I've managed to successfully integrate my CIAC lab installation with my AD server (also lab environment) but there's still one item I don't understand:
I'm able to log in to the portal with any of the users previously registered at the AD server but ONLY under the following conditions:
- The user is part of a department;
- That department has the same name as one of the Organization Units already created at the portal.
- In my portal, I have an Organization Unit called 'Sales'.
- In the AD server, I have a user called 'ciac' which must have 'Sales' set as his 'department'. The 'department' field is mapped to the Home Organization Unit in the portal. That works fine.
- So, I can log in to the portal with that 'ciac' user. Its home OU will be 'Sales'.
- I can't log in to the portal if that 'department' at the AD server is different from any of the Organization Units already registered at the portal.
But what if I'm performing a totally fresh install at a customer where a large AD server is operational, full of users and 'departments' that shall be imported into an empty CIAC (by empty, I mean no regular users or OUs)? Is there any 'import' feature?
Right, the behavior you're describing is by design in IAC. A prerequisite to onboarding a new user is having an IAC Organization present and corresponding to the user's AD department. Have a look at Chapter 1 "Directory Integration and API" of the Cisco Service Portal 9.4 Integration Guide for a description of how to perform this type of directory import.
So, the configuration document states - and you guys correctly confirm - that nsapiuser shall be added to the Cloud Provider Technical Administrator security group, which is created for the sake of system roles, from what I can understand.
Consider that nsapiuser has been added to that security group.
But when mapping portal and AD values, we create the following relationship:
- Home Organizational Unit maps to #department AD key
- Role List maps to #memberOf AD key
Role List is correctly mapped and filled, but Home Organizational Unit isn't. I can't log in if that field is empty.
So, at the AD side, do I have to manually add the name of my CPTA org to the "department" field of that user?
Thanks for all your support.
Thanks to all the answers so far. I managed to turn this feature on and let users log in. A question remains:
There's a topic in the manual (configuration guide) that tells me to add the Site Administrator role to nsapiuser. Once I'm managing users through AD, shouldn't I add that role the "AD way"? If that's correct, shouldn't I create a security group called Site Administrator, in addition to the other 6 already mentioned in the documentation?
Yes, you should.
You might need to end up doing something like I've just done:
Expression value for Home OU:
expr:#department#--#sAMAccountName#=(^.*--REXUSER|^.*--NSAPIUSER|^(.+)--.+)?(Site Administration|Cloud Provider Technical Administrator|#department#):Unknown
The value to check: #department#--#sAMAccountName#
This combines the two User attributes needed to make the decision:
1) the attribute containing the Organization Unit, "extensionAttribute10"
2) the login ID
The following tests are then made against the value to check:
IF ^.*--REXUSER //If this is the REX User, extAttr10 can be blank or present.
THEN Site Administration
ELSE IF ^.*--NSAPIUSER //If this is the NSAPI User, extAttr10 can be blank or present.
THEN Cloud Provider Technical Administrator
ELSE IF ^(.+)--.+ //If this is any non-empty extAttr10, any non-empty login
ELSE //If there is no extAttr10
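To try the rule above on sample values before deploying it, here is an added Python model of its IF/ELSE chain (not code from the thread or from Cisco). The expression engine's matching mode is assumed: the model evaluates the rule both as a prefix match (as the leading ^ suggests) and as a whole-string match, and the sample users are constructed.

```python
import re

# Added example (not from the thread or from Cisco): a stand-alone model of the
# Home OU expression above, for exercising a rule on sample attribute values
# before deploying it. The engine's matching mode is an assumption; the leading ^
# suggests a prefix match, and full_match=True checks the rule as a whole-string
# match instead (what a trailing $ on each alternative would give).

# The alternatives in the expression's order, each with the result it selects.
# The third one returns the department attribute itself.
ALTERNATIVES = [
    (r"^.*--REXUSER",   lambda dept: "Site Administration"),
    (r"^.*--NSAPIUSER", lambda dept: "Cloud Provider Technical Administrator"),
    (r"^(.+)--.+",      lambda dept: dept),   # non-empty attribute, non-empty login
]
DEFAULT = "Unknown"                            # the ":Unknown" branch


def home_ou(department: str, sam_account_name: str, full_match: bool = False) -> str:
    """Home OU the rule assigns; department is "" when the AD attribute is blank."""
    value = f"{department}--{sam_account_name}"    # the "value to check"
    for regex, pick in ALTERNATIVES:
        hit = re.fullmatch(regex, value) if full_match else re.match(regex, value)
        if hit:
            return pick(department)
    return DEFAULT


def check_rule(full_match: bool = False) -> dict:
    """Evaluate the cases the post describes plus one edge case, keyed by value."""
    cases = [                                      # constructed sample users
        ("",      "REXUSER"),     # REX user, attribute blank
        ("Sales", "NSAPIUSER"),   # NSAPI user, attribute present
        ("Sales", "ciac"),        # ordinary user -> own OU
        ("",      "jdoe"),        # ordinary user, attribute blank -> Unknown
        # Attribute text ending in "--REXUSER": a prefix match selects the first
        # alternative, a whole-string match falls through to the department
        # branch. Confirm which the real engine does before go-live.
        ("Sales--REXUSER", "jdoe"),
    ]
    return {f"{d}--{s}": home_ou(d, s, full_match) for d, s in cases}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"full_match={mode}")
        for value, ou in check_rule(mode).items():
            print(f"  {value!r:25} -> {ou}")
```

The last case is the one worth confirming against the real engine: without an end anchor, the outcome for attribute text that happens to contain "--REXUSER" depends on whether the engine matches a prefix or the whole value.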
Another one on the AD integration:
Any regex for the Role List field in the mapping configuration? When using the regex described in the configuration document and a user is part of other groups, all the groups are returned in a row where items are separated by "::" and the result is that no roles are applied to the user.
Any hints on how to obtain only the groups that represent the roles in the portal? Or at least a hint on how to make those values be returned in a form that represents roles in the portal?
Thanks and sorry for so many questions. I'm trying to fulfill a requirement from a real customer.