Works well, but there are some drawbacks.
Connector: Polygon LDAP connector.
Connector configuration example: see the 389 Directory Server Configuration page.
The 389ds has a very convenient attribute, nsUniqueId, that is an attractive choice for the account primary identifier, and this mostly works. But it does NOT work for changelog-based live synchronization. Delete deltas in the changelog do NOT carry the nsUniqueId attribute. Because the original entry is already deleted by the time the delta is processed, the connector cannot translate the DN of the deleted entry to an nsUniqueId, and the delete delta will not work.
Workaround: change primary account identifier to
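To make the changelog problem concrete, here is an added simulation (not midPoint, connector or 389ds code) that turns retro changelog records into sync deltas, first with nsUniqueId as the primary identifier and then with the DN, which the changelog record itself carries; the directory contents, the changelog records and the nsUniqueId value are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: the directory as the connector sees it while reading the
# changelog, and two retro changelog records. The deleted entry (uid=bob) is gone
# from the directory, so only its DN survives in the changelog record.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "nsUniqueId": "0b1c2d3e-4f506172-8394a5b6-c7d8e9f0",  # constructed value
        "uid": "alice",
    },
}
CHANGELOG: List[Dict[str, str]] = [
    {"changeNumber": "101", "changeType": "add",
     "targetDn": "uid=alice,ou=people,dc=example,dc=com"},
    {"changeNumber": "102", "changeType": "delete",
     "targetDn": "uid=bob,ou=people,dc=example,dc=com"},
]

@dataclass
class SyncDelta:
    change_number: int
    change_type: str
    target_dn: str
    identifier: Optional[str]  # None: the primary identifier could not be resolved

def resolve_identifier(dn: str, id_attribute: str) -> Optional[str]:
    """Return the primary identifier for the entry at dn, or None when resolving
    it needs a live entry that no longer exists (the delete delta case)."""
    if id_attribute.lower() == "dn":
        return dn  # the DN is in the changelog record itself; no lookup needed
    entry = DIRECTORY.get(dn)
    return entry.get(id_attribute) if entry else None

def build_deltas(changelog: List[Dict[str, str]], id_attribute: str) -> List[SyncDelta]:
    """Translate changelog records into sync deltas the way a changelog-based
    live sync would, using id_attribute as the account primary identifier."""
    deltas = []
    for record in changelog:
        dn = record["targetDn"]
        deltas.append(SyncDelta(int(record["changeNumber"]), record["changeType"],
                                dn, resolve_identifier(dn, id_attribute)))
    return deltas

def unresolved_deletes(deltas: List[SyncDelta]) -> List[int]:
    """Change numbers of delete deltas that cannot be matched to any account."""
    return [d.change_number for d in deltas
            if d.change_type == "delete" and d.identifier is None]

if __name__ == "__main__":
    for attr in ("nsUniqueId", "dn"):
        print(attr, "unresolved deletes:", unresolved_deletes(build_deltas(CHANGELOG, attr)))
```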
The 389ds is NOT a fully LDAPv3-compliant directory server. It uses non-numeric OIDs, under some circumstances it uses illegal attribute names (such as unhashed#user#password), it uses attributes that are not declared in the schema (lastchangenumber), etc. MidPoint 3.2 is bundled with an LDAP connector that relies on LDAPv3 compliance of the schema and will fail if 389ds is configured in a non-LDAPv3-compliant way. The LDAP connector bundled with midPoint 3.3 was improved to be a more tolerant LDAP client, and it will work.
lastchangenumber), etc. MidPoint 3.2 is bundled with LDAP connector that relies on LDAPv3 compliance of the schema and will fail is 389ds is configured in non-LDAPv3-compliant way. The LDAP connector bundled with midPoint 3.3 was improved to be a more tolerant LDAP client and it will work.