Skip to end of metadata
Go to start of metadata

It is possible to perform most of Active Directory user/group provisioning using pure LDAP protocol. There are some limitations but most commons actions can be done over LDAP

Forgerock recommends to use the LDAP connector with AD whenever possible. It avoids the introduction of the remote connector server in the overall deployment. And, last but not least, it offer better performance.


Handling Operational Attributes

OpenICF has several Operational attributes to manage generic account policies:

  • ENABLE : Gets/sets the enable status of an object.
  • ENABLE_DATEGets/sets the enable date for an object.
  • DISABLE_DATEGets/sets the disable date for an object.
  • LOCK_OUTGets/sets the lock out attribute for an object.
  • PASSWORD_EXPIREDGets/sets the password expired for an object.


We want to map these operational attributes to AD user account policy

Handling Dates

In Active Directory, most of the Dates are represented by the number of 100-nanosecond intervals since January 1, 1601 (UTC).


pwdLastSet: 130698687542272930

OpenIDM recommends the usage of ISO 8601 compliant string with yyyy-MM-dd'T'HH:mm:ssZ format like: 


The LDAP connector will convert any dates with AD format to preferred ISO 8601 format.

This is the minimal list of attributes that need conversion:

  • pwdLastSet
  • accountExpires
  • lockoutTime
  • lastLogon


  • No labels