Most Active Directory user and group provisioning can be performed over the LDAP protocol alone. There are some limitations, but the most common actions can be done over LDAP.
ForgeRock recommends using the LDAP connector with AD whenever possible. It avoids introducing the remote connector server into the overall deployment, and it offers better performance.
Handling Operational Attributes
OpenICF defines several operational attributes for managing generic account policies:
- ENABLE: Gets/sets the enabled status of an object.
- ENABLE_DATE: Gets/sets the enable date for an object.
- DISABLE_DATE: Gets/sets the disable date for an object.
- LOCK_OUT: Gets/sets the lock-out status of an object.
- PASSWORD_EXPIRED: Gets/sets the password-expired flag for an object.
We want to map these operational attributes to the AD user account policy attributes.
In Active Directory, most dates (for example accountExpires, pwdLastSet and lockoutTime) are stored as the number of 100-nanosecond intervals since January 1, 1601 (UTC), held in a 64-bit integer.
OpenIDM recommends using an ISO 8601 compliant string in the yyyy-MM-dd'T'HH:mm:ssZ format, such as:
The LDAP connector converts dates from the AD format to the preferred ISO 8601 format.
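The following is an added, stand-alone example (not OpenIDM's or the LDAP connector's own code) of the two pieces discussed above: the conversion between AD's 100-nanosecond-interval timestamps and ISO 8601 strings, and the derivation of the OpenICF operational attributes from an AD entry. The attribute choices for that derivation (the userAccountControl bit 0x2 for ENABLE, accountExpires for DISABLE_DATE, lockoutTime for LOCK_OUT, pwdLastSet = 0 for PASSWORD_EXPIRED) are standard AD semantics assumed here; the sample entry is constructed, not real directory data.

```javascript
// Added example: AD FILETIME <-> ISO 8601 conversion and OpenICF operational
// attribute derivation. Not OpenIDM's own conversion code.

// Offset between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01),
// in 100-ns intervals: 11644473600 s * 10^7. AD values such as
// 130000000000000000 exceed 2^53, so they do not fit a JS Number; use BigInt.
const EPOCH_DIFF_100NS = 116444736000000000n;
const TICKS_PER_MS = 10000n;

// AD uses 0 and 2^63-1 as "not set" / "never" sentinels (e.g. accountExpires).
const NEVER = 9223372036854775807n;

// Convert an AD FILETIME (decimal string, number or BigInt) to 'yyyy-MM-ddTHH:mm:ssZ'.
// Returns null for missing values and for the sentinels, which have no calendar meaning.
function adTimeToIso(value) {
  if (value === undefined || value === null || value === '') return null;
  const ticks = BigInt(value);
  if (ticks === 0n || ticks === NEVER) return null;
  const ms = (ticks - EPOCH_DIFF_100NS) / TICKS_PER_MS; // drops sub-millisecond precision
  return new Date(Number(ms)).toISOString().replace(/\.\d{3}Z$/, 'Z');
}

// Convert an ISO 8601 string back to the AD FILETIME decimal string that LDAP expects.
function isoToAdTime(iso) {
  const ms = Date.parse(iso);
  if (Number.isNaN(ms)) throw new Error('invalid ISO 8601 date: ' + iso);
  return (BigInt(ms) * TICKS_PER_MS + EPOCH_DIFF_100NS).toString();
}

// userAccountControl flag meaning "account disabled" (assumed standard AD semantics).
const ADS_UF_ACCOUNTDISABLE = 0x2;

// Derive the OpenICF operational attributes (their real names are __ENABLE__ etc.)
// from the raw string values an LDAP search returns for an AD user.
function operationalAttributes(entry) {
  const uac = Number(entry.userAccountControl || 0);
  return {
    __ENABLE__: (uac & ADS_UF_ACCOUNTDISABLE) === 0,
    __DISABLE_DATE__: adTimeToIso(entry.accountExpires),
    // lockoutTime is reset to 0 on unlock, but a non-zero value whose lockoutDuration
    // has already elapsed is still returned; the authoritative current state is the
    // UF_LOCKOUT bit (0x10) of msDS-User-Account-Control-Computed.
    __LOCK_OUT__: BigInt(entry.lockoutTime || 0) !== 0n,
    // pwdLastSet = 0 means "user must change password at next logon".
    __PASSWORD_EXPIRED__: BigInt(entry.pwdLastSet || 0) === 0n,
  };
}

// Constructed sample entry (not real directory data).
const sampleEntry = {
  sAMAccountName: 'jdoe',
  userAccountControl: '514',              // 512 NORMAL_ACCOUNT | 2 ACCOUNTDISABLE
  accountExpires: '130000000000000000',   // 2012-12-14T23:06:40Z
  pwdLastSet: '0',                        // must change password
  lockoutTime: '0',
};

console.log(operationalAttributes(sampleEntry));
console.log(isoToAdTime('2012-12-14T23:06:40Z'));
```

Note that the two directions are not exactly inverse for arbitrary input: the AD value carries 100-ns resolution while the ISO string carries seconds, so a round trip through `adTimeToIso` and back truncates. Comparisons against values read from AD should therefore be done on the converted ISO strings, not on the raw integers.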
This is the minimal list of attributes that need conversion: