Active Directory
Overview
The Active Directory Connector supports provisioning to Windows servers 2003 / 2008 running Active Directory.
Installation
- Extract the Active Directory Connector zip file to the same directory where the connector server resides.
The default path is C:\Program Files\Identity Connectors\Connector Server. You can change this path if you are running more than one connector server on the same machine. - Restart the connector server.
Supported operations
- Authenticate
- Create
- Delete
- Update
- Search
- Schema
- Test
Configuration
The following table describes all of the configuration properties that you can specify on the Configuration object when you are setting up an Active Directory connector.
| Configuration Property | Type | Required | Definition |
|---|---|---|---|
| Active Directory Domain Controller Hostname | String | Specifies a particular domain controller, enter the hostname, IP address, or domain name of the LDAP server. If it is not supplied, serverless bind is used. | |
| Container | String | X | A container object which will be the default root of all searches. Unless a search explicitly passes in other criteria, only objects under this container will be searched. For example, if you want to retrieve users from the Users container, enter CN=Users,DC=MYDOMAIN,DC=COM. |
| Create Home Directory | Boolean | Specifes whether or not the home directory for the user will be created. | |
| Directory Administrator's Account | String | X | The administrator's user name with which the system should authenticate. The setting can be either a username or a combination of domain name and user name in the form of 'domainname'\'username'. |
| Directory Administrator's Password | String | X | The password that should be used when authenticating. |
| Domain Name | String | X | Name of the windows domain (e.g. windowsdomain.mycompany.com). |
| Object Class for User Objects | String | The Active Directory object class for user objects that will be managed on the specified resource. The default is User, and for most situations, this should be fine. | |
| Search Child Domains | Boolean | Set if you want searches of Active Directory to include child domains. In addition, the Search Container and Sync Search Context (see sync settings) attributes must be set to the top of the parent domain, e.g. DC=mydomain,DC=com. | |
| Search Context | String | Reserved for future use. | |
| Sync Domain Controller | String | Domain controller to use during sync. Only used if not searching child domains. | |
| Sync Global Catalog Server | String | Name of the global catalog server. This is needed only if searching child domains. |
Schema
The Active Directory connector supports three objectclasses:
- ACCOUNT
- Group
- organizationalUnit
The following tables list all explicitly supported attributes in the schema, according to objectclass (type of object to manage).
Attributes Supported for the ACCOUNT Objectclass
Unless specifically noted otherwise, all of the attributes listed in this table are
- Single-valued
- Optional
- Can be created, updated, and read.
| Attribute Name | Description |
|---|---|
| sAMAccountName | Cannot be updated |
| givenName | |
| sn | |
| displayName | |
| telephoneNumber | |
| employeeID | |
| division | |
| mobile | |
| middleName | |
| description | Multi-valued attribute |
| department | |
| manager | |
| title | |
| initials | |
| co | |
| company | |
| facsimileTelephoneNumber | |
| homePhone | |
| streetAddress | |
| l | |
| st | |
| postalCode | |
| TerminalServicesInitialProgram | Cannot be created or updated |
| TerminalServicesWorkDirectory | |
| AllowLogon | |
| MaxConnectionTime | |
| MaxDisconnectionTime | Cannot be created or updated |
| MaxIdleTime | |
| ConnectClientDrivesAtLogon | Cannot be created or updated |
| ConnectClientPrintersAtLogon | Cannot be created or updated |
| DefaultToMainPrinter | Cannot be created or updated |
| BrokenConnectionAction | Cannot be created or updated |
| ReconnectionAction | Cannot be created or updated |
| EnableRemoteControl | Cannot be created or updated |
| TerminalServicesProfilePath | Cannot be created or updated |
| TerminalServicesHomeDirectory | Cannot be created or updated |
| TerminalServicesHomeDrive | Cannot be created or updated |
| uSNChanged | Cannot be created or updated |
| ad_container | Cannot be created or updated |
| otherHomePhone | Multi-valued attribute |
| distinguishedName | Cannot be created or updated |
| objectClass | Cannot be created or updated |
| homeDirectory | |
| PasswordNeverExpires? | |
| ENABLE | |
| LOCK_OUT | |
| PASSWORD_EXPIRED | |
| CURRENT_PASSWORD | |
| PASSWORD | Multi-valued attribute that is not readable and not returned by default |
| GROUPS | |
| DESCRIPTION | Cannot be created or updated |
| SHORT_NAME | Cannot be created or updated |
| NAME | Not readable |
Attributes Supported for the Group Objectclass
Unless specifically noted otherwise, all of the attributes listed in this table are
Single-valued Optional Can be created, updated, and read.
| Attribute Name | Description |
|---|---|
| cn | Cannot be created or updated |
| samAccountName | |
| description | |
| displayName | Cannot be created or updated |
| managedby | |
| groupType | |
| objectClass | Cannot be created or updated |
| member | Cannot be created or updated |
| ad_container | Cannot be created or updated |
| DESCRIPTION | Cannot be created or updated |
| SHORT_NAME | Cannot be created or updated |
| NAME | Required |
Attributes Supported for the organizationalUnit Objectclass
Unless specifically noted otherwise, all of the attributes listed in this table are
Single-valued Optional Can be created, updated, and read.
| Attribute Name | Description |
|---|---|
| ou | Cannot be created or updated |
| displayName | Cannot be created or updated |
| DESCRIPTION | Cannot be created or updated |
| SHORT_NAME | Cannot be created or updated |
| NAME | Required |