<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<object xsi:type="ConnectorHostType" oid="91919191-76e0-59e2-86d6-44cc44cc44cc"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>ICF Connector server on admachine:8759</name>
    <hostname>admachine.example.com</hostname>
    <port>8759</port>
    <sharedSecret>
        <clearValue>secret</clearValue>
    </sharedSecret>
</object>
Active Directory with the legacy .NET connector
OBSOLETE: This functionality is obsolete. It is no longer supported or maintained.
Provisioning works well.
Synchronization works well.
This connector is obsolete and is no longer supported. It is based on obsolete code. Even though the code is tested and proven to work for basic IDM scenarios, we do not plan any extension for other scenarios, and the Evolveum team will not invest any more effort into this connector.
For planned deployments of midPoint we strongly recommend using the new LDAP-based Active Directory connector.
There is no community support provided by the Evolveum team for the deprecated .NET-based Active Directory connector. The connector is supported only for midPoint subscribers who purchased their subscription prior to the midPoint 3.3.1 release. An extra subscription for this connector is available, but has to be explicitly negotiated.
The connector can be used for provisioning Active Directory. The .NET Connector Server with the AD connector must be installed in the AD domain. A connector host must be configured on the midPoint host (see below).
This is still the recommended way for production deployments.
.NET Connector Server Installation
Administrative Account for Provisioning/Synchronization
We have successfully tested both provisioning and synchronization of users with the following access privileges, granted using the Active Directory domain "Delegate Control" mechanism:
Create, delete and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete and manage groups
Modify the membership of a group
Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)
Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)
Read all inetOrgPerson information
For .NET framework 4.x:
The connector must be installed on the .NET Connector Server machine. Unzip the connector archive into the .NET Connector Server directory and restart the Connector Server service.
(currently, no published documentation)
Connector Host Configuration
The connector host must be configured before the AD connector can be configured. The following sample shows how to create a connector host instance for a Connector Server running on the "admachine.example.com" host. Please note that the "sharedSecret" value must be set to the same value as the Connector Server key. Import the connector host sample configuration, update it for your environment and click the "Discover" button. Connector object(s) will be created for the connector(s) hosted by the Connector Server.
Connector Host Example (the connector host object is shown at the top of this page)
Resource Configuration Example
<!-- The icfc namespace is declared here so the fragment is self-contained; in a complete
     resource definition it is normally declared on the root <resource> element. -->
<connectorConfiguration
        xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
    <icfc:configurationProperties
            xmlns:icfcad="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/ActiveDirectory.Connector/Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector">
        <icfcad:DirectoryAdminName>idmadmin</icfcad:DirectoryAdminName>
        <icfcad:DirectoryAdminPassword><clearValue>secret</clearValue></icfcad:DirectoryAdminPassword>
        <icfcad:ObjectClass>User</icfcad:ObjectClass>
        <icfcad:Container>cn=Users,dc=example,dc=com</icfcad:Container>
        <icfcad:CreateHomeDirectory>true</icfcad:CreateHomeDirectory>
        <icfcad:LDAPHostName>localhost</icfcad:LDAPHostName>
        <icfcad:SearchChildDomains>false</icfcad:SearchChildDomains>
        <icfcad:DomainName>example.com</icfcad:DomainName>
    </icfc:configurationProperties>
</connectorConfiguration>
Note: to avoid a clear-text password being visible in the repository, please refer to String to ProtectedString Connector Configuration.
Note: the __PASSWORD_EXPIRED__ (icfs:passwordExpired) attribute can be set to "true" to force the user to change the password upon next login, but it cannot be set to "false". The only way of resetting the value is to change the password.