Connect your target Active Directory

Integrate your target Active Directory with midPoint to establish the groundwork for centralized identity governance and administration across the HRIS and AD platforms.

What awaits you in this module

Just as you created the midPoint resource for the HR information system, you will now create a second resource for your target Active Directory system. After you establish the connection to the AD server, you will set up an object type for the accounts and another for the groups in AD.

Because this guide follows the original MID-301 training course, you will create the Active Directory resource from a preconfigured template. The guide uses an LDAP server to simulate the Active Directory server.

If you are configuring everything on your own, you need to configure the resource so that midPoint can connect to the target application. This is out of the scope of this guide. If you are unsure how to fill in the connection details in midPoint, ask your system administrators for help. The LDAP resource examples and the documentation of the LDAP-based connector for AD servers may also help.

1. Create a new resource for the target application

Create a new resource and copy the configuration from the template that is preconfigured in the training Docker image. This guide uses the simplified deployment mainly to save your time and to spare you system management details that are probably outside the scope of your real-life duties.

  1. Create a new resource and use the Copy From Template option.

  2. In the Resource catalog screen, select the Training Active Directory Resource Template template (it uses the LDAP connector).

  3. Name the resource, e.g., AD.

  4. Keep the lifecycle state set to Proposed until you finish the whole configuration of the resource.

  5. Configure the connection to the AD (LDAP) server.
    These are the connection details for the MID-301 training Docker images:

    • Host: ad

    • Port: 389

    • Bind DN: cn=idm,ou=Administrators,dc=example,dc=com

    • Bind password: secret

  6. Keep the rest of the settings as preconfigured in the template.

Optionally, after you create the resource, click Preview Resource Data and select the inetOrgPerson object class to view the accounts in the AD application.

2. Configure the AD resource object type

Similarly to the HRIS, AD also needs a resource object type for the accounts stored in it. In addition to the accounts, AD contains groups, so you need to define a resource object type for groups as well.

Both object types are preconfigured in the MID-301 training template, meaning you can skip this section if you use the template.

If you need to define the object types on your own:

  • The account object type should be of the Account kind, inetOrgPerson class, and User type.

  • The group type should be of the Entitlement kind, custom-defined intent, groupOfNames class, and undefined type.

  • Neither should use an archetype.

Figure 1. AD resource object types for users and groups.
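The connection details from step 1 and the two object types from section 2, written out as a midPoint resource definition. This is an added example, not the training template or any midPoint sample; the OID, the resource name AD, the intent name group, and the baseContext dc=example,dc=com (derived from the bind DN) are assumptions.

```xml
<!-- Added example: minimal midPoint resource for the training AD (LDAP) server.
     Not the training template; the OID and baseContext are assumed values. -->
<resource oid="00000000-0000-0000-0000-0000000000ad"
          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
    <name>AD</name>
    <!-- Step 4: stays Proposed until the configuration is finished, so midPoint
         does not provision anything to the server in the meantime -->
    <lifecycleState>proposed</lifecycleState>
    <!-- The template's LDAP connector, looked up by its connector type -->
    <connectorRef type="ConnectorType">
        <filter>
            <q:equal>
                <q:path>connectorType</q:path>
                <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
    <!-- Step 5: connection details of the MID-301 Docker images -->
    <connectorConfiguration>
        <icfc:configurationProperties>
            <icfcldap:host>ad</icfcldap:host>
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext> <!-- assumed -->
            <icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
            <!-- clearValue is accepted on import; midPoint stores the value encrypted -->
            <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
        </icfc:configurationProperties>
    </connectorConfiguration>
    <schemaHandling>
        <!-- Account kind, inetOrgPerson class, User focus type, no archetype -->
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <focus><type>c:UserType</type></focus>
        </objectType>
        <!-- Entitlement kind, custom intent, groupOfNames class, no focus type -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group</intent>
            <objectClass>ri:groupOfNames</objectClass>
        </objectType>
    </schemaHandling>
</resource>
```

Importing this object produces the same resource the GUI steps build; the password is the one weak point, so keep it out of version control and let midPoint encrypt it on import.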

Next steps

With the target application connected, you are ready to proceed with preparations to reconcile the AD and HRIS accounts.
