Provisioning works well.
Synchronization works well.
This connector is the recommended way to connect to the Active Directory since connector version 126.96.36.199 (bundled with midPoint 3.3.1 and 3.4).
The .NET-based Active Directory connector is deprecated and it is no longer supported.
The connector can be used for provisioning and synchronization with Active Directory using the LDAP protocol.
(Remote connector server is not needed for this connector)
We have successfully tested both provisioning and synchronization of users with the following access privileges using Active Directory domain "Delegate Control" mechanism:
For LiveSync, you also need "Replicating Directory Changes" permission (please refer to https://support.microsoft.com/en-us/help/303972 and https://support.microsoft.com/en-ae/help/891995/how-to-poll-for-object-attribute-changes-in-active-directory-on-window).
Version: most recent stable version
(currently, no published documentation)
Active Directory in the default configuration is not really LDAPv3-compliant server. It has many quirks, extensions, modification and twists the LDAP standard almost beyond recognition. The LDAP connector was modified to survive this brutal "intepretation" of the LDAP specifications. However, there are many things that needs to be taken into account when configuring AD resource:
<connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"> <icfc:configurationProperties xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector"> <icfcldap:host>ad.example.com</icfcldap:host> <icfcldap:port>636</icfcldap:port> <icfcldap:baseContext>DC=evolveum,DC=com</icfcldap:baseContext> <icfcldap:bindDn>CN=midpoint,CN=Users,DC=evolveum,DC=com</icfcldap:bindDn> <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity> <icfcldap:bindPassword> <t:clearValue>secret</t:clearValue> </icfcldap:bindPassword> </icfc:configurationProperties> <icfc:resultsHandlerConfiguration> <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler> <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler> </icfc:resultsHandlerConfiguration> </connectorConfiguration>
See resource sample.
Note: to avoid clear-text password visible in the repository, please refer to String to ProtectedString Connector Configuration.
Active Directory has huge schema. The schema when encoded in XSD has several megabytes. This might take several hundreds of megabytes of memory when processed. Make sure that your midpoint instance has enough memory (heap) to handle that. The impact of AD schema can be limited by reducing the number of object classes that are processed by midPoint: