Provisioning works well.

Synchronization works well.

This connector is the recommended way to connect to Active Directory since connector version (bundled with midPoint 3.3.1 and 3.4).

The .NET-based Active Directory connector is deprecated and no longer supported.


The connector can be used for provisioning and synchronization with Active Directory using the LDAP protocol.

Resource Configuration

(Remote connector server is not needed for this connector)

Administrative Account for Provisioning/Synchronization

We have successfully tested both provisioning and synchronization of users with the following access privileges, granted to a dedicated service account through the Active Directory domain "Delegate Control" mechanism (membership in Domain Admins is not required):

For LiveSync, you also need the "Replicating Directory Changes" permission (please refer to and

Recommended Connector

Framework: ConnId
Bundle: com.evolveum.polygon.connector-ldap
Version: most recent stable version

Connector Configuration

(currently, no published documentation)

Active Directory in its default configuration is not really an LDAPv3-compliant server. It has many quirks, extensions and modifications, and it twists the LDAP standard almost beyond recognition. The LDAP connector was modified to survive this brutal "interpretation" of the LDAP specifications. However, there are many things that need to be taken into account when configuring an AD resource:

  • instanceType, nTSecurityDescriptor and objectCategory are formally defined as mandatory attributes in the top object class (!!!). This makes them (formally) mandatory for every object accessed over LDAP. In practice AD accepts the creation of objects without these attributes. For proper operation of midPoint we therefore recommend relaxing the schema with the limitations mechanism in midPoint Resource Schema Handling by setting minOccurs=0 for these attributes. (This is already done in the sample referenced below.)
  • Objects can easily carry attributes that are not defined in any of the object classes they have. E.g. a normal user (the user object class) may have the attribute info. If such extra attributes are used in your AD instance, the best approach is to list them as operational attributes in the connector configuration and define them explicitly in Resource Schema Handling (see ).
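Both points above expressed in resource XML, as an added example that is not the page's own resource sample nor midPoint project code: the connector configuration lists info as an operational attribute and binds over LDAPS with a delegated service account, and schemaHandling relaxes the three formally mandatory attributes to minOccurs=0 and declares info explicitly. The host name, base context, bind DN, password, the outbound mapping source and the connector-specific namespace URI are assumptions made for illustration; check them against your deployment and against the sample the page links to.

```xml
<!-- Added example, not the page's resource sample. Host, DNs, password, the
     outbound mapping and the icfcldap namespace URI are assumed placeholders. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Active Directory (example)</name>
    <connectorRef type="c:ConnectorType">
        <filter>
            <q:equal>
                <q:path>c:connectorType</q:path>
                <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
    <connectorConfiguration>
        <icfc:configurationProperties>
            <icfcldap:host>dc01.example.com</icfcldap:host>
            <icfcldap:port>636</icfcldap:port>
            <!-- LDAPS: the bind password and all attribute data travel encrypted -->
            <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
            <icfcldap:baseContext>DC=example,DC=com</icfcldap:baseContext>
            <!-- dedicated account holding only delegated rights, not a Domain Admin -->
            <icfcldap:bindDn>CN=midpoint-svc,OU=Service Accounts,DC=example,DC=com</icfcldap:bindDn>
            <!-- clearValue is encrypted by midPoint when the resource is imported,
                 so the repository does not keep the plain-text value -->
            <icfcldap:bindPassword>
                <t:clearValue>changeme</t:clearValue>
            </icfcldap:bindPassword>
            <!-- AD lets a user object carry "info" although no object class of the
                 user defines it; listing it here makes the connector read and
                 write it anyway -->
            <icfcldap:operationalAttributes>info</icfcldap:operationalAttributes>
        </icfc:configurationProperties>
    </connectorConfiguration>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>AD user</displayName>
            <default>true</default>
            <objectClass>ri:user</objectClass>
            <!-- the three attributes AD's top class marks mandatory but that AD
                 does not actually require on create -->
            <attribute>
                <ref>ri:instanceType</ref>
                <limitations><minOccurs>0</minOccurs></limitations>
            </attribute>
            <attribute>
                <ref>ri:nTSecurityDescriptor</ref>
                <limitations><minOccurs>0</minOccurs></limitations>
            </attribute>
            <attribute>
                <ref>ri:objectCategory</ref>
                <limitations><minOccurs>0</minOccurs></limitations>
            </attribute>
            <!-- explicit definition of the operational attribute so midPoint knows
                 its cardinality and can map it -->
            <attribute>
                <ref>ri:info</ref>
                <displayName>Notes</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <maxOccurs>1</maxOccurs>
                </limitations>
                <outbound>
                    <source><path>$user/description</path></source>
                </outbound>
            </attribute>
        </objectType>
    </schemaHandling>
</resource>
```

midPoint encrypts the clearValue on import, but the XML file itself still contains the password until then: keep such files out of version control and out of shared file systems, and prefer LDAPS (port 636) or StartTLS so the bind credential is never sent in the clear.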

Resource Configuration Example

<connectorConfiguration xmlns:icfc="">
        <icfc:configurationProperties xmlns:icfcldap="">
        </icfc:configurationProperties>
</connectorConfiguration>

Resource Sample

See resource sample.



Note: to avoid a clear-text password being visible in the repository, please refer to String to ProtectedString Connector Configuration.

Active Directory has a huge schema. Encoded in XSD it is several megabytes, and processing it may take several hundred megabytes of memory. Make sure that your midPoint instance has enough memory (heap) to handle that. The impact of the AD schema can be limited by reducing the number of object classes that midPoint processes:
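One way to restrict schema processing, as an added example that is not code from the page or from the midPoint project: a generationConstraints section in the resource's schema element that lists only the object classes midPoint should generate into its resource schema. The element names follow midPoint's resource schema definition; the particular object classes chosen are an assumption for illustration, so keep whatever your mappings actually use.

```xml
<!-- Added example; the object class selection is an assumption. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Active Directory (example)</name>
    <!-- connectorRef and connectorConfiguration unchanged from your resource -->
    <schema>
        <generationConstraints>
            <!-- only these AD object classes are turned into the XSD resource
                 schema; the rest of the multi-megabyte AD schema is skipped,
                 which keeps heap usage and schema parsing time down -->
            <generateObjectClass>ri:user</generateObjectClass>
            <generateObjectClass>ri:group</generateObjectClass>
            <generateObjectClass>ri:organizationalUnit</generateObjectClass>
        </generationConstraints>
    </schema>
</resource>
```

midPoint caches the generated schema inside the resource object, so after changing these constraints re-import the resource (or otherwise discard the cached schema) so that it is regenerated with the reduced set of object classes.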



See Also

External links