Status

Stable. Works well.

This connector is the recommended way to connect midPoint with Active Directory servers.

Description

Connector for Active Directory servers based on the LDAP protocol.

This is a specialized version of the LDAP Connector to support the Active Directory LDAP quirks.

This LDAP-based connector is the supported and recommended Active Directory connector to use with midPoint. The old .NET-based Active Directory Connector and Exchange Connector (.NET) are deprecated and no longer supported (except for customers who purchased a midPoint subscription prior to April 2016 and September 2016 respectively).

Protocol

LDAP or LDAPS

Framework

ConnId 1.4.x

Bundle name

com.evolveum.polygon.connector.ldap.ad

Connector name

com.evolveum.polygon.connector.ldap.ad.AdLdapConnector

Capabilities and Features

Provisioning

YES

 

Live Synchronization

YES

Active Directory DirSync synchronization supported.

Password

YES

 

Activation

YES

Activation using the userAccountControl attribute.

Paging support

YES

Simple Paged Results and VLV

Native attribute names

YES

Use ri:dn instead of icfs:name

Use ri:GUID instead of icfs:uid

Scripting

YES

Command execution and PowerShell by using WinRM (since 1.4.2.18)

History

This connector is based on the LDAP Connector which was completely rewritten from scratch during 2015-2016.

Versions

This connector is part of the LDAP Connector bundle. It is distributed together with LDAP Connector and eDirectory Connector.

| Version | Origin | Binary | Sources | Build Date | ConnId Framework | Bundled with midPoint | Description |
|---|---|---|---|---|---|---|---|
| 1.4.2.0 | Polygon | download jar | GitHub | December 2015 | | | Official release (experimental) |
| 1.4.2.14 | Polygon | download jar | GitHub | April 2016 | | | Official release (stable) |
| 1.4.2.15 | Polygon | download jar | GitHub | April 2016 | | | |
| 1.4.2.18 | Polygon | download jar | GitHub | September 2016 | | 3.4.1 | PowerShell support. Bundled with midPoint 3.4.1. |
| 1.4.2.19 | Polygon | download jar | GitHub | October 2016 | 1.4.2.18 | | Improved handling of DNs in AD multi-domain environment. MID-2926 - Passing __NAME__ in ConnId Uid class as an additional hint (Resolved) |
| 1.4.3 | Polygon | download jar | GitHub | December 2016 | 1.4.2.18 | 3.5 | |
| 1.4.4 | Polygon | download jar | GitHub | April 2017 | 1.4.2.18 | 3.5.1 | CredSSP and PowerShell and Exchange support. |
| 1.4.5 | Polygon | download jar | GitHub | 3rd July 2017 | 1.4.2.18 | 3.6 | PowerShell improvements. |
| 1.5 | Polygon | download jar | GitHub | 4th October 2017 | 1.4.2.18 | 3.6.1 | PowerShell support. Alternative objectclass detection. Logging improvements. |
| 1.5.1 | Polygon | download jar | GitHub | 11th December 2017 | 1.4.2.18 | 3.7 | PowerShell fixes. |
| 1.6 | Polygon | download jar | GitHub | 4th May 2018 | 1.4.2.18 | 3.8 | Support for CredSSP version 5 and 6 (CVE-2018-0886) |

MS Exchange Support

This connector supports Microsoft Exchange servers in a slightly indirect way.

Firstly, the Exchange attributes are accessible in Active Directory when the Exchange software is installed. The AD/LDAP connector dynamically discovers the AD schema and therefore discovers the presence of these attributes. These attributes can then be manipulated in the normal way. Please note that some Exchange attributes may not be properly propagated in the AD LDAP schema. In such a case the workaround is to specify these attributes in the operationalAttributes connector configuration property.

Secondly, since version 1.4.2.18 the connector can execute commands and PowerShell scripts remotely using the WinRM interface. This feature can be used to manage Exchange mailboxes and additional settings. Please see the Powershell Support in AD/LDAP Connector page for more details.

Licensing

The connector itself is available under the terms of the Apache License 2.0. The connector uses only the LDAP protocol to access Active Directory. We are not using any Microsoft library or any other component that might be subject to Microsoft licensing. To the best of our knowledge no extra license is needed to use the connector with Active Directory. However, the Microsoft license texts are not entirely clear and we are not lawyers. It is therefore recommended that each user make their own analysis of the licensing issues. Please use your Microsoft support program and contact Microsoft with the licensing question when in doubt.

Additional Notes for Provisioning

Please make sure you are using the following resultHandlerConfiguration:

It is especially important that enableAttributesToGetSearchResultsHandler is set to false; otherwise you may be unable to see all attributes (only the identifiers stored in the shadow).
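One way to check a resource definition for this setting, as an added example that is not part of the original page or the midPoint project: the Python script below parses a constructed resource fragment and reports when enableAttributesToGetSearchResultsHandler is missing or not false. The element name resultsHandlerConfiguration, the icfc namespace URI and the two other handler flags in the sample are assumptions; the page names only enableAttributesToGetSearchResultsHandler.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of a midPoint resource definition. The icfc
# namespace URI, the block element name and the two sibling handler flags are
# assumptions; the page names only enableAttributesToGetSearchResultsHandler.
SAMPLE_RESOURCE = """\
<resource xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
  <connectorConfiguration>
    <icfc:resultsHandlerConfiguration>
      <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
      <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
      <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
    </icfc:resultsHandlerConfiguration>
  </connectorConfiguration>
</resource>
"""

REQUIRED_FALSE = "enableAttributesToGetSearchResultsHandler"
BLOCK_NAME = "resultsHandlerConfiguration"  # assumed element name


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_results_handlers(resource_xml):
    """Return a list of findings; an empty list means the resource passes."""
    root = ET.fromstring(resource_xml)
    blocks = [e for e in root.iter() if local(e.tag) == BLOCK_NAME]
    if not blocks:
        return [f"no {BLOCK_NAME} element found"]
    findings = []
    for block in blocks:
        # Match children by local name so the check does not depend on the prefix.
        flags = {local(c.tag): (c.text or "").strip().lower() for c in block}
        value = flags.get(REQUIRED_FALSE)
        if value is None:
            findings.append(f"{REQUIRED_FALSE} is not set")
        elif value != "false":
            findings.append(f"{REQUIRED_FALSE} is '{value}', expected 'false'")
    return findings


if __name__ == "__main__":
    for finding in check_results_handlers(SAMPLE_RESOURCE) or ["OK"]:
        print(finding)
```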

Documentation

 

Resource Examples

See Also
