Looking around the domain
RootDSE and Schema
Show account attributes
Turn on advanced features in "Users and Computers":
Active Directory Users and Computers -> View -> Advanced Features (check)
Edit the user's properties. There will be an "Attribute Editor" tab that shows an LDAP-like view of the user.
Grant access rights to idmadmin user
Active Directory Users and Computers -> expand the domain -> right click on "Users" -> Delegate Control
Users and groups (principal): idmadmin
Delegate the following common tasks:
- Create, delete and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Create, delete and manage groups
- Modify the membership of a group
- Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)
- Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)
- Read all inetOrgPerson information
Password policy is defined in group policy. Open the "Group Policy Management" tool and navigate to Forest -> Domains -> <domain> -> Group Policy Objects -> Default Domain Policy. Choose the "Settings" tab and see Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies/Password Policy.
Getting LDAP Schema
Search the following DN:
For example, use the ldapsearch command-line tool:
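The usual way to find the schema of an unknown AD domain controller is a base-scope search of the rootDSE (empty base DN) and then a search of the subschemaSubentry or schema naming context it advertises. The following script is an added example, not code from the midPoint documentation: it parses a constructed rootDSE LDIF of the kind ldapsearch prints (handling LDIF line folding and "::" base64 values), checks that the server is really Active Directory by its capability OID, and builds the follow-up ldapsearch commands. The host dc1.example.com, the naming contexts and the idmadmin bind DN are placeholders.

```python
"""Parse rootDSE output from ldapsearch and derive the schema queries.

Added example, not code from the midPoint documentation. ROOTDSE_LDIF is a
constructed sample of what an AD domain controller typically returns;
dc1.example.com, the naming contexts and the bind DN are placeholders.
"""
import base64

# Constructed sample output of:
#   ldapsearch -H ldaps://dc1.example.com -x -D "<bind dn>" -W -s base -b "" "(objectclass=*)"
# It includes a folded line (LDIF wraps long values; a continuation line starts
# with one space) and a base64 value (the "::" form) so the parser handles both.
ROOTDSE_LDIF = """\
# extended LDIF
#
dn:
defaultNamingContext: DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=com
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,
 DC=com
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
dnsHostName:: ZGMxLmV4YW1wbGUuY29t

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# LDAP_CAP_ACTIVE_DIRECTORY_OID, advertised in supportedCapabilities by AD DCs.
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"


def parse_ldif(text):
    """Return LDIF entries as dicts: lower-cased attribute name -> list of values.

    Only entries with a dn line are kept, so the trailing 'search:'/'result:'
    lines that ldapsearch prints after the entries are dropped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:                  # sentinel blank line flushes the last entry
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):              # attr:< file:///... (not needed here)
            continue
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def is_active_directory(rootdse):
    """True when the server advertises the Active Directory capability OID."""
    return AD_CAPABILITY_OID in rootdse.get("supportedcapabilities", [])


def schema_search_commands(rootdse, host, bind_dn):
    """Build the follow-up ldapsearch commands from the rootDSE values.

    The aggregate subschema entry returns RFC 4512 style attributeTypes and
    objectClasses; the schema naming context holds AD's own attributeSchema
    objects with lDAPDisplayName, attributeSyntax and isSingleValued.
    """
    subschema = rootdse["subschemasubentry"][0]
    schema_nc = rootdse["schemanamingcontext"][0]
    common = f'ldapsearch -H ldaps://{host} -x -D "{bind_dn}" -W'
    return {
        "aggregate": f'{common} -s base -b "{subschema}" "(objectclass=*)" '
                     f'attributeTypes objectClasses',
        "attribute_schema": f'{common} -s one -b "{schema_nc}" '
                            f'"(objectClass=attributeSchema)" '
                            f'lDAPDisplayName attributeSyntax isSingleValued',
    }


if __name__ == "__main__":
    root = parse_ldif(ROOTDSE_LDIF)[0]
    print("Active Directory:", is_active_directory(root))
    bind = "CN=idmadmin,CN=Users,DC=example,DC=com"   # placeholder bind DN
    for name, cmd in schema_search_commands(root, "dc1.example.com", bind).items():
        print(f"{name}: {cmd}")
```

Save the real rootDSE output with `ldapsearch ... -s base -b "" "(objectclass=*)" > rootdse.ldif` and feed that file to parse_ldif instead of the constructed sample; the generated commands are then correct for that domain.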
Either install Active Directory Certificate Services (AD CS) using Server Manager ("Add role") or install server certificate manually: https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc
If you install AD CS but, for some reason, the server certificate for DC was not created, you can create it manually.
(I was roughly following https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/ - "Domain Controller - Initial Enrollment" chapter.)
- Open "certlm.msc", or "mmc.exe" with the "Certificates" snap-in, on the Windows 2008 R2 DC. The following is based on "mmc.exe" on Windows 2008 R2.
- Right-click the "Personal" store and select "All Tasks - Request New Certificate". Click "Next" twice until the screen with available templates appears.
- Select the check box next to "Domain Controller", expand the "Details" and click "Properties"
- Click "Subject" tab and select "Alternative name" to be of type "DNS". Enter your server DNS to "Value" input box.
- Click "OK".
- Click the "Enroll" button.
To export the AD CA certificate:
- find "Manage computer certificates" window
- in Personal - Certificates
- in Server Manager select: Roles - AD Certificate Services - Enterprise PKI - (your authority certificate)
- in the right window pane click Properties on your CA Certificate, then click Details and Copy to file...
- select "DER encoded binary X.509 (.CER)" format and save the file.
To import the AD CA certificate to midPoint keystore:
- stop midPoint
- backup $midpoint.home/keystore.jceks
- copy the CA certificate file (e.g. "cacert.cer") to midPoint server
- run the following command: "keytool -import -alias ad-ca -keystore $midpoint.home/keystore.jceks -storetype jceks -file cacert.cer"
- start midPoint
If this does not work, check whether the JVM option -Djavax.net.ssl.trustStore is set to the midPoint keystore; otherwise Java uses its default trust store and never sees the imported CA certificate.
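A common failure at the import step is a file that is not what keytool expects: a Base64 export instead of the DER one selected above, a truncated copy, or a file with extra bytes appended during transfer. The script below is an added example, not part of the midPoint documentation. It normalises the exported CA certificate (DER or PEM) to DER, verifies that the outer DER length matches the file size, computes the SHA-1 fingerprint to compare against the Thumbprint shown in the certificate's Details tab, and prints the keytool command from the steps above with the checked file name filled in. DUMMY_DER is constructed test data, not a real certificate, and the keystore path is taken from the steps above.

```python
"""Sanity-check the exported AD CA certificate before running keytool.

Added example, not part of the midPoint documentation. Accepts the DER
(.CER) file the steps above export, or a Base64/PEM export, rejects
truncated or padded files, and reports fingerprints plus the import command.
DUMMY_DER is constructed test data, not a real certificate.
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed: a DER SEQUENCE containing one INTEGER, enough to exercise the
# framing checks. A real X.509 certificate is also an outer SEQUENCE (0x30).
DUMMY_DER = bytes.fromhex("3004" "02020101")


def pem_encode(der):
    """Wrap DER bytes as PEM ('Base64 encoded X.509' in the Windows export wizard)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def der_total_length(data):
    """Length of the outermost DER element (tag + length bytes + content)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: X.509 certificates start with byte 0x30")
    first = data[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(data):
    """Normalise PEM or DER input to DER and reject truncated or padded files."""
    m = PEM_RE.search(data)
    if m:
        data = base64.b64decode(b"".join(m.group(1).split()))
    total = der_total_length(data)
    if total != len(data):
        raise ValueError(f"DER says {total} bytes but file has {len(data)}: truncated or trailing data")
    return data


def is_intact(data):
    """True when the bytes pass the framing checks in to_der()."""
    try:
        to_der(data)
        return True
    except ValueError:
        return False


def fingerprints(der):
    """SHA-1 matches the Windows Thumbprint (compare ignoring spaces); SHA-256 for records."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def keytool_command(cert_file, keystore, alias="ad-ca"):
    """The import command from the steps above, with the checked file name filled in."""
    return (f"keytool -import -alias {alias} -keystore {keystore} "
            f"-storetype jceks -file {cert_file}")


def check_cert_file(path, keystore="$midpoint.home/keystore.jceks"):
    """Read, normalise and fingerprint a certificate file; return what to compare and run."""
    with open(path, "rb") as f:
        der = to_der(f.read())
    return {"fingerprints": fingerprints(der), "command": keytool_command(path, keystore)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_cert_file(sys.argv[1])       # e.g. python check_cacert.py cacert.cer
        print(result["fingerprints"])
        print(result["command"])
    else:
        print(fingerprints(to_der(pem_encode(DUMMY_DER))))   # demo on constructed bytes
```

Run it against the exported file before stopping midPoint; if the SHA-1 value differs from the Thumbprint in the CA certificate's Details tab, the wrong certificate (or a damaged copy) was exported and the import would only add noise to the keystore.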