Active Directory with the legacy .NET connector

Last modified 07 Sep 2022 03:49 +02:00
OBSOLETE
This functionality is obsolete. It is no longer supported or maintained.
Table of Contents

Status

Provisioning works well.

Synchronization works well.

OBSOLETE

This connector is obsolete. It is not supported any more. The connector is based on an obsolete code. Even though the code is tested and proven to work for basic IDM scenarios, we do not plan any extension for other scenarios. Evolveum team will not invest any more effort into this connector. This connector is no longer supported.

For planned deployments of midPoint we strongly recommend the use of the new LDAP-based Active Directory connector.

There is no community support provided by Evolveum team for the deprecated .NET-based Active Directory connector. The connector is supported only for midPoint subscribers that purchase their subscription prior to midPoint 3.3.1 release. Extra subscription for this connector is available, but has to be explicitly negotiated.

Description

The connector can be used for provisioning Active Directory. .NET Connector Server with AD connector must be installed in AD domain. Connector host must be configured on midPoint host (see below).

This is still the recommended way for production deployments.

Resource Configuration

.NET Connector Server Installation

See .NET connector installation

Administrative Account for Provisioning/Synchronization

We have successfully tested both provisioning and synchronization of users with the following access privileges using Active Directory domain "Delegate Control" mechanism:

  • Create, delete and manage user accounts

  • Reset user passwords and force password change at next logon

  • Read all user information

  • Create, delete and manage groups

  • Modify the membership of a group

  • Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)

  • Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)

  • Read all inetOrgPerson information

For .NET framework 4.x:

Framework: ICF
Bundle: ActiveDirectory.Connector
Version: 1.4.0.20165
Connector: Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector

Connector must be installed on .NET Connector Server machine. Just unzip the connector archive into the .NET Connector Server directory and restart Connector Server service.

Connector Configuration

(currently, no published documentation)

Connector Host Configuration

Connector host must be configured first to be able to configure AD connector. The following sample shows how to create connector host instance for Connector Server running on "admachine.example.com" host. Please note that the "sharedSecret" value must be set to the same value as Connector Server key. Import and update the connector host sample configuration and click "Discover" button. Connector object(s) will be created for connector(s) hosted by Connector Server.

Connector Host Example

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<object xsi:type="ConnectorHostType" oid="91919191-76e0-59e2-86d6-44cc44cc44cc" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>ICF Connector server on admachine:8759</name>
    <hostname>admachine.example.com</hostname>
    <port>8759</port>
    <sharedSecret>
        <clearValue>secret</clearValue>
    </sharedSecret>
</object>

Resource Configuration Example

<connectorConfiguration>
<icfc:configurationProperties
  xmlns:icfcad="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/ActiveDirectory.Connector/Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector">
    <icfcad:DirectoryAdminName>idmadmin</icfcad:DirectoryAdminName>
    <icfcad:DirectoryAdminPassword><clearValue>secret</clearValue></icfcad:DirectoryAdminPassword>
    <icfcad:ObjectClass>User</icfcad:ObjectClass>
    <icfcad:Container>cn=Users,dc=example,dc=com</icfcad:Container>
    <icfcad:CreateHomeDirectory>true</icfcad:CreateHomeDirectory>
    <icfcad:LDAPHostName>localhost</icfcad:LDAPHostName>
    <icfcad:SearchChildDomains>false</icfcad:SearchChildDomains>
    <icfcad:DomainName>example.com</icfcad:DomainName>
  </icfc:configurationProperties>
</connectorConfiguration>

Resource Sample

See resource sample.

Notes

Note: to avoid clear-text password visible in the repository, please refer to String to ProtectedString Connector Configuration.

 
+

Note: the __PASSWORD_EXPIRED__ (icfs:passwordExpired) attribute can be set to "true" to force user change the password upon next login, but it can’t be set to "false". The only way of resetting the value is to change the password.

 
+

See Also

Was this page helpful?
YES NO
Thanks for your feedback