Using IIJ Flex Mobility Service/ZTNA

This section describes examples of how to use IIJ Flex Mobility Service/ZTNA.


With IIJ Flex Mobility Service/ZTNA, the user group of a VPN-connected user can be switched automatically according to the group to which that IIJ ID user belongs.
In addition, by using Directory Sync, you can drive this user-group movement from the user and group information held in Active Directory.


As an example, to move user groups in IIJ Flex Mobility Service/ZTNA based on the "FXZ Users" group, perform the following operations.

  1. In IIJ Flex Mobility Service/ZTNA, configure the settings that move user groups according to membership of the "FXZ Users" group.
  2. Add the users to the "FXZ Users" group in Active Directory.
  3. Include the "FXZ Users" group in the synchronization target of Directory Sync so that it is synchronized to the IIJ ID.


[ Reference ]

The following configuration files are provided as reference examples. Configure actual settings in accordance with your environment.

config.yml sample

log:
  loglevel: info

ad:
  ldap:
    server:
      addresses:
        - 127.0.0.1
      user: 'CN=administrator,CN=Users,DC=example,DC=jp'
    base_dn: 'DC=example,DC=jp'
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the filter matches
    # users and groups that are members of the named group directly or through nesting
    filter:
      user: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=jp'
      group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=jp'

iid:
  scim:
    http:
      proxy:
        use: true
        address: proxy.example.jp
        port: 8080
        user: iij-taro
    attribute:
      user:
        default:
          emails:
            - primary: true
        ad_bind:
          externalId: userPrincipalName
          userName: userPrincipalName
          active:
            - userAccountControl
            - accountExpires
          emails:
            - value: mail
      group:
        ad_bind:
          externalId: objectGUID
          displayName: name

secret.yml sample

ad:
  ldap:
    server:
      password: ldap_password

iid:
  scim:
    token: scim_token
    http:
      proxy:
        password: proxy_password
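To make the ad_bind mappings in the config.yml sample concrete, the following added example (illustrative code, not Directory Sync's own implementation) shows how the bound Active Directory attributes become a SCIM user and group. It assumes the standard AD meaning of userAccountControl (the ACCOUNTDISABLE bit) and accountExpires (a FILETIME, with 0 or 0x7FFFFFFFFFFFFFFF meaning no expiry) when deriving active; the sample entries and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone
import uuid
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock for reproducibility
# Standard AD semantics, assumed here for deriving SCIM "active" from the two bound attributes
ACCOUNTDISABLE = 0x0002                  # userAccountControl flag: account is disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values that mean "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def is_active(user_account_control: int, account_expires: int, now: datetime = NOW) -> bool:
    """active = account not disabled AND (no expiry OR expiry still in the future)."""
    if user_account_control & ACCOUNTDISABLE:
        return False
    if account_expires in NEVER_EXPIRES:
        return True
    return filetime_to_datetime(account_expires) > now

def to_scim_user(entry: dict, now: datetime = NOW) -> dict:
    """User ad_bind from config.yml: userPrincipalName -> externalId/userName,
    userAccountControl + accountExpires -> active, mail -> emails (primary from default)."""
    upn = entry["userPrincipalName"]
    return {
        "externalId": upn,
        "userName": upn,
        "active": is_active(int(entry["userAccountControl"]), int(entry["accountExpires"]), now),
        "emails": [{"value": entry["mail"], "primary": True}],
    }

def to_scim_group(entry: dict) -> dict:
    """Group ad_bind: objectGUID (16 raw LDAP bytes) -> externalId, name -> displayName."""
    return {"externalId": str(uuid.UUID(bytes_le=entry["objectGUID"])), "displayName": entry["name"]}

# Constructed sample directory entries (not real accounts)
SAMPLE_USERS = [
    {"userPrincipalName": "taro@example.jp", "mail": "taro@example.jp",
     "userAccountControl": 512, "accountExpires": 0x7FFFFFFFFFFFFFFF},  # enabled, never expires
    {"userPrincipalName": "disabled@example.jp", "mail": "disabled@example.jp",
     "userAccountControl": 514, "accountExpires": 0},                    # ACCOUNTDISABLE set
    {"userPrincipalName": "expired@example.jp", "mail": "expired@example.jp",
     "userAccountControl": 512,
     "accountExpires": datetime_to_filetime(datetime(2024, 6, 30, tzinfo=timezone.utc))},
]
SAMPLE_GROUP = {"objectGUID": bytes(range(16)), "name": "FXZ Users"}
```

A user that is disabled or past its expiry date is provisioned with active set to false rather than being omitted, so the corresponding IIJ ID account is deactivated instead of silently left untouched.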