Active Directory (JNDI)


The Active Directory Connector supports provisioning to Windows servers 2003 / 2008 running Active Directory.

In order to have all the functionalities available with Windows server 2003 you have to raise functional level and forest functional level.

Please take a look at raise forest function level for more details.

This bundle is fully implemented in Java and makes use of JNDI to communicate to Active Directory, hence it does not require any additional module.


To install the Active Directory connector, add the bundle JAR file to a directory on your disk. If your application has a dedicated directory for connector bundles, put the file in that directory. For example, Apache Syncope looks for connector bundles in the configured bundles directory.

Supported Operations

The Active Directory connector supports the following operations:

  • Authentication
  • Create
  • Update
  • Delete
  • Get (read)
  • Schema (ask for schema)
  • Search
  • Sync
  • Test
  • Validate


The following table lists all the configuration properties you can specify when setting up the Active Directory connector:

Configuration PropertyRequiredTypeDefault ValueDescription

Use SSL to perform password provisioning.

Every operation can be performed by using a non-SSL connection: the only limitation is about user creation: active users cannot be created because password values cannot be provisioned.

Server hostnameXString
Active Directory server on which to connect
Server port

AD SSL port on which to connect.

Plain connection is possible. See SSL property for known limitations.

String array
An array of LDAP URLs specifying failover servers. If the connector cannot make a connection to the server specified in thehost property, it will try connecting to these failover servers in the specified order.
Distinguished name (DN) of the Active Directory entry under to perform provisioning operations
Principal password
Password corresponding to the entry specified in the principal property
Base contexts for user entry searchesXString array
DN of context to be used as starting point for account searches. The connector ignores any entries outside these base contexts but the default people container.
Base contexts for group entry searches
String array
DN of context to be used as starting point for group searches. The connector ignores any entries outside these base contexts but the default group container.
Default people container
Default people container to be used during create in case of entry DN is not explicitly provided.
Default group container
Default group container to be used during create in case of entry DN is not explicitly provided.
Entry object classes
String array{ "top", 
"user" }
Object classes to which the ACCOUNT object class is mapped.
Custom user search filter
LDAP search filter for accounts. When searching for accounts, the connector only considers those accounts that match the specified filter.
Custom group search filter
LDAP search filter for groups. When searching for groups, the connector only considers those groups that match the specified filter.
Root suffixesXString array
Base context DNs to use for synchronization. The connector ignores any changes outside of these base contexts.
Object classes to synchronize
String array"user"

User object classes to synchronize. The connector ignores any changes if it cannot find any of the modified entry's object classes in this property.

Groups to identify users to synchronize. The connector ignores any changes about users not member of indicated groups
Retrieve deleted users
BooleantrueIndicate if deleted users must be synchronized also.
Retrieve deleted groups
BooleantrueIndicate if deleted groups must be synchronized also.
Trust all certs
BooleanfalseIndicate if all server certificates must be trusted.
Verify memberships in 'OR'
BooleanfalseIndicate if specified memberships must be verified using 'OR' logical operator.
User search scope
StringsubtreeChoose object, onlevel or subtree
Group search scope
StringsubtreeChoose object, onlevel or subtree
Group members reference attribute
StringmemberGroup attribute referencing (by DN) the users members of a group
Group owner reference attribute
StringmanagedByGroup attribute name referencing (by DN) the owner
Null token is the latest

Reset null token value to the latest (sync with null token won't return any result).

Permit password update only

Permit password update only.

Create/delete operation will be denied while other attributes update requests will be ignored.

If checked and a password update is requested then user status (UAC value) won't be changed unless “User must change password at next logon” is set. In that case this flag is removed and the password is accepted as the default password.

Conservative membership policy
BooleanfalseConservative management of assigned groups. The groups already assigned to an user on AD will not be removed.
Exclude attribute changes on update
BooleanfalseExclude attribute changes on update. The only operations allowed will be the assignment and removal of groups.

Main configuration notes

  1. Active Directory connector provides password provisioning using a secure connection only. ADs port must be always provided.
  2. Provided Memberships (a list of group DNs) will be used to compose the user (not group) search filter on memberOf attribute.
    Each membership will be evaluated in or/and based on Verify memberships in 'OR'.
  3. Provided Custom user search filter/Custom group search filter will be used to compose (in AND) the user/group search filter.
  4. Object classes to synchronize will be the first filter applied to retrieve users to be synchronized.
    All the users matching this first filter will be filtered again with the second filter based on memberships, verify memberships in 'OR' and custom user search filter.
  5. There are no specific parameter to specify group object classes to be synchronized.
    All the groups (identified by the object classes top and group) to be synchronized will be filtered by custom group search filter (if provided).
  6. Use retrieve deleted users to synchronize user deletions.
  7. Use retrieve deleted groups to synchronize group deletions.
  8. Check trust all certs to avoid server certificate validation (to be used if no CA certificate available or server certificate cannot be validated).
  9. Perform the first synchronization by performing a full search upfront. See the following suggested steps:
    a. search users to be synchronized by the Search feature provided by the connector (providing your custom ldap filter if needed);
    b. check Null token is the latest;
    c. perform your synchronization (just needed to initialize the syncToken to the lates operation - no results will be returned);
    e. schedule your future synchronizations .... 

The following images show a sample configuration provided on Apache Syncope.


Advanced user management

  1. You can unlock user by performing an update sending lockoutTime boolean attribute to true.
  2. You can reset user password change mandatory constraint by performing an update sending pwdLastSet boolean attribute to true.
  3. You can set/unset user cannot change password condition by performing an update or create sending userCannotChangePassword boolean attribute to true/false respectively.
  4. You can set/unset "don't expire password" by performing an update or create sending passwordNeverExpires boolean attribute to true/false respectively (available from 1.2.7, 1.3.5).
  5. You can specify a primary group ID for an object by performing a create/update operation including  the DN of the primary group to be specified into the set of provisioning attributes.
    Use the special attribute primaryGroupDN to send this information.
    Please note that this specific feature is available from 1.2.3 onwards.