements article:
- SMB over IP (Microsoft-DS): port 445 TCP, UDP
- Kerberos: port 88 TCP, UDP
- LDAP: port 389 UDP
- DNS: port 53 TCP, UDP
- RPC: dynamically assigned ports TCP, unless restricted
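An added example (not from the One Identity documentation) that verifies the AD-side TCP ports from the table above and from the schema-loading troubleshooting note earlier, run from the host where the Synchronization Editor or the Job server lives. The domain controller name is a placeholder.

```vb
' Added example: stand-alone VB.NET check that the TCP ports the AD connector needs
' are reachable. UDP 389 (CLDAP discovery) and dynamic RPC ports cannot be verified
' with a TCP connect and are left out on purpose.
Imports System.Collections.Generic
Imports System.Net.Sockets

Module AdPortCheck
    ' 3268/3269 are either/or depending on the connection settings; both are listed here.
    Private ReadOnly RequiredTcpPorts As Integer() = {53, 88, 135, 389, 445, 636, 3268, 3269}

    ' Returns True when a TCP handshake to host:port completes within timeoutMs.
    Public Function IsTcpPortOpen(host As String, port As Integer, timeoutMs As Integer) As Boolean
        Try
            Using client As New TcpClient()
                Dim ar As IAsyncResult = client.BeginConnect(host, port, Nothing, Nothing)
                If Not ar.AsyncWaitHandle.WaitOne(timeoutMs) Then
                    Return False             ' filtered/dropped by a firewall: no SYN-ACK in time
                End If
                client.EndConnect(ar)        ' throws on RST (port closed) or DNS failure
                Return True
            End Using
        Catch ex As SocketException
            Return False
        End Try
    End Function

    ' Checks every required port and returns the ones that are NOT reachable.
    Public Function MissingPorts(host As String) As List(Of Integer)
        Dim missing As New List(Of Integer)
        For Each port As Integer In RequiredTcpPorts
            If Not IsTcpPortOpen(host, port, 2000) Then missing.Add(port)
        Next
        Return missing
    End Function

    Sub Main()
        Dim dc As String = "dc01.corp.example.com"   ' placeholder: your domain controller
        Dim missing As List(Of Integer) = MissingPorts(dc)
        If missing.Count = 0 Then
            Console.WriteLine("All required TCP ports are reachable on " & dc)
        Else
            Console.WriteLine("Blocked or closed TCP ports on " & dc & ": " & String.Join(", ", missing))
        End If
    End Sub
End Module
```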
