AuthMan, Sync Groups to Active Directory

How to mark AuthMan groups for syncing to Active Directory

As a groups registry, AuthMan's powerful Grouper software can provision groups externally, but it does not sync any groups by default.

AuthMan provides a basic provisioning mechanism to push your AuthMan access policy groups as regular LDAP groups in the UOFI Active Directory. This is the preferred method for group authorization enforcement, particularly for services that are configured to use Shibboleth authentication or direct LDAP authentication.

Configure Groups to Sync

  • Anyone that is a delegated "org" or "app" folder admin has the ability to mark groups for sync. 
  • It is recommended to set the sync attributes on the folder once, so that any groups created within that folder are automatically synced.
  • Steps to configure:
    1. Navigate to the folder that you want to assign to sync.
    2. Click on the More Actions button in the upper right to expand the menu.
    3. Select Attribute Assignments
    4. Click the orange +Assign Attribute button
    5. In the attribute name box, type etc:pspng:provision_to (it should auto-complete as you begin to type.)
    6. Click the Save button to set the attribute field to the folder.
    7. In the list of assigned attributes, click the Actions button to the right of the "provision_to" attribute.
    8. Select Add Value
    9. Enter the string exactly as uofi_urbana which corresponds to the provisioner to the AuthMan OU. 

Group Syncing Considerations

  • By default, all AuthMan groups configured for sync are synced beneath OU=AuthMan,OU=Urbana. All folder admins are given read-only access to the AuthMan OU. Normal domain users cannot see the AuthMan OU.

  • Syncing from AuthMan to AD will be “flat”. That means that synced group in AD will consist of only the direct and indirect members of the group. If you are syncing a nested group, you will NOT see the nested group IDs in the synced AD group.

  • Your AuthMan’s group ID (not the group name) will be synced to AD as the cn and the samAccountName.  By default, the AuthMan group name and ID are the same but you have the ability to edit the AuthMan group ID.  If you do so and your group name and group ID are different, please make sure that you’re looking for the group ID and not the group name in AD.

  • GID numbers are automatically assigned to all groups in AuthMan with a value between 10000 and 99999, and are set in AD in the gidNumber attribute.

  • Once your group is synced to AD, you may use it to access resources in AD, like any other AD group.

  • Syncing will be faster if you create your group and add members before you sync it to AD.

  • If you delete your group in AuthMan, that group will be deleted entirely in AD.

  • If you rename your group in AuthMan (and change the group ID), that group will be deleted and recreated in AD.  That is, the group object GUID in AD will change.

  • Allow at least 15 minutes for changes that you make in AuthMan to be reflected in AD.

  • A full sync of the entire set of groups happens every 6 hours at 00:00, 06:00, 12:00 and 18:00.

Important Note About Privacy!

  • Any group you sync to AD will be visible to anyone with read-only privileges on the AuthMan OU (other folder admins). If you have a special requirement for securing group membership, contact AuthMan services managers at auth-man@illinois.edu.



Keywords:authorization manager authman grouper active directory ad sync groups psp pspng provision authz ldap   Doc ID:93601
Owner:Erik C.Group:University of Illinois Technology Services
Created:2019-08-05 21:42 CSTUpdated:2019-08-07 09:13 CST
Sites:University of Illinois Technology Services
Feedback:  0   0