
Status

Functionality: Stable
Support status: Supported
Support provided by: Evolveum
Origin: Evolveum
Target systems: Active Directory (AD DS 2012R2, AD DS 2008R2 (deprecated))

Description

Connector for Active Directory servers based on the LDAP protocol. This connector is the recommended way to connect midPoint with Active Directory servers.

This is a specialized version of the LDAP Connector to support the Active Directory LDAP quirks.

This LDAP-based connector is the supported and recommended Active Directory connector to use with midPoint. The old .NET-based Active Directory Connector and Exchange Connector (.NET) are deprecated; they are considered legacy and are no longer supported.

Protocol

LDAP or LDAPS

Framework

ConnId 1.5.x

Bundle name

com.evolveum.polygon.connector.ldap.ad

Connector name

com.evolveum.polygon.connector.ldap.ad.AdLdapConnector

Capabilities and Features

Schema: YES. Including experimental ability to use native AD schema instead of standard LDAP schema.
Provisioning: YES.
Live Synchronization: YES. Active Directory DirSync synchronization supported.
Password: YES.
Activation: YES. Activation using the userAccountControl attribute.
Paging support: YES. Simple Paged Results and VLV.
Native attribute names: YES. Use ri:dn instead of icfs:name; use ri:GUID instead of icfs:uid.
Scripting: YES. Command execution and Powershell by using WinRM (since 1.4.2.18).
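The two entries above that differ most from a plain LDAP server are activation and the native identifiers: AD has no "enabled" attribute, so activation is a bit inside the integer userAccountControl attribute, and objectGUID/objectSid are stored as binary values that the connector exposes in textual form. The following added example (written for this page, not code from the connector or from midPoint) shows both at the attribute level. The userAccountControl flag values are the documented Microsoft constants; the sample GUID and SID byte strings are constructed for the example.

```python
"""Added example, not part of the AD/LDAP connector: AD activation via the
userAccountControl bit mask, and textual forms of the binary objectGUID and
objectSid identifiers. Flag values are Microsoft's documented constants;
sample byte strings below are constructed for this example.
"""
import struct
import uuid
from typing import List

# Documented userAccountControl bits (subset).
ACCOUNTDISABLE = 0x0002
UAC_FLAG_NAMES = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def is_enabled(uac: int) -> bool:
    """Activation status: the account is enabled unless ACCOUNTDISABLE is set."""
    return not (uac & ACCOUNTDISABLE)


def set_enabled(uac: int, enabled: bool) -> int:
    """New userAccountControl value for enabling/disabling the account.

    Only the ACCOUNTDISABLE bit is touched; overwriting the whole attribute
    with a fixed constant (a common mistake) would silently drop other flags
    such as DONT_EXPIRE_PASSWORD.
    """
    return uac & ~ACCOUNTDISABLE if enabled else uac | ACCOUNTDISABLE


def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if uac & bit]


def guid_to_text(raw: bytes) -> str:
    """objectGUID is 16 bytes with the first three fields little-endian,
    which is exactly what uuid.UUID(bytes_le=...) expects."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def sid_to_text(raw: bytes) -> str:
    """objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities. Rendered as S-R-A-s1-s2-..."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


# Constructed sample values (not taken from any real directory).
SAMPLE_GUID = b"\x78\x56\x34\x12\x34\x12\x78\x56\x9a\xbc\xde\xf0\x12\x34\x56\x78"
SAMPLE_SID = (
    bytes([1, 5, 0, 0, 0, 0, 0, 5])      # revision 1, 5 sub-authorities, authority 5
    + b"\x15\x00\x00\x00"                # 21
    + b"\xe8\x03\x00\x00"                # 1000
    + b"\xd0\x07\x00\x00"                # 2000
    + b"\xb8\x0b\x00\x00"                # 3000
    + b"\xf4\x01\x00\x00"                # 500
)

if __name__ == "__main__":
    uac = 0x10200  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
    print("enabled:", is_enabled(uac), decode_uac(uac))
    disabled = set_enabled(uac, False)
    print("after disable: 0x%x" % disabled, decode_uac(disabled))
    print("ri:GUID text:", guid_to_text(SAMPLE_GUID))
    print("SID text:", sid_to_text(SAMPLE_SID))
```

The point of set_enabled is the one that matters in provisioning: an activation mapping that writes a constant such as 512/514 into userAccountControl will wipe any other flags set by administrators, whereas a read-modify-write of the single bit preserves them.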

History

This connector is based on the LDAP Connector which was completely rewritten from scratch during 2015-2016.

Versions

This connector is part of the LDAP Connector bundle. It is distributed together with LDAP Connector and eDirectory Connector.

Version | Origin | Binary | Sources | Build Date | ConnId Framework | Bundled with midPoint | Description
1.4.2.0 | Evolveum | download jar | GitHub | December 2015 | - | - | Official release (experimental)
1.4.2.14 | Evolveum | download jar | GitHub | April 2016 | - | - | Official release (stable)
1.4.2.15 | Evolveum | download jar | GitHub | April 2016 | - | - | -
1.4.2.18 | Evolveum | download jar | GitHub | September 2016 | - | 3.4.1 | Powershell support. Bundled with midPoint 3.4.1.
1.4.2.19 | Evolveum | download jar | GitHub | October 2016 | 1.4.2.18 | - | Improved handling of DNs in AD multi-domain environment (MID-2926).
1.4.3 | Evolveum | download jar | GitHub | December 2016 | 1.4.2.18 | 3.5 | -
1.4.4 | Evolveum | download jar | GitHub | April 2017 | 1.4.2.18 | 3.5.1 | CredSSP and Powershell and Exchange support.
1.4.5 | Evolveum | download jar | GitHub | 3rd July 2017 | 1.4.2.18 | 3.6 | Powershell improvements.
1.5 | Evolveum | download jar | GitHub | 4th October 2017 | 1.4.2.18 | 3.6.1 | Powershell support. Alternative objectclass detection. Logging improvements.
1.5.1 | Evolveum | download jar | GitHub | 11th December 2017 | 1.4.2.18 | 3.7 | Powershell fixes.
1.6 | Evolveum | download jar | GitHub | 4th May 2018 | 1.4.2.18 | 3.8 | Support for CredSSP version 5 and 6 (CVE-2018-0886).
1.6.1 | Evolveum | download jar | GitHub | 17th April 2018 | 1.4.2.18 | TBD | Fix of security vulnerability: missing check of certificate validity.
2.0 | Evolveum | download jar | GitHub | 7th November 2018 | 1.5.0.0 | 3.9 | Native timestamp support. Support for delta-based updates. Textual representation of SID. RunAs support that allows password changes using the user's own identity. Additional search filter support.
2.1 | Evolveum | download jar | GitHub | 17th April 2019 | 1.5.0.0 | none | Fix of security vulnerability: missing check of certificate validity.
2.2 | Evolveum | download jar | GitHub | 31st May 2019 | 1.5.0.0 | none | Upgrade of Apache Directory API (may fix some connection issues). Fixed binary encoding of unicodePwd (MID-5242). Support for substring filter anchors (MID-5383). Fixed localization of configuration properties.
2.3 | Evolveum | download jar | GitHub | 13th August 2019 | 1.5.0.0 | 4.0 | Upgrade of Apache Directory API. Experimental support for native AD schema. Experimental support for objectCategory searches and automatic management of objectCategory. Improved support for userAccountControl (contributed). Support for defaultSearchScope.

Interoperability

The following versions of Active Directory are supported:

  • Active Directory Domain Services (AD DS), Windows Server 2008R2 (DEPRECATED)
  • Active Directory Domain Services (AD DS), Windows Server 2012R2

Active Directory Lightweight Directory Services (AD LDS) or any other variants of Active Directory or related services are NOT supported.

The connector supports only a subset of the operations that are available over the LDAP protocol and are at the same time documented in public Microsoft documentation. The connector does not claim to support all AD operations or complete AD functionality. Basic provisioning functionality is supported and has been tested in numerous real-world deployments, but advanced functionality may not be supported at all. Active Directory is a complex, proprietary and heavily non-standard system, and it is not possible for the connector to support all the available operations. We recommend conducting feasibility testing before deploying this connector. If some connector functionality is missing, we recommend purchasing a midPoint platform subscription to cover the functionality gap.

MS Exchange Interoperability

Technically, this connector can be used to provision Microsoft Exchange servers in an indirect way by using PowerShell scripts.

Firstly, the Exchange attributes are accessible in Active Directory once the Exchange software is installed. The AD/LDAP connector discovers the AD schema dynamically and will therefore discover the presence of these attributes, which can then be manipulated in the normal way. Please note that some Exchange attributes may not be properly propagated into the AD LDAP schema; in such a case the workaround is to specify these attributes in the operationalAttributes connector configuration property.

Secondly, since version 1.4.2.18 the connector can execute commands and PowerShell scripts remotely using the WinRM interface. This feature can be used to manage Exchange mailboxes and additional settings. Please see the Powershell Support in AD/LDAP Connector page for more details.

However, support for MS Exchange is not included in the "bundled" support for this connector (see below).

Support

This connector is bundled with the midPoint distribution. Support for the LDAP connector is included in the standard midPoint support service (a.k.a. bundled support); however, there are limitations:

  • Only some Active Directory versions are supported (see above)
  • Only some Active Directory features are supported (see above). The connector does not claim to be feature-complete. We recommend conducting feasibility testing before deploying this connector. If some connector functionality is missing, we recommend purchasing a midPoint platform subscription to cover the functionality gap.
  • PowerShell scripting implemented in this connector is intended to supplement the creation of Active Directory (Windows) accounts by using simple scripts. It is not intended for managing Microsoft Exchange accounts. Management of Exchange accounts can be quite a complex matter, requiring complicated PowerShell scripts. Support for the use of this connector to manage Exchange accounts has to be purchased separately.

There may be an exception to this rule for customers that purchased support before the release of midPoint 4.0. In case of any doubt please contact Evolveum sales representatives.

Licensing

The connector itself is available under the terms of the Apache License 2.0. The connector uses only the LDAP protocol to access Active Directory. We do not use any Microsoft library or any other component that might be subject to Microsoft licensing. To the best of our knowledge no extra license is needed to use the connector with Active Directory. However, the Microsoft license texts are not entirely clear and we are not lawyers. Therefore each user is advised to make their own analysis of the licensing issues. Please use your Microsoft support program and contact Microsoft with licensing questions when in doubt.

Additional Notes for Provisioning

ConnId Result Handlers

These "result handlers" are an artifact of over-engineering in the original Identity Connector Framework. The handlers are supposed to assist connectors by implementing mechanisms that the connector or resource does not support, such as search result filtering, data normalization and so on. However, the handlers are generic and know nothing about the particulars of the resource that the connector connects to. Therefore in the vast majority of cases they just get in the way and distort the data. Good connectors usually do not need these handlers at all. Unfortunately, the handlers are enabled by default and there is no way for a connector to tell the framework to turn them off. The handlers need to be explicitly disabled in the resource configuration.

We strongly recommend disabling all the handlers when working with well-designed connectors in general, and when working with our LDAP or AD/LDAP connectors in particular.

Please make sure you are using the following resultsHandlerConfiguration:

. . .
    <icfc:resultsHandlerConfiguration>
      <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
      <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
      <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
    </icfc:resultsHandlerConfiguration>
  </connectorConfiguration>
. . .

In particular, enableAttributesToGetSearchResultsHandler must be false; otherwise you may be unable to see all attributes (only the identifiers stored in the shadow).
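Because the handlers are enabled by default, a resource file that simply omits the resultsHandlerConfiguration element is as exposed to the attribute-loss problem as one that sets the handlers to true. The following added example (written for this page, not midPoint code) is a small audit check that parses a resource definition and reports each of the three handlers as "false", "true" or "missing", so that resource files can be verified before deployment. The icfc and common namespace URIs in it are assumed to be the ones midPoint uses; the two sample resource fragments are constructed for the example.

```python
"""Added example (not midPoint code): audit a midPoint resource XML for the
ConnId result-handler settings this page recommends. An absent element is
reported as "missing" because ConnId enables the handlers by default.
Namespace URIs are assumed; sample resources are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed midPoint connector-configuration namespace (icfc prefix).
ICFC_NS = "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
HANDLERS = (
    "enableNormalizingResultsHandler",
    "enableFilteredResultsHandler",
    "enableAttributesToGetSearchResultsHandler",
)


def check_results_handlers(resource_xml: str) -> Dict[str, str]:
    """Map each handler name to its configured value ('true'/'false', lowercased)
    or 'missing' when the element is absent or empty."""
    root = ET.fromstring(resource_xml)
    # ElementTree addresses namespaced elements as '{uri}localname'.
    cfg = root.find(".//{%s}resultsHandlerConfiguration" % ICFC_NS)
    result: Dict[str, str] = {}
    for name in HANDLERS:
        el = None if cfg is None else cfg.find("{%s}%s" % (ICFC_NS, name))
        if el is None or el.text is None or not el.text.strip():
            result[name] = "missing"
        else:
            result[name] = el.text.strip().lower()
    return result


def problems(resource_xml: str) -> List[str]:
    """Handlers that are not explicitly disabled, formatted for a report."""
    return [
        "%s: %s" % (name, state)
        for name, state in check_results_handlers(resource_xml).items()
        if state != "false"
    ]


# Constructed sample: all three handlers disabled as this page recommends.
SAMPLE_OK = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
  <name>AD (constructed sample)</name>
  <connectorConfiguration>
    <icfc:resultsHandlerConfiguration>
      <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
      <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
      <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
    </icfc:resultsHandlerConfiguration>
  </connectorConfiguration>
</resource>"""

# Constructed sample: one handler left on, one not mentioned at all.
SAMPLE_BAD = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
  <name>AD (constructed sample, misconfigured)</name>
  <connectorConfiguration>
    <icfc:resultsHandlerConfiguration>
      <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
      <icfc:enableFilteredResultsHandler>true</icfc:enableFilteredResultsHandler>
    </icfc:resultsHandlerConfiguration>
  </connectorConfiguration>
</resource>"""

if __name__ == "__main__":
    for label, xml_text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, problems(xml_text) or "all handlers disabled")
```

To use it against real resource files, read each file's contents and pass the text to problems(); a non-empty list means the resource still relies on a framework handler.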

Resource Examples

See Also
