How To

How do I set up the Active Directory Connector in OpenIDM 4.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on setting up the OpenIDM Active Directory® Connector with a .NET® Connector Server.


This article has been archived and is no longer maintained by ForgeRock.

Setting up the Active Directory Connector

Setting up the Active Directory Connector is a two-part process, with the first part carried out on the Active Directory server and the second part on the OpenIDM server.

On the Active Directory server

  1. Check the version of the installed Microsoft® .Net framework. It must be at least version 4.0.30319, otherwise you must update it. 
  2. Download the .msi file for the latest .NET Connector Server from BackStage.
  3. Double-click the openicf-zip-1.x.x.x-dotnet.msi installation file and work through the wizard to install the Connector Server as a Microsoft Windows® service.
  4. Open the Services console and ensure the Connector Server service is listed; this service is called OpenICF Connector Server by default.
  5. Stop the Connector Server service.
  6. Launch the command line and change directory to the directory where you installed the .NET Connector Server. For example, use the following command if you installed it in the default directory: cd "c:\Program Files (x86)\Identity Connectors\Connector Server" then change the encryption key using the following command: ConnectorServer.exe /setkey Passw0rd where Passw0rd is an encryption key of your choosing.
  7. Download the latest AD Connector from BackStage.
  8. Unzip and copy the contents of the zip file to the directory where you installed the .NET Connector Server; this is C:\Program Files (x86)\Identity Connectors\Connector Server by default.
  9. Restart the Connector Server service.

On the OpenIDM server

  1. Copy the provisioner.openicf-ad.json file from the /path/to/openidm/samples/provisioners​ directory to the /path/to/openidm/conf directory.
  2. Edit the provisioner.openicf-ad.json file to update the following properties:
    • LDAPHostName to match your environment.
    • DirectoryAdminName and DirectoryAdminPassword to match your Window's environment.
    • Container to match your Active Directory container if different from the default.
    • bundleVersion to match the version of the Active Directory Connector you installed on the Active Directory server.
  3. Copy the provisioner.openicf.connectorinfoprovider.json file from the /path/to/openidm/samples/provisioners​ directory to the /path/to/openidm/conf directory.
  4. Edit the provisioner.openicf.connectorinfoprovider.json file to change the host and key properties; the key property must match the encryption key you set in step 6 on the Active Directory server.
  5. Ping the OpenIDM server from Windows and then ping the Windows IP from the OpenIDM server to ensure they can talk to each other.
  6. Copy the sync.json file from the /path/to/openidm/samples/sample6/conf directory to the /path/to/openidm/conf directory and make the following changes.
    • Remove the managedUser_systemLdapAccounts mapping as it is not used in this example.
    • Change the source mapping from system/ad/account to system/ActiveDirectory/account to match the name property in the provisioner.openicf-ad.json file.

Testing your setup

You can verify that OpenIDM is connecting to your Active Directory Connector as follows:

  • Make sure there are no warnings or errors in the console log. If OpenIDM is not able to talk to your remote connector you may see an error like this: Remote OpenICF Connector ConnectorReference( connectorHostRef=dotnet bundleName=ActiveDirectory.Connector bundleVersion=[, connectorName=Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector ) could not be located, may not yet be connected to the remote connector server. [OpenICFProvisionerService]OpenIDM version "4.0.0" (revision: 639216c) jenkins-OpenIDM commercial release-18 null
  • Issue a REST command using a REST client to query for all AD users: $ curl --cacert self-signed.crt -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" -X GET "https://localhost:8443/openidm/system/ActiveDirectory/account/?_queryId=query-all-ids"

See Also

How do I enable debug logging and log rotation for the .NET Remote Connector Server (RCS)?

How do I configure the userAccountControl property in the LDAP and .NET Connectors in IDM (All versions)?

OpenIDM Integrator's Guide › Installing and Configuring a .NET Connector Server

OpenIDM Integrator's Guide › Configuring Connectors

OpenIDM Connectors Guide › Active Directory Connector

Microsoft .NET Framework 4 (Standalone Installer)

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.