Active Directory
Description
The Active Directory connector scans a Windows domain controller via LDAP or LDAPS to discover user accounts, computer accounts, group memberships, and privilege assignments. It is the primary source of identity data in most OrbisID deployments and is typically scanned first within any scan policy.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 (scanned first) |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | Yes |
| Pro | Yes |
| Enterprise | Yes |
Active Directory scanning is available in all editions.
Supported Protocols
| Protocol | Port | Encryption | Recommendation |
|---|---|---|---|
| LDAP | 389 TCP | None | Development / testing only |
| LDAPS | 636 TCP | TLS | Recommended for production |
What OrbisID Discovers
| Data | Source |
|---|---|
| User accounts | objectClass=user |
| Computer accounts | objectClass=computer |
| Group memberships | memberOf attribute |
| Nested group memberships | Recursive member resolution |
| Account status (enabled/disabled/locked) | userAccountControl flags |
| Password never expires | userAccountControl flags |
| Last logon timestamp | lastLogonTimestamp |
| Service accounts | servicePrincipalName attribute presence |
| Administrative group members | Domain Admins, Enterprise Admins, Schema Admins, Administrators |
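The decoding behind that table, as an added illustration rather than OrbisID's own code: it interprets userAccountControl bits, converts lastLogonTimestamp from Windows FILETIME, resolves nested memberOf chains (with cycle protection) and flags service and administrative accounts. The directory entries, DNs and attribute values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values) and the admin groups the page lists
ACCOUNTDISABLE, LOCKOUT, DONT_EXPIRE_PASSWORD = 0x0002, 0x0010, 0x10000
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample entries standing in for LDAP search results (DN -> attributes)
SAMPLE_DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example,DC=com": {
        "userAccountControl": 0x10200, "lastLogonTimestamp": 133500000000000000,
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example,DC=com"]},
    "CN=svc-sql,OU=Service,DC=corp,DC=example,DC=com": {
        "userAccountControl": 0x0202, "lastLogonTimestamp": 0, "memberOf": [],
        "servicePrincipalName": ["MSSQLSvc/sql01.corp.example.com:1433"]},
    "CN=Helpdesk,OU=Groups,DC=corp,DC=example,DC=com": {
        "memberOf": ["CN=Administrators,CN=Builtin,DC=corp,DC=example,DC=com"]},
    "CN=Administrators,CN=Builtin,DC=corp,DC=example,DC=com": {"memberOf": []},
}

def account_status(uac):
    # Decode the bitmask; the LOCKOUT bit is seldom populated by modern DCs,
    # so a scanner should also consult lockoutTime before reporting "locked".
    return {"enabled": not uac & ACCOUNTDISABLE, "locked": bool(uac & LOCKOUT),
            "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD)}

def filetime_to_datetime(ft):
    # lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means never set
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def resolve_groups(directory, dn, seen=None):
    # Recursive memberOf walk; 'seen' collects results and also breaks nesting cycles
    seen = set() if seen is None else seen
    for group in directory.get(dn, {}).get("memberOf", []):
        if group not in seen:
            seen.add(group)
            resolve_groups(directory, group, seen)
    return seen

def group_cn(dn):
    return dn.split(",")[0].split("=", 1)[1]

def summarize(directory, dn):
    # One row per account, mirroring the "What OrbisID Discovers" table
    entry, groups = directory[dn], resolve_groups(directory, dn)
    return {**account_status(entry["userAccountControl"]),
            "groups": sorted(group_cn(g) for g in groups),
            "is_admin": any(group_cn(g) in ADMIN_GROUPS for g in groups),
            "is_service_account": bool(entry.get("servicePrincipalName")),
            "last_logon": filetime_to_datetime(entry["lastLogonTimestamp"])}
```

Note that alice is reported as administrative only through the nested Helpdesk -> Administrators chain, which a flat memberOf read would miss.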
Connection Requirements
Credential Requirements
The credential used for scanning must be a domain account with read access to the directory.
Minimum permissions:
- Member of Domain Users (default read access is sufficient for most data)
- Read access to the domain partition in Active Directory
A standard domain user account is typically sufficient even for comprehensive discovery (all attributes and nested groups); no elevated privileges are required.
Network Requirements
| Requirement | Detail |
|---|---|
| DNS resolution | The domain controller hostname must resolve from the OrbisID server (or On-Premise Agent) |
| Port 389 or 636 | Must be accessible from the OrbisID server or agent |
| LDAPS certificate | If using LDAPS (port 636), the domain controller certificate must be trusted |
Configuration Steps
- Navigate to Systems in the sidebar
- Click Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., corp.example.com) |
| Hostname / IP | FQDN or IP of the domain controller |
| Port | 389 (LDAP) or 636 (LDAPS) |
| OS Type | Active Directory |
| System Type | Directory Service |
| Credential | A domain account with directory read access |
- Click Test Connection to verify connectivity and authentication
- Click Save
Use LDAPS (port 636) in production environments to encrypt credentials in transit. If the domain controller uses an internal CA, ensure the CA certificate is trusted by the OrbisID server.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Connection test fails with LDAP: error code 49 | Invalid username or password | Verify the credential is correct and the account is not locked |
| Connection test fails with Connection refused | Port blocked or wrong hostname | Check network connectivity and firewall rules on port 389/636 |
| Connection test fails with certificate error | LDAPS certificate not trusted | Install the domain CA certificate on the OrbisID host or switch to LDAP for testing |
| Scan completes but no accounts found | Incorrect base DN or restricted account | Verify the credential has read access; check LDAP base DN configuration |
| Missing group memberships | Incomplete traversal | Nested group resolution requires read access to all referenced groups |