You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: includes/active-directory-app-provisioning-ldap.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -60,17 +60,17 @@ Before deploying the connector to an existing directory server, you'll need to d
60
60
| account for the connector to identify itself to the directory server |Configuration wizard **Connectivity** page |`CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab`|
61
61
| password for the connector to authenticate itself to the directory server |Configuration wizard **Connectivity** page ||
62
62
| structural object class for a user in the directory server | Configuration wizard **Object Types** page |`User`|
63
-
| auxiliary object classes for a user in the directory server | Azure portal **Provisioning** page attribute mappings | No additional auxiliary classes required|
63
+
| auxiliary object classes for a user in the directory server | Azure portal **Provisioning** page attribute mappings | No auxiliary classes are used in this example|
64
64
| attributes to populate on a new user | Configuration wizard **Select Attributes** page and Azure portal **Provisioning** page attribute mappings |`msDS-UserAccountDisabled`, `userPrincipalName`, `displayName`|
65
65
| naming hierarchy required by the directory server | Azure portal **Provisioning** page attribute mappings | Set the DN of a newly created user to be immediately below `CN=CloudUsers,CN=App,DC=Contoso,DC=lab`|
66
66
| attributes for correlating users across Azure AD and the directory server | Azure portal **Provisioning** page attribute mappings | not configured as this example is for an initially empty directory |
67
67
| deprovisioning behavior when a user goes out of scope in Azure AD |Configuration wizard **Deprovisioning** page | Delete the user from the directory server |
68
68
69
69
The network address of a directory server is a hostname and a TCP port number, typically port 389 or 636. Except where the directory server is co-located with the connector on the same system, or you're using network level security, the network connections from the connector to a directory server need to be protected using SSL or TLS. The connector supports connecting to a directory server on port 389, and using Start TLS to enable TLS within the session. The connector also supports connecting to a directory server on port 636 for LDAPS - LDAP over TLS.
70
70
71
-
You'll need to have an identified account for the connector to authenticate to the directory server already configured in the directory server. This account is typically identified with a distinguished name and has an associated password or client certificate. To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions within the directory's access control model. The connector needs write permissions to be able to export, and read permissions to be able to import. Permission configuration is performed within the management experiences of the target directory itself.
71
+
You'll need to have an identified account for the connector to authenticate to the directory server already configured in the directory server. This account is typically identified with a distinguished name and has an associated password or client certificate. To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions within the directory's access control model. The connector needs to have **write** permissions to be able to export, and **read** permissions to be able to import. Permission configuration is performed within the management experiences of the target directory itself.
72
72
73
-
A directory schema specifies the object classes and attributes that represent a real-world entity in the directory. The connector supports a user being represented with a structural object class, such as `inetOrgPerson`, and optionally additional auxiliary object classes. In order for the connector to be able to provision users into the directory server, you will need to configure mappings from Azure AD to all of the mandatory attributesof the structural object classand the mandatory attributes of any auxiliary object classes. In addition, you will likely also configure mappings to some of the optional attributes of these.
73
+
A directory schema specifies the object classes and attributes that represent a real-world entity in the directory. The connector supports a user being represented with a structural object class, such as `inetOrgPerson`, and optionally additional auxiliary object classes. In order for the connector to be able to provision users into the directory server, during configuration in the Azure portal you will define mappings from the Azure AD schema to all of the mandatory attributes. This includes the mandatory attributes of the structural object class, any superclasses of that structural object class, and the mandatory attributes of any auxiliary object classes. In addition, you will likely also configure mappings to some of the optional attributes of these classes.
74
74
75
75
The directory hierarchy rules implemented by a directory server describe how the objects for each user relate to each other and to existing objects in the directory. In most deployments, the organization chose to have a flat hierarchy in their directory server, in which each object for a user is located immediately below a common base object. For example, if the base distinguished name for the naming context in a directory server is `dc=contoso,dc=com` then a new user would have a distinguished name like `cn=alice,dc=contoso,dc=com`. However, some organizations may have a more complex directory hierarchy, in which case you'll need to implement the rules when specifying the distinguished name mapping for the connector. For example, a directory server may expect users to be in organizational units by department, so a new user would have a distinguished name like `cn=alice,ou=London,dc=contoso,dc=com`. Note that since the connector does not create intermediate objects for organizational units, any intermediate objects the directory server rule hierarchy expects must already exist in the directory server.
76
76
@@ -154,7 +154,7 @@ If you do not already have a directory server, and wish to try out this feature,
154
154
13. On the **Full Import** page, leave the defaults and click **Next**.
155
155
14. On the **Object Types** page, fill in the boxes and select **Next**.
156
156
-**Target object**: This object is the target object in the LDAP directory.
157
-
-**Anchor**: This values of attribute should be unique for each object in the target directory. The Azure AD provisioning service will query the ECMA connector host by using this attribute after the initial cycle. You must be using agent version 1.1.846.0 or above for ObjectGUID to work as the anchor.
157
+
-**Anchor**: The values of this attribute should be unique for each object in the target directory. The Azure AD provisioning service will query the ECMA connector host by using this attribute after the initial cycle. You must be using agent version 1.1.846.0 or above for ObjectGUID to work as the anchor.
158
158
-**Query Attribute**: This attribute should be the same as the Anchor.
159
159
-**DN**: The distinguishedName of the target object.
0 commit comments