
Corendal Directory Frequently Asked Questions

See also: Frequently Asked Questions common to all applications


The daily directory batch doesn't work !

You need to specify the ldaprootnode parameter in your batch. For example, in the code of ActiveDirectoryExpirationReminderBatch.java, you find:

       this.LDAPRootNote = options.get("ldaprootnode");


So instead of

%JAVA_HOME%\bin\java -classpath %CLASSPATH% %BATCH_UTIL% %JAVA_BATCH_2% "-webapppath=%DIRECTORY_APP_HOME%" "-xmldbconfigfile=%XML_DB_CONFIG_FILE%"

use

%JAVA_HOME%\bin\java -classpath %CLASSPATH% %BATCH_UTIL% %JAVA_BATCH_2% "-webapppath=%DIRECTORY_APP_HOME%" "-xmldbconfigfile=%XML_DB_CONFIG_FILE%" "-ldaprootnode=dc=mysubdomain,dc=mydomain,dc=com"


You would expect the batch to find this configuration item by itself, but it doesn't, for no good reason.

What does each daily batch do ?

Here is a short description of each batch:

set JAVA_BATCH_1=com.corendal.netapps.framework.helpdesk.batches.PasswordChangeReminderBatch

Reminds users to change their passwords the day before they expire. It only applies to users with the role "Account Password Reminder" and without the role "Account No Password Reminder". You can assign these roles by organizational unit. Reduces the number of calls to the help desk from users who never change their password. Also useful for users who never log on to Windows and so don't know about the looming expiration.


set JAVA_BATCH_2=com.corendal.netapps.directory.batches.ActiveDirectoryExpirationReminderBatch


Reminds managers that accounts they manage will expire in 7 days. It only applies to users with the role "Account Expiration Reminder". You can assign this role by organizational unit. Very useful when you hire contractors and the contract is about to come to an end. You want the manager to know that he is responsible for notifying the help desk if the contract has been extended.


set JAVA_BATCH_3=com.corendal.netapps.framework.helpdesk.batches.FindPasswordDoesntExpireAccountsBatch


Puts all users that have a "No password expiration" policy in a group designated with the "Group Password Doesn't Expire to Audit" role. If the user has the role "Group Password Doesn't Expire Already Audited", it won't be moved. Very useful for security audits.


When you run these batches as a test, make sure you disable the email batch. Emails will be queued in the email table instead.


How does Corendal Directory map fields in forms to fields in Active Directory ?

Configuration files in the directory/WEB-INF/configs/directorydevconfig/datasources/ldapsource/activedirectory/nodes and directory/WEB-INF/configs/directorydevconfig/datasources/ldapsource/globalcatalog/nodes directories designate each Active Directory field used. You can modify these files to modify the mappings.


How can I customize the list of employee types ?

Modify the directory/WEB-INF/configs/directorydevconfig/setups/employeetypes.xml file and restart the application.


How can I move accounts/contacts from one organizational unit to another organizational unit ?

To move one account from one OU to another, use the Administration tab. To add OUs to the drop down, add an account template for that OU.

To move several accounts at a time, use the IT wizard accessible from the references menu.

Where can I find the description of each system role ?

The roles.xml file contains a brief plain-English description of each role defined in the system.

Users get prompted for a username and login twice.

Your NTLM settings are probably incorrect. First, you need to know that Corendal Directory only works with NTLM v1. It doesn't support NTLM v2. All NTLM settings are in the jcifs.properties file. To disable NTLM altogether, change the IP address settings in the applications.xml file.

Here are troubleshooting instructions I received from a fellow contributor:
  • Check that the application URL (e.g., http://directory.company.com) is in the Local Intranet sites of Internet Explorer, or if using Firefox, in the network.automatic-ntlm-auth.trusted-uris key of the about:config page
    • In Internet Explorer, click Internet Options in the Tools menu
      • In the Security tab, click Local Intranet -> Sites -> Advanced and add http://directory.company.com. Click OK
      • Close and re-open Internet Explorer
    • In Firefox, type about:config in the Address Bar and press Enter. When prompted, click "I'll be careful, I promise!".
      • In the filter, type ntlm and click Enter
      • Double-click the network.automatic-ntlm-auth.trusted-uris key and enter http://directory.company.com. If this field is not empty, separate this site from other sites with a comma. Click OK
      • Close and re-open Firefox
  • If using Windows 7 or above, enable NTLM v1 in the local computer
    • Go to the Start menu and type regedit, then right-click Regedit.exe and click Run as Administrator
    • Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
    • Right-click on the LSA key and select New -> DWORD (32-bit) value
    • Change the name to LMCompatibilityLevel and press Enter
    • Double-click on the LMCompatibilityLevel entry, and enter 0 under Value data. Click OK and close the Registry Editor
    • Restart the computer


How does Corendal Directory decide in which Organizational Unit a new account will be ?

Corendal Directory uses account templates during the creation of new accounts. A new account will be in the same Organizational Unit as the template account it was based upon.

You can use any account as a template, or set up a list of template accounts by assigning the "Account Template" role. If you have several Organizational Units, create one template for each. Template accounts can be used whether those accounts are enabled or disabled.

I am trying to restrict access to Corendal Directory to an Organizational Unit. How do I do this ?

First, grant yourself the "Account Access Allowed" role using the "Admin > System Accounts & Groups" screen. You don't want to kick yourself out of the site just because you didn't enter the right settings.

Then use the "Admin -> System LDAP controls" screen and assign the role "Account Access Allowed" to the Organizational Unit of your choice. Enter the full path of the Organizational Unit, not just the name.

If you want to deny access to a particular Organizational Unit, use the "Account Access Denied" role.

You can assign the same role to several Organizational Units. You also have the option to grant or deny access by groups instead of Organizational Units, or even individually.


Everything works except creating accounts and resetting passwords.

The creation of accounts is performed internally in three steps: the account is created in a disabled state, then the password is set, then the account is enabled. If setting the password doesn't work, you will not be able to create accounts: all new accounts will be disabled without a password.

In many cases, the Active Directory server will refuse to set a password if the complexity of that password is too low. Ask your Active Directory administrator for the current complexity rules. Make sure you follow those rules while creating accounts or resetting passwords.

Secure LDAP is used between the web application server and the Active Directory server to perform password resets.
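The three-step sequence above, replayed offline as an added Python illustration; it is not Corendal Directory's Java code. The userAccountControl flags and the quoted UTF-16LE unicodePwd encoding are standard Active Directory behaviour, while the function names, the sample DN and login, and the simplified default complexity rule are assumptions made for this example.

```python
import re

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled
UF_NORMAL_ACCOUNT = 0x0200  # userAccountControl flag: ordinary user account

def encode_unicode_pwd(password):
    """Active Directory takes unicodePwd as the quoted password in UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def meets_default_complexity(password, login, min_length=7):
    """Simplified Windows default rule (assumption; ask for your domain's)."""
    if len(password) < min_length:
        return False
    if len(login) >= 3 and login.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, password)) for c in classes) >= 3

def plan_creation(dn, login, password):
    """The three directory operations, in the order the page describes."""
    disabled = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 514
    enabled = UF_NORMAL_ACCOUNT                       # 512
    return [
        ("add", dn, {"objectClass": "user", "sAMAccountName": login,
                     "userAccountControl": str(disabled)}),
        ("modify", dn, {"unicodePwd": encode_unicode_pwd(password)}),
        ("modify", dn, {"userAccountControl": str(enabled)}),
    ]

def simulate(dn, login, password):
    """Replay the plan against a stand-in server that enforces the rule above."""
    account = {"exists": False, "has_password": False, "enabled": False}
    for operation, _, attrs in plan_creation(dn, login, password):
        if operation == "add":
            account["exists"] = True
        elif "unicodePwd" in attrs:
            if not meets_default_complexity(password, login):
                break  # password refused, so the enable step never runs
            account["has_password"] = True
        else:
            flags = int(attrs["userAccountControl"])
            account["enabled"] = (flags & UF_ACCOUNTDISABLE) == 0
    return account

# Constructed sample values.
SAMPLE_DN = "CN=Jane Doe,OU=Contractors,DC=example,DC=com"
print(simulate(SAMPLE_DN, "jdoe", "Winter2024!"))
print(simulate(SAMPLE_DN, "jdoe", "password"))
```

A rejected password leaves exactly the symptom described above: the account exists, but it is disabled and has no password.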


Can I add additional fields just by configuring XML files ?

No. You'll have to modify the code. However, most of the code to show Active Directory accounts is in AbstractActiveDirectoryAccountEntryBlock.java. Most of the code to retrieve values from Active Directory accounts is in AbstractActiveDirectoryAccount.java and the associated ActiveDirectoryAccount interface. It's only three classes to modify.

Users can only edit their "fax number" and "home phone number". Is there any provision to change other fields such as Department, Office and Company ?
 
There are several levels of editing privileges. If you grant a user the Administrator role, this user can edit all attributes. Use the Admin > Accounts and Groups Monitor screen to grant access rights. There are several other fine-grained roles defined, such as Limited Account Editor and General Account Editor. The file roles.xml defines all roles.
 
For office and room numbers, there is a role Active Directory Room Administrator already defined.
 
If you want to grant all users access to other fields without assigning roles already defined, you'll need to modify the code. The class to modify is AbstractActiveDirectoryAccountEntryBlock.java. Fields that can't be edited are disabled using the setPrintOnly method.
 
 
Does Corendal Directory work with Windows Server 2008 ?
 
Yes
 
I get java.security.AccessControlException: access denied (java.security.SecurityPermission insertProvider.SunJSSE) when I start the application server.
 
You need to add a permission line to your Apache Tomcat conf/catalina.policy file.
 
grant {
...
permission java.security.SecurityPermission "insertProvider.SunJSSE";
...
};

This problem has been reported with Ubuntu distributions only.

Corendal Directory doesn't detect when accounts are locked.

Verify the value you put in the applications.xml file:

<property name="framework.core.activedirectoryaccountlockout.duration">
    0
</property>

framework.core.activedirectoryaccountlockout.duration indicates the number of minutes an account is locked after too many incorrect login attempts.

Also, make sure that your Active Directory domain controller and the application server hosting Corendal Directory are synchronized. The time on your domain controller and the time on your application server must be the same: your domain controller and your application server don't need to be in the same time zone, but their UTC+0 time must be identical.

The current time on the application server is displayed at the bottom of each page generated by Corendal Directory. 
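Why the two clocks must agree in UTC but not in time zone, as an added Python illustration that is not Corendal Directory's code. It assumes the application decides "locked" by comparing Active Directory's lockoutTime attribute (100-nanosecond ticks since 1601-01-01 UTC) plus the configured duration against its own clock; the function names and the scenario values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def utc_to_filetime(moment):
    """Timezone-aware datetime -> 100-nanosecond ticks since 1601-01-01 UTC."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10

def filetime_to_utc(ticks):
    """lockoutTime-style tick count -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def seen_as_locked(lockout_time, duration_minutes, server_clock):
    """Assumed check: the lock is visible only while the application server's
    clock reads a time inside [lockout, lockout + duration)."""
    if lockout_time == 0:  # 0 means the account is not locked
        return False
    locked_at = filetime_to_utc(lockout_time)
    unlocks_at = locked_at + timedelta(minutes=duration_minutes)
    return locked_at <= server_clock < unlocks_at

# Constructed scenario: the domain controller locks the account at 12:00 UTC,
# the duration is 30 minutes, and the page is viewed two minutes later.
LOCKED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_TIME = utc_to_filetime(LOCKED_AT)
DURATION_MINUTES = 30
UTC_MINUS_8 = timezone(timedelta(hours=-8))

def scenarios():
    """Same lock, three application-server clocks."""
    true_now = LOCKED_AT + timedelta(minutes=2)
    readings = {
        "in sync, different time zone": true_now.astimezone(UTC_MINUS_8),
        "server clock 5 minutes slow": true_now - timedelta(minutes=5),
        "server clock 40 minutes fast": true_now + timedelta(minutes=40),
    }
    return {label: seen_as_locked(LOCKOUT_TIME, DURATION_MINUTES, clock)
            for label, clock in readings.items()}

for label, locked in scenarios().items():
    print(label, "->", "locked" if locked else "not detected")
```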

The Exchange and Communicator attributes that are populated when a user is created do not reflect the login and email address of the new account. What is wrong ?

Check the login and email address values that are embedded in the Exchange and Communicator attributes of your template account. These values must match the login and email address of that template account. They must be entirely in lowercase or entirely in uppercase; do not use mixed case.

How can I change the rules used to assign a login and email address to new accounts ?

You'll need to customize the AbstractAccountPickManager class in the com.corendal.netapps.framework.core.managers package. The two methods to customize are getLoginPick and getEmailAddressPick.

Does Corendal Directory offer auto provisioning/de-provisioning of objects such as Identity Lifecycle Management streams ?

Corendal Directory does have features that belong to the identity life cycle sphere:

1/ a "Personnel File Import" screen allows the reconciliation of account and HR data, including the automatic discovery of new accounts.

2/ an "Account File import wizard" screen allows mass updates of many account attributes, through three simple steps: export to Excel, edit in Excel, import back into AD.

3/ all updates are logged, with the type of update, date, IP address and login of the person performing the update. These logs are accessible from the Admin > Entry Logs menu. The person performing a mass update through the "Personnel File Import" or "Account File import wizard" screens also receives a log of each modification made through that import, with "before" and "after" values specified.

4/ modifications that have a security impact (create an account, disable an account, unlock an account, remove an account, change an email address, modify group memberships, etc.) can also be logged in the form of emails sent to the recipient of your choice, such as an archived mailing list for external auditing purposes.

 

Does Corendal Directory also manage Computers in Active Directory ?

No. This feature has been requested by a few people, but is not included yet. There is no immediate plan to add this feature at this time. You are welcome to communicate your requirements regarding the management of computers as I have little knowledge of the standard needs for that feature.