Page tree
Skip to end of metadata
Go to start of metadata


Works well, but there are some drawbacks.



Recommended Connectors




Polygon LDAP connector

LDAP Connector


Resource Configuration

See 389 Directory Server Configuration page.

Connector Configuration

See LDAP Connector documentation.

Connector Configuration Example


Resource Sample

389 Directory Server configuration samples from master branch.


Attribute nsUniqueId

The 389ds has a very convenient attribute nsUniqueId that is an attractive choice for account primary identifier. And this mostly works. But it does NOT work for changelog-based live synchronization. Delete deltas in the changelog do NOT have the nsUniqueId attribute. As the original entry is already deleted at that time then it is not possible for a connector to translate the DN of the deleted entry to a nsUniqueId and the delete delta will not work.

Workaround: change primary account identifier to dn.

Bad Schema

The 389ds is NOT a fully LDAPv3-compliant directory server. It is using non-numeric OIDs, under some circumstances it uses illegal attribute names (such as unhashed#user#password), it is using attributes that are not declared in the schema (firstchangenumber, lastchangenumber), etc. MidPoint 3.2 is bundled with LDAP connector that relies on LDAPv3 compliance of the schema and will fail is 389ds is configured in non-LDAPv3-compliant way. The LDAP connector bundled with midPoint 3.3 was improved to be a more tolerant LDAP client and it will work.

See Also

  • No labels