Page tree
Skip to end of metadata
Go to start of metadata


Support statusSupported
Support provided byEvolveum
Target systemsStandard LDAP servers (LDAPv3)

This is the recommended connector to connect midPoint with the LDAP servers.


Connector for standard LDAPv3 directory servers.

This is an LDAP connector completely rewritten from scratch in 2015. It is using Apache Directory API and it is designed and built to work with recent ConnId versions and to take all the advantages of that. This is the supported and recommended LDAP and AD connector for midPoint. The old LDAP and AD connectors are now deprecated and they are no longer supported.




ConnId 1.5.x

Bundle name


Connector name


Source code

Capabilities and Features

SchemaYESDetermined from standard LDAP schema.



Live Synchronization


For LDAP servers that support Sun-style changelog (Retro ChangeLog) or modifyTimestamp.

There is a contributed code for OpenLDAP synchronization. However, this is not included in "bundled" support.



It is assumed that the server will hash the password and store it securely. Support for connector-side hashing is limited.



No activation for generic LDAP as there is not LDAP standard for that. This can be simulated in midPoint.

Filtering changes

currently limited

Paging support


Simple Paged Results and VLV

Native attribute namesYES

Use ri:dn instead of icfs:name

Use ri:entryUUID instead of icfs:uid


This is an LDAP connector completely rewritten from scratch during 2015. It was significantly improved in following years. Currently the LDAP connector is perfectly stable and tested in many deployments. It can be used with a variety o LDAP servers, including exotic and obsolete systems.






Build Date

Framework versionBundled with midPoint



download jar


August 2015

Experimental version.

download jar


December 20151.4.2.0

LDAP stable, AD experimental

download jar


April 20161.

download jar


April 20161.4.2.14
Stable. jarGitHubJune 20161.4.2.14
Fixes timeout errors and resource leaks during AD connector resets. jarGitHubJune 20161. fixes. jarGitHubSeptember 20161. improvements. jarGitHubOctober 20161.4.2.18
Minor improvements.
1.4.3Evolveumdownload jarGitHubDecember 20161. improvements.
1.4.4Evolveumdownload jarGitHubApril 20171. and Exchange powershell support, bugfixes, minor improvements.
1.4.5Evolveumdownload jarGitHub3rd July 20171. bugfixes, minor improvements.
1.5Evolveumdownload jarGitHub4th October 20171. powershell execution alternatives and improvements, alternative auxiliary object class detection, explicit object class filter, configurable timestamp presentation, better error messages.
1.5.1Evolveumdownload jarGitHub11th December 20171., 3.7.1Release coupled with AD connector.
1.6Evolveumdownload jarGitHub4th May 20181., 3.8Release coupled with AD connector.
1.6.1Evolveumdownload jarGitHub17th April 20191.4.2.18noneFix of security vulnerability: missing check of certificate validity.
2.0Evolveumdownload jarGitHub7th November 20181. timestamp support. Support for delta-based updates. Additional search filter support.
2.1Evolveumdownload jarGitHub17th April 20191.5.0.0noneOpenLDAP access log synchronization (contributed by Jonathan Gietz)
Object class handling improvements (contributed by Matthias Wolf)
Experimental support for "language-tagged" attributes.
Fix of security vulnerability: missing check of certificate validity.
2.2Evolveumdownload jarGitHub31st May 20191.5.0.0none

Upgrade of Apache Directory API (may fix some connection issues)
Support for substring filter anchors (MID-5383)
Fixing localization of configuration properties

2.3Evolveumdownload jarGitHub13th August 20191.

Upgrade of Apache Directory API
Support for defaultSearchScope

2.4Evolveumdownload jarGitHub22nd November 20191.5.0.0TBD

Removed legacy support for eDirectory
Upgrade of Apache Directory API (2.0e1)
Support for "tree delete" LDAP control.

2.4.1Evolveumdownload jarGitHub23rd September 20201.5.0.0TBD (probably 4.0.3)

Fix configuration order (MID-6312)

3.0Evolveumdownload jarGitHub3rd April 20201.

Fixed detection of polystring attributes.
Implemented baseContextToSynchronize in timestamp-based synchronization.
Java 11 support (no Java 8 support any more).

3.1Evolveumdownload jarGitHub20th October 20201.

Additional filter fixes at several places.
Improved VLV detection.
Proper SPR "abandon".
Improved error handling.
Misc minor fixes.


In theory the connector should work with any LDAPv3 compliant LDAP server. However, many servers claim LDAPv3 compliance while the reality is far from ideal. The connector supports "quirks" of several popular LDAP servers and it tolerates some violations of LDAPv3 standards.

The connector was successfully tested with the following LDAP servers (assuming reasonably recent versions of the servers):

  • OpenLDAP
  • ForgeRock OpenDJ / wren:DS
  • 389 directory server / Red Hat Directory Server / Fedora Directory Server
  • Oracle Directory Server Enterprise Edition (DSEE) / Sun One / Sun Java System / iPlanet Directory Server
  • ViewDS

We know that at least some operations of the connector works with these servers and they are supported in some midPoint deployments. However, support for any specific server is not part of standard midPoint subscription and it has to be negotiated separately (see below).

If you are using this connector with a different directory server please let us know. We would like to know both about the positive and negative experiences.


  • Additional search filter does not work for "Sun changelog" synchronization strategy. The structure of changelog does not allow direct application of the filter on server-side. Client side application of filter is not straightforward due various complexities and the implementation is not planned for now.
  • Synchronization based on modifyTimestamp has a simplistic implementation. It does not support SPR, VLV or referral-following functionality. This synchronization method is inherently inefficient and unreliable. It should be used only as a last resort, if no other method is available.


LDAP connector is bundled with midPoint distribution. Support for LDAP connector is included in standard midPoint support service (a.k.a. bundled support) - however, there are limitations. This "bundled" support only includes operations of LDAP connector that 100% compliant with LDAP standards. Any non-standard functionality is explicitly excluded from the bundled support.

It is a sad fact that so far we haven't seen any LDAP server that would be 100% standard-compliant or that would not require any non-standard extensions to work. Therefore if you want to be sure that this LDAP connector will work with your LDAP server, we strongly recommend to negotiate support for that specific server in your midPoint support contract.

For the purposes of this definition "standard" means RFC specifications that reach at least a "proposed standard" status. Drafts, informational documents, vendor specifications or any other documents are not considered to be part of LDAP standards.

This means that the bundled support does not include support for any specific LDAP server. Support for specific servers needs to be explicitly negotiated in the support contract.

There may be exception to this rule for the customers that purchased support before the release of midPoint 4.0. In case of any doubts please contact Evolveum sales representatives.


See LDAP Connector Documentation

Resource Examples


The LDAP connector bundle also contains connectors for Active Directory and eDirectory. These connectors are specializations of the LDAP connector and support the LDAP quirks needed to work with AD and eDirectory.

See Also

  • No labels