June 5, 2018 at 11:42 am #22208
Hi. I have set up an LDAP Connector to create Users in my Active Directory. Everything works fine but when I create Users they are always deactivated at first. How can I fix that?

June 5, 2018 at 11:53 am #22209
Can you share the JSON payload you use when creating a user?

June 5, 2018 at 12:14 pm #22211
Honestly I am really new to all this and don’t know what you mean by that. I’m sorry!

June 5, 2018 at 12:17 pm #22212
How do you create the user in AD?

June 5, 2018 at 12:20 pm #22213
I’m using the Admin UI. I used this https://forum.forgerock.com/2016/12/beginners-guide-openidm-part-6-provisioning-active-directory as a tutorial.

June 5, 2018 at 12:25 pm #22214
To create an active user in AD, you need to provide a password and make sure the ‘enabled’ flag is set to true.
If you use an HTTP client like curl, a typical JSON payload would look like:
{
  "dn": "CN=Test CreatefromOpenIDM,OU=create,DC=example,DC=com",
  "__PASSWORD__": "Passw0rd",
  "displayName": "Test CreatefromOpenIDM",
  "userPrincipalName": "[email protected]"
}

June 5, 2018 at 12:38 pm #22215 Bill Nelson (Participant)
What Gael is showing you are the command line details using a client like curl. I suspect that you may be using the Admin Console to attempt to provision this user, however, is that correct? If so, then
1) make sure that all of the attributes that Gael has shown above (__PASSWORD__, sn, givenName, displayName, sAMAccountName, __ENABLE__, and userPrincipalName) are all detailed in your provisioner (aka “connector”).
(You can see this in the openidm/conf/provisioner-openicf-userdirectory.json file on the filesystem, or you can attempt to navigate the UI to the connector section, edit the userdirectory connector details, and then look at the attribute properties configured. I find it easier to look directly at the config file.)
2) make sure that all of these attributes all appear in your mapping between OpenIDM and AD
(You can see this in the openidm/conf/sync.json file in the managedUser_systemUserDirectory mapping [or something like that]. You can also look for this mapping in the mappings section in the Admin UI, but again, I prefer the command line.)
As Gael mentions, you need to set the __ENABLE__ flag to true for the user to be enabled.
(Note: __ENABLE__ is a variable reference which, under the covers, simply points to the userAcctControl in AD)
While Wayne’s tutorial is nice, it leaves out a few details as it does not show all the attributes or attribute values that are needed to complete the provisioning to AD.
bill

June 5, 2018 at 1:53 pm #22219
Ok, so I have to create the two properties __ENABLE__ and __PASSWORD__ in the Account Object Types of my Connector. After that how do I add them to my mapping? Like what do I use as Source and Target? Sorry that I seem kinda lost but it’s just a lot of new stuff that I need to learn.
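
Added example, not part of any post in this thread: a pre-flight check in Python for the create payload discussed above, plus a decoder for the AD userAccountControl value that the __ENABLE__ flag is described as pointing to. The helper names (check_payload, decode_uac, is_enabled), the sample attribute values and the sample userPrincipalName are constructed for illustration; the flag bits are the standard Active Directory ones.

```python
# Added example, not code from the thread. Attribute names are the ones that
# appear in the posts above; flag values are the documented AD
# userAccountControl bits.
REQUIRED = ("dn", "__PASSWORD__", "sn", "givenName", "displayName",
            "sAMAccountName", "__ENABLE__", "userPrincipalName")
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}


def check_payload(payload):
    """List the problems that would leave the new AD account disabled or incomplete."""
    problems = [f"missing attribute: {name}" for name in REQUIRED
                if payload.get(name) in (None, "")]
    # A string such as "true" is not the JSON boolean the enable flag expects.
    if "__ENABLE__" in payload and payload["__ENABLE__"] is not True:
        problems.append("__ENABLE__ must be the JSON boolean true")
    return problems


def decode_uac(value):
    """Names of the known userAccountControl bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled(value):
    """An account is enabled when the ACCOUNTDISABLE bit (0x0002) is clear."""
    return not value & 0x0002


# Constructed samples: AS_POSTED carries only the attributes visible in the
# payload above (with a made-up userPrincipalName); COMPLETE adds the rest
# with made-up values.
AS_POSTED = {
    "dn": "CN=Test CreatefromOpenIDM,OU=create,DC=example,DC=com",
    "__PASSWORD__": "Passw0rd",
    "displayName": "Test CreatefromOpenIDM",
    "userPrincipalName": "test.create@example.com",
}
COMPLETE = dict(AS_POSTED, sn="CreatefromOpenIDM", givenName="Test",
                sAMAccountName="tcreate", __ENABLE__=True)

if __name__ == "__main__":
    for label, payload in (("as posted", AS_POSTED), ("complete", COMPLETE)):
        print(label, check_payload(payload) or "ok")
    for uac in (514, 512, 546):  # values as read back from AD after a create
        state = "enabled" if is_enabled(uac) else "disabled"
        print(uac, decode_uac(uac), state)
```

Reading userAccountControl back after a create and decoding it this way shows whether the account landed disabled (514) or enabled (512), and flags PASSWD_NOTREQD (546), which is worth reviewing on any provisioned account.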