Page tree
Skip to end of metadata
Go to start of metadata


Stable. Works well.

This is the recommended connector to connect midPoint with the LDAP servers.


Connector for LDAP-based directory servers. Complete rewrite based on Apache Directory API. Apache-licensed.

The LDAP connector bundle also contains connectors for Active Directory and eDirectory. These connectors are specializations of the LDAP connector and support the LDAP quirks needed to work with AD and eDirectory.

This is an LDAP connector completely rewritten from scratch in 2015. It is using Apache Directory API and it is designed and built to work with recent ConnId versions and to take all the advantages of that. This is the supported and recommended LDAP and AD connector for midPoint. The old LDAP and AD connectors are now deprecated and they are no longer supported.




ConnId 1.5.x

Bundle name


Connector name


Capabilities and Features



Live Synchronization


For LDAP servers that support Sun-style changelog (Retro ChangeLog) or modifyTimestamp.

AD DirSync synchronization supported.





No activation for generic LDAP as there is not LDAP standard for that. This can be simulated in midPoint.
Activation for AD and eDirectory is supported.

Filtering changes

currently limited

Paging support


Simple Paged Results and VLV

Native attribute namesYES

Use ri:dn instead of icfs:name

Use ri:entryUUID instead of icfs:uid


This is an LDAP connector completely rewritten from scratch during 2015. It was significantly improved in following years. Currently the LDAP connector is perfectly stable and tested in many deployments. It can be used with a variety o LDAP servers, including exotic and obsolete systems.






Build Date

Framework versionBundled with midPoint



download jar


August 2015

Experimental version.

download jar


December 20151.4.2.0

LDAP stable, AD experimental

download jar


April 20161.

download jar


April 20161.4.2.14
Stable. jarGitHubJune 20161.4.2.14
Fixes timeout errors and resource leaks during AD connector resets. jarGitHubJune 20161. fixes. jarGitHubSeptember 20161. improvements. jarGitHubOctober 20161.4.2.18
Minor improvements.
1.4.3Polygondownload jarGitHubDecember 20161. improvements.
1.4.4Polygondownload jarGitHubApril 20171. and Exchange powershell support, bugfixes, minor improvements.
1.4.5Polygondownload jarGitHub3rd July 20171. bugfixes, minor improvements.
1.5Polygondownload jarGitHub4th October 20171. powershell execution alternatives and improvements, alternative auxiliary object class detection, explicit object class filter, configurable timestamp presentation, better error messages.
1.5.1Polygondownload jarGitHub11th December 20171., 3.7.1Release coupled with AD connector.
1.6Polygondownload jarGitHub4th May 20181., 3.8Release coupled with AD connector.
1.6.1Polygondownload jarGitHub17th April 20191.4.2.18TBDFix of security vulnerability: missing check of certificate validity.
2.0Polygondownload jarGitHub7th November 20181. timestamp support. Support for delta-based updates. Additional search filter support.
2.1Polygondownload jarGitHub17th April 20191.5.0.0noneOpenLDAP access log synchronization (contributed by Jonathan Gietz)
Object class handling improvements (contributed by Matthias Wolf)
Experimental support for "language-tagged" attributes.
Fix of security vulnerability: missing check of certificate validity.
2.2Polygondownload jarGitHub31st May 20191.5.0.0TBD

Upgrade of Apache Directory API (may fix some connection issues)
Support for substring filter anchors (MID-5383)
Fixing localization of configuration properties


In theory the connector should work with any LDAPv3 compliant LDAP server. However, many servers claim LDAPv3 compliance while the reality is far from ideal. The connector supports "quirks" of several popular LDAP servers and it tolerates some violations of LDAPv3 standards.

The connector supports following servers (assuming reasonably recent versions of the servers):

In addition to this the connector was successfully tested with the following LDAP servers:

  • ForgeRock OpenDJ / wren:DS
  • 389 directory server / Red Hat Directory Server / Fedora Directory Server
  • Oracle Directory Server Enterprise Edition (DSEE) / Sun One / Sun Java System / iPlanet Directory Server
  • eDirectory (in a form of eDirectory Connector)
  • ViewDS

We know that the connector works with these servers and they are supported in some midPoint deployments. However, support for these servers is not part of standard midPoint subscription and it has to be negotiated separately.

If you are using this connector with a different directory server please let us know. We would like to know both about the positive and negative experiences.


See LDAP Connector Documentation

Resource Examples

See Also

  • No labels