Active Directory Tutorial
Added by Asaf Shakarchi, last edited by Asaf Shakarchi on Sep 03, 2008


This tutorial describes how to use Velo with Microsoft Active Directory both as a source of users and as a resource against which Velo performs provisioning and de-provisioning.

Prerequisites

  • An Active Directory domain
    Domain name in tutorial

    This tutorial is based on the domain name "mydomain.com" (dc=mydomain,dc=com).

    Replace the domain name and the DNs with the appropriate values for the targeted Active Directory domain.

  • A Windows 2000/2003 server that is a member of the targeted domain, to host the Windows Gateway component (detailed below)

Velo Server Installation

Please follow the Installation & Configuration Guide for the server installation instructions.

Before proceeding with this tutorial, make sure you can log in to the administrative interface with the default admin/admin credentials. Change that default password as soon as the login works: a provisioning server with a well-known administrator password is a direct route into every resource it manages, Active Directory included.

Installing the Windows Gateway component

The Velo Windows Gateway component is required to connect Velo to Active Directory.
Please follow Installing Windows GW component for the gateway installation instructions.

Define a Reconcile Users Policy

A Resource Reconciliation Policy defines what actions Velo should take when accounts and access groups in a resource are found, deleted or changed.
The objective of this tutorial is to show how Active Directory can be the source of identities (users) in Velo.
We therefore create a resource reconcile policy that creates a new Velo user for each account found in Active Directory under the default "Users" CN.

Here are the steps to define a new reconcile users policy:

  • In the main menu, go to Reconciliation->Resource Reconciliation->Reconcile Policies
  • Press the "Create Reconcile Resource System Policy" button
  • Fill in the details as follows
    • Give the policy a name; it can be any string.
    • Check all the "Reconcile Operations"
    • Under "Unmatched Account Event Action" choose "Create new user based on resource account". This means that any account found during the reconcile process that has no matching Velo user will trigger the creation of a new user in Velo. Use this action only for the resource that is the authoritative source of users in the organization (usually Active Directory or another organizational directory); applied to any other resource it would let whoever can create accounts there create Velo identities.
    • Press the 'Save' button.

Here is a screenshot that may help you out:

Define Active-Directory as a resource

Any external resource that should communicate with Velo for any purpose must be defined as a Resource.

Define the gateway first!

This tutorial assumes that you have already installed and defined a Windows Gateway entry in Velo. If you haven't, go back to the Gateway installation link at the top of this tutorial.

Here are the steps to define Active Directory as a resource:

  • In the main menu, go to: Resources->Resources
  • Press on the "Create Resource" button
    • Specify a Unique Name, Display Name and Description
    • Choose NATIVE_ACTIVE_DIRECTORY as the Type
    • Check the Active option
    • Reconcile Policy: Choose the Reconcile Policy that was defined in the previous step.
    • Gateway: Choose the Windows Gateway entry defined earlier in this tutorial for this Active Directory domain.
    • Press the Save button below
    • Configure the extra specific attributes for the domain

Execute Resource Reconcile

The Velo repository holds the current state of each resource's accounts, access groups and group membership. This allows Velo to determine the availability of accounts, associate accounts with their identity, and so on.

The resource reconciliation process synchronizes the state in the Velo repository with the real, current state of the accounts in the resource.

According to the Resource Reconcile Policy defined above, each new account on our AD resource results in the creation of a User and an Account in the Velo repository;
the process also links the User and Account entities.

This is usually the expected result where AD is the main source of identities in the organization.

Executing resource reconciliation is pretty easy:

  • In the main menu, go to Resources->Resources
  • In the resource table, select the AD resource created above by pressing the select action in the Actions column.
  • Press on the Reconcile Resource Now button

Almost any operation performed against a resource is done asynchronously via Tasks.
Each task contains the details of the operation, its status, execution time and some more parameters.

The administrator can monitor each of the created tasks by navigating to the task list page.
Tasks are executed by the Tasks Scanner every few seconds.

After pressing the Reconcile Resource Now button, Velo should have created two tasks.
You can verify that the two tasks were created:

  • In the main menu, navigate to Tasks->Tasks
  • Find the last two created tasks from the reconciliation execution

In the screenshot above, task number 5 is responsible for fetching the account list, groups and membership from the AD resource; the data is kept in an XML file under VELO_HOME\resources\ADTEST\sync (ADTEST being the name of the resource in that screenshot).

Task number 6 is responsible for reading the XML file and reacting to each event according to the Resource Reconcile Policy attached to the resource.

Wait a few seconds; the status of the tasks should change from PENDING to SUCCESS.

Once both tasks have finished, the AD accounts should, according to the policy defined above, have been synced into the Velo repository as Users and Accounts, with exactly the names stored in AD.
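To make concrete what the two tasks do with the Reconcile Policy from the "Define a Reconcile Users Policy" section, here is an added Python model of a reconcile run. It is example code written for this page, not Velo's own implementation: the snapshot layout, the event names and the sample accounts and groups are constructed for the illustration. It reconciles the same two exports with the tutorial's "create new user" action and then with the default "ignore" action, which shows why the former belongs only on the authoritative user source.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

# Added illustration (not Velo's own code) of how the Reconcile Policy attached
# to a resource turns a fresh account export into events. The snapshot layout,
# event names and the sample accounts/groups are constructed for this example.

class UnmatchedAccountAction(Enum):
    """The "Unmatched Account Event Action" choice in the policy screen."""
    IGNORE = "ignore"
    CREATE_USER = "create new user based on resource account"

@dataclass
class Policy:
    """The three "Reconcile Operations" check boxes plus the unmatched action."""
    reconcile_accounts: bool = True
    reconcile_groups: bool = True
    reconcile_membership: bool = True
    unmatched_account_action: UnmatchedAccountAction = UnmatchedAccountAction.IGNORE

@dataclass
class Repository:
    """Velo's view of one resource: users, accounts linked to them, last seen membership."""
    users: Set[str] = field(default_factory=set)
    accounts: Dict[str, str] = field(default_factory=dict)    # account -> linked user
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members

@dataclass
class Snapshot:
    """Fresh export from the resource (what the fetch task writes to disk)."""
    accounts: Set[str]
    groups: Dict[str, Set[str]]

Event = Tuple[str, str]

def reconcile(repo: Repository, snap: Snapshot, policy: Policy) -> List[Event]:
    """Apply one reconcile run to `repo` in place and return the events raised."""
    events: List[Event] = []
    if policy.reconcile_accounts:
        for name in sorted(snap.accounts - set(repo.accounts)):
            if name in repo.users:
                repo.accounts[name] = name            # user of that name exists: link it
                events.append(("ACCOUNT_LINKED", name))
            elif policy.unmatched_account_action is UnmatchedAccountAction.CREATE_USER:
                repo.users.add(name)                  # authoritative source: account becomes a user
                repo.accounts[name] = name
                events.append(("USER_CREATED", name))
            else:
                # Not recorded, so it is raised again on every run until an
                # administrator creates or links a user for it.
                events.append(("UNMATCHED_ACCOUNT", name))
        for name in sorted(set(repo.accounts) - snap.accounts):
            # Account vanished from the resource; the Velo user is kept here,
            # what happens to it is a separate policy decision.
            del repo.accounts[name]
            events.append(("ACCOUNT_DELETED", name))
    if policy.reconcile_groups:
        for group in sorted(set(snap.groups) - set(repo.groups)):
            events.append(("GROUP_FOUND", group))
        for group in sorted(set(repo.groups) - set(snap.groups)):
            events.append(("GROUP_DELETED", group))
    if policy.reconcile_membership:
        for group, members in sorted(snap.groups.items()):
            known = repo.groups.get(group, set())
            for member in sorted(members - known):
                events.append(("MEMBER_ADDED", f"{member} -> {group}"))
            for member in sorted(known - members):
                events.append(("MEMBER_REMOVED", f"{member} -> {group}"))
    if policy.reconcile_groups or policy.reconcile_membership:
        repo.groups = {g: set(m) for g, m in snap.groups.items()}
    return events

# Constructed sample exports (not a real AD dump): a first run, then a run
# after one person left and a service account appeared in Domain Admins.
AD_POLICY = Policy(unmatched_account_action=UnmatchedAccountAction.CREATE_USER)
FIRST_EXPORT = Snapshot(
    accounts={"jdoe", "asmith"},
    groups={"Domain Users": {"jdoe", "asmith"}, "Domain Admins": {"asmith"}},
)
SECOND_EXPORT = Snapshot(
    accounts={"jdoe", "svc-backup"},
    groups={"Domain Users": {"jdoe", "svc-backup"}, "Domain Admins": {"svc-backup"}},
)

def run_scenario(policy: Policy = AD_POLICY) -> Tuple[List[Event], List[Event], Repository]:
    """Reconcile both exports in order against an empty repository."""
    repo = Repository()
    return reconcile(repo, FIRST_EXPORT, policy), reconcile(repo, SECOND_EXPORT, policy), repo

if __name__ == "__main__":
    first, second, repo = run_scenario()
    for kind, detail in first + second:
        print(f"{kind:18} {detail}")
    print("users:", sorted(repo.users), "linked accounts:", repo.accounts)
```

The first run with the tutorial's policy creates a user per account and records the groups and their members; the second run raises USER_CREATED for the new service account, ACCOUNT_DELETED for the departed one, and one membership event per change, including the new member of Domain Admins, which is the kind of event worth alerting on. With the default "ignore" action the same exports create no users at all; every account is reported as UNMATCHED_ACCOUNT on every run until an administrator resolves it.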

Why are the tasks kept in 'PENDING' status and not executed?

As mentioned, Velo tasks are executed by the Tasks Scanner. Starting the tasks scanner is simple:

  • In the main menu, navigate to Misc->Scanner List
  • Locate the Task Scanner and press on the "Active Scanner" button.

You can validate that the users and accounts were created as follows:

  • In the main menu, navigate to: Identities->Accounts
  • In the "Resource" search parameter select the AD resource created above and press the "Search" button.
  • A table should display all synced accounts from the last resource reconcile process.

Disabling & Enabling an AD account

You can easily test some operations against AD accounts.
Enabling and disabling accounts is straightforward:

  • In the main menu, navigate to: Identities->Accounts
  • In the "Resource" search parameter select the AD resource created above and press the "Search" button.
  • Select one (or more) of the displayed accounts and press the "Disable Selected Account(s)" button.

This action generates one task per disabled account; as mentioned before, you can track the tasks on the Task List page.

Wait a few seconds and then check Active Directory itself to make sure that the selected account(s) were disabled: a disabled AD account has the ACCOUNTDISABLE bit (0x2) set in its userAccountControl attribute. Do not rely on the task status alone.

You can now perform the opposite action and enable the disabled accounts by pressing the "Enable selected account(s)" button.
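Checking in Active Directory itself, rather than trusting the task status, is the step worth automating here. The added Python below is example code written for this page, not part of Velo or of the Windows Gateway; the LDIF in it is constructed to look like the result of an LDAP query for sAMAccountName and userAccountControl on the Users container. It decodes the userAccountControl bitmask and reports, for each account Velo believes it disabled, whether AD agrees, whether the account is still enabled, or whether it cannot be found at all.

```python
from typing import Dict, Iterable, List, Tuple

# Added illustration for verifying a Velo "Disable Selected Account(s)" task
# against Active Directory. Not Velo's own code; the LDIF and account names
# below are constructed for this example.

# Flags of the userAccountControl attribute (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}
UF_ACCOUNTDISABLE = 0x0002

def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal LDIF reader returning {sAMAccountName: {attribute: value}}.
    Handles only single-valued, plain (non-base64) attributes, which is all
    this check needs; entries without sAMAccountName are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if "sAMAccountName" in current:
                entries[current["sAMAccountName"]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    return entries

def verify_disabled(expected_disabled: Iterable[str], ldif: str) -> List[Tuple[str, str]]:
    """For each account Velo reports as disabled, state what AD actually says."""
    entries = parse_ldif(ldif)
    findings: List[Tuple[str, str]] = []
    for name in sorted(expected_disabled):
        entry = entries.get(name)
        if entry is None:
            findings.append((name, "NOT_FOUND_IN_AD"))
            continue
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UF_ACCOUNTDISABLE:
            findings.append((name, "DISABLED"))
        else:
            # The disable task may still be PENDING or have failed, or the
            # account was re-enabled in AD behind Velo's back: it can log on.
            findings.append((name, "STILL_ENABLED"))
    return findings

# Constructed LDIF in the shape a domain controller returns (not a real dump).
SAMPLE_LDIF = """\
dn: CN=John Doe,CN=Users,DC=mydomain,DC=com
sAMAccountName: jdoe
userAccountControl: 514

dn: CN=Alice Smith,CN=Users,DC=mydomain,DC=com
sAMAccountName: asmith
userAccountControl: 66048

dn: CN=svc-backup,CN=Users,DC=mydomain,DC=com
sAMAccountName: svc-backup
userAccountControl: 66082
"""

# Accounts on which the "Disable Selected Account(s)" button was pressed (constructed).
VELO_SAYS_DISABLED = ["jdoe", "asmith", "bwayne"]

def run_check() -> List[Tuple[str, str]]:
    return verify_disabled(VELO_SAYS_DISABLED, SAMPLE_LDIF)

if __name__ == "__main__":
    for name, state in run_check():
        print(f"{name:12} {state}")
    for name, entry in parse_ldif(SAMPLE_LDIF).items():
        print(name, decode_uac(int(entry["userAccountControl"])))
```

Feed it a real LDIF export of the Users container and the list of accounts you just disabled in Velo. A STILL_ENABLED finding means the disable task has not taken effect (check its status on the Task List page) or someone re-enabled the account in AD after Velo disabled it; NOT_FOUND_IN_AD means Velo's repository and the directory have drifted and a resource reconcile is due. The decoded flags are also worth a glance: the constructed svc-backup entry carries PASSWD_NOTREQD, which a disable does not remove.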

Browse Users

After performing the reconciliation against the AD resource above, the AD users should be available in the Velo repository.
You can browse the users by:

  • In the main menu, navigate to: Identities->Users
  • Browse the users table

Here's a screenshot:

Synchronize Identity Attributes

TO-DO

Create a simple Role

Add the Role to a certain User

TO-DO

Troubleshooting

If you encounter an error, please refer to Velo Troubleshooting first.
If you can't find an answer there, check out the Getting Support page.
