
LDAP
The LDAP Connector integrates with LDAP-compliant directory services, including Microsoft Active Directory, to synchronize identity and infrastructure data into the Brinqa platform. It retrieves users, computers, groups, printers, sites, and subnets using the LDAP protocol with support for SSL/TLS, StartTLS, and paged search results.
Data retrieved from LDAP
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| User | Yes | Person |
| Computer | Yes | Host |
| Group | Yes | Group |
| Printer | Yes | - |
| Site | Yes | - |
| Subnet | Yes | - |
Model relationships
For detailed steps on how to view the data retrieved from LDAP in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select LDAP from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Hostname | Yes | my.ldap.server | The name or IP address of the host where the LDAP server is running. |
| Port | Yes | 389 | TCP/IP port number used to communicate with the LDAP server. The default is 389. |
| Principal | Yes | cn=manager | The distinguished name with which to authenticate to the LDAP server. |
| Password | Yes | - | Password for the principal. |
| Base context | Yes | ou=Acme,dc=example,dc=com | Starting point in the LDAP tree that will be used when searching the tree. Searches are performed when discovering users from the LDAP server. |
| Page size | Yes | 500 | Size of the batch of objects to process during search. This attribute must be less than the maximum search limit for the target directory. |
| User object classes | No | - | Specifies additional LDAP object classes to include when retrieving attributes for entries of the person object class. This allows access to custom attributes defined through schema extensions. |
| SSL/TLS | No | false | Use a secure connection. |
| Use STARTTLS | No | false | Upgrade a non-encrypted connection by wrapping it with SSL/TLS. |
| SSL/TLS protocol | No | TLSv1.2 | Specify one of these acceptable SSL/TLS protocol values: TLSv1, TLSv1.1, TLSv1.2 |
| Trust all | No | false | Trust all hostnames and certificates. |
How to obtain LDAP credentials
The connector uses the LDAP protocol (not HTTP/REST), so it does not exchange an OAuth/bearer token over an HTTP endpoint. Authentication is performed via Simple Bind (principal DN + password) on a TCP connection to the directory server. Because there is no HTTP token exchange, the standard request-endpoint / request-headers / request-body / token-response tables are not applicable.
Obtain the required credentials (host, port, principal, credentials, baseContext, pageSize) from your LDAP administrator or the LDAP admin console, then enter them in the connection settings above.
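With the defaults in the table above (port 389, SSL/TLS and Use STARTTLS both false), the Simple Bind password crosses the network unencrypted. The lint below is an added example, not Brinqa code; it assumes the settings are available as a dict keyed by the setting names in the table, and the finding codes and sample values are constructed.

```python
# Added example: lint LDAP connector settings for weak transport choices.
# Keys reuse the setting names from the table; the dict layout is an assumption.
DEFAULTS = {"Port": 389, "Password": "", "SSL/TLS": False,
            "Use STARTTLS": False, "SSL/TLS protocol": "TLSv1.2",
            "Trust all": False}
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996


def audit_settings(settings):
    """Return sorted (severity, code) findings for one integration's settings."""
    cfg = {**DEFAULTS, **settings}
    encrypted = cfg["SSL/TLS"] or cfg["Use STARTTLS"]
    findings = []
    if not encrypted:
        # Simple Bind sends the principal DN and password as-is on the wire.
        findings.append(("high", "cleartext-bind"))
    if encrypted and cfg["Trust all"]:
        # No certificate or hostname validation, so the server is not
        # authenticated and the encrypted channel can terminate anywhere.
        findings.append(("high", "trust-all"))
    if encrypted and cfg["SSL/TLS protocol"] in DEPRECATED_PROTOCOLS:
        findings.append(("medium", "deprecated-protocol"))
    if cfg["SSL/TLS"] and not cfg["Use STARTTLS"] and cfg["Port"] == 389:
        # 389 is the plain LDAP / StartTLS port; LDAPS conventionally uses 636.
        findings.append(("low", "ldaps-on-389"))
    if not cfg["Password"]:
        # RFC 4513: a DN with an empty password is an unauthenticated bind.
        findings.append(("high", "empty-password"))
    return sorted(findings)


# Constructed sample settings (not from a real deployment).
PAGE_DEFAULTS = {"Hostname": "my.ldap.server", "Port": 389,
                 "Principal": "cn=manager",
                 "Password": "example-only-placeholder"}
HARDENED = {**PAGE_DEFAULTS, "Port": 636, "SSL/TLS": True}
LAB_SHORTCUT = {**HARDENED, "Trust all": True, "SSL/TLS protocol": "TLSv1"}

if __name__ == "__main__":
    for name, sample in [("page defaults", PAGE_DEFAULTS),
                         ("hardened", HARDENED),
                         ("lab shortcut", LAB_SHORTCUT)]:
        print(name, audit_settings(sample))
```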
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
User
| Source Field Name | SDM Attribute |
|---|---|
| (constant) | CATEGORIES |
| (schema-declared) | STATUS |
| department | DEPARTMENT |
| description / fallback to NAME | DESCRIPTION |
| displayName / cn / name / userPrincipalName / sAMAccountName | NAME |
| distinguishedName (normalized) | UID |
| givenName | FIRST_NAME |
| homePhone, telephoneNumber, otherTelephone, mobile, otherMobile, pager, otherPager, facsimileTelephoneNumber, otherFacsimileTelephoneNumber, ipPhone, otherIpPhone | PHONE_NUMBERS |
| mail | EMAILS |
| manager | REPORTS_TO |
| manager | MANAGERS |
| sAMAccountName | USERNAME |
| sn | LAST_NAME |
| title | JOB_TITLE |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Computer
| Source Field Name | SDM Attribute |
|---|---|
| (constant) | CATEGORIES |
| description / operatingSystem / fallback to NAME | DESCRIPTION |
| displayName / dNSHostName / name / cn / distinguishedName | NAME |
| distinguishedName (normalized) | UID |
| dNSHostName | DNS_NAMES |
| dNSHostName (filtered) | PRIVATE_DNS_NAMES |
| dNSHostName (filtered) | PUBLIC_DNS_NAMES |
| dNSHostName (normalized) | HOSTNAMES |
| operatingSystem + operatingSystemVersion | OPERATING_SYSTEM |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Group
| Source Field Name | SDM Attribute |
|---|---|
| distinguishedName (normalized) | UID |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Printer
| Source Field Name | SDM Attribute |
|---|---|
| distinguishedName (normalized) | UID |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Site
| Source Field Name | SDM Attribute |
|---|---|
| distinguishedName (normalized) | UID |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Subnet
| Source Field Name | SDM Attribute |
|---|---|
| distinguishedName (normalized) | UID |
| whenChanged | SOURCE_LAST_MODIFIED |
| whenCreated | SOURCE_CREATED_DATE |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
User
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of matching person/user entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option) |
| Scope | SUB (subtree) |
| Filter | (&(\|(objectClass=person)(objectClass=user))(!(objectClass=computer))) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for inetOrgPerson, user, securityPrincipal (plus any additionalUserObjectClasses) |
| Pagination | Simple Paged Results Control; page size from pageSize config |
Computer
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of computer entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option) |
| Scope | SUB (subtree) |
| Filter | (objectClass=computer) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for computer object class |
| Pagination | Simple Paged Results Control; page size from pageSize config |
Group
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of group entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option) |
| Scope | SUB (subtree) |
| Filter | (objectClass=group) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for group object class |
| Pagination | Simple Paged Results Control; page size from pageSize config |
Printer
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of printqueue entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option) |
| Scope | SUB (subtree) |
| Filter | (objectClass=printqueue) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for printqueue object class |
| Pagination | Simple Paged Results Control; page size from pageSize config |
Site
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context; if it does not contain CN=Configuration, the connector prepends it automatically). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of site entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option); if it does not contain cn=configuration, the connector prepends "CN=Configuration," to it |
| Scope | SUB (subtree) |
| Filter | (objectClass=site) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for site object class |
| Pagination | Simple Paged Results Control; page size from pageSize config |
Subnet
Operation options
| Key | Description |
|---|---|
| context | Overrides the LDAP search base for this operation (defaults to the configured Base context; if it does not contain CN=Configuration, the connector prepends it automatically). |
| filter | A native LDAP filter string that is AND-combined with the model's object-class filter. |
| pageSize | Overrides the configured Page size for this operation. |
Delta sync
Not supported. The connector performs a full paged search of subnet entries on every run and applies no incremental date filter. Source timestamps whenCreated and whenChanged are surfaced as SOURCE_CREATED_DATE / SOURCE_LAST_MODIFIED.
Data source
| Property | Value |
|---|---|
| Protocol | LDAP (UnboundID LDAP SDK; not HTTP/REST) |
| Operation | LDAP Search request |
| Search Base | baseContext config property (overridable via context option); if it does not contain cn=configuration, the connector prepends "CN=Configuration," to it |
| Scope | SUB (subtree) |
| Filter | (objectClass=subnet) |
| Requested Attributes | All entry attributes; mapped from the LDAP schema for subnet object class |
| Pagination | Simple Paged Results Control; page size from pageSize config |
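The following added example (not the connector's code) models the search request that the Data source tables above describe for each object: the search base, including the CN=Configuration prefix for Site and Subnet, and the filter option AND-combined with the object-class filter. The function names, the operand order inside the AND, and applying the prefix to a context override are assumptions; escape_filter_value applies RFC 4515 escaping so a literal value placed in a filter option cannot change the filter's structure.

```python
# Added example: model of the per-object search request from the tables above.
MODEL_FILTERS = {
    "User": "(&(|(objectClass=person)(objectClass=user))(!(objectClass=computer)))",
    "Computer": "(objectClass=computer)",
    "Group": "(objectClass=group)",
    "Printer": "(objectClass=printqueue)",
    "Site": "(objectClass=site)",
    "Subnet": "(objectClass=subnet)",
}
CONFIG_MODELS = {"Site", "Subnet"}  # searched under CN=Configuration
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a literal for use as an assertion value (RFC 4515, section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_single_filter(ldap_filter):
    """True if the string is exactly one parenthesised filter expression."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
                return False
        elif depth == 0:
            return False  # text outside any parentheses
    return depth == 0 and bool(ldap_filter)


def effective_search(model, base_context, page_size, options=None):
    """Return the base, scope, filter and page size for one sync operation."""
    options = options or {}
    base = options.get("context", base_context)
    # Assumption: the prefix rule applies to whichever base is in effect.
    if model in CONFIG_MODELS and "cn=configuration" not in base.lower():
        base = "CN=Configuration," + base
    search_filter = MODEL_FILTERS[model]
    extra = options.get("filter")
    if extra:
        if not is_single_filter(extra):
            raise ValueError("filter option must be one balanced LDAP filter")
        # Assumption: object-class filter first, option filter second.
        search_filter = "(&" + search_filter + extra + ")"
    return {"base": base, "scope": "SUB", "filter": search_filter,
            "page_size": int(options.get("pageSize", page_size))}


if __name__ == "__main__":
    # Constructed department value containing characters that need escaping.
    opts = {"filter": "(department=" + escape_filter_value("R&D (EMEA)") + ")"}
    print(effective_search("User", "ou=Acme,dc=example,dc=com", 500, opts))
    print(effective_search("Site", "dc=example,dc=com", 500))
```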
Changelog
The LDAP connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.12 | Bug Fixes - Fixed an issue where Active Directory date/time attributes with sentinel values (e.g., "not set" or "never expires") could produce invalid or out-of-range timestamps, causing sync failures due to Parquet timestamp overflow errors. AD sentinel values (0, -1, Long.MAX_VALUE) and dates outside 1970–9999 are now returned as null instead of unreasonable far-future dates. Improvements - Improved Active Directory datetime attribute detection to also match by attribute name, ensuring fields like accountExpires are correctly identified as timestamps regardless of the LDAP server's OID configuration. - Added detailed logging to Windows FILETIME conversion with warn-level messages when sentinel values or out-of-range timestamps are dropped. | N/A |
| 3.1.11 | Improvements - Added detailed Data Source documentation for each model, describing the LDAP search base, filter, scope, requested attributes, and pagination strategy used during synchronization. | N/A |
| 3.1.10 | Improvements - Upgraded internal framework to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.1.9 | Improvements - Changed schema initialization in LdapModel from eager (constructor) to lazy with synchronized access, deferring the LDAP connection until the schema is first requested. - Made schema and attributeInfoMap fields non-final to support lazy initialization. - getAttributeInfoMap() now calls schema() internally to ensure lazy initialization has occurred. - Improved unsupported attribute type log message to include the syntax OID (attributeType={syntaxOID}) alongside the attribute name. Fixed - Fixed NullPointerException in User.getUserCustomObjectClasses() when additionalUserObjectClasses configuration property is blank or null; it now returns Collections.emptyList() instead of attempting to split a blank string. | N/A |
| 3.1.8 | Added - New configuration property additionalUserObjectClasses that allows specifying additional LDAP object classes for retrieving custom user attributes defined through schema extensions. - Display and help text for the new property in Messages.properties. Changed - Refactored getUserCustomObjectClasses to return a List instead of an array. - Removed the flags attribute from the additional user object classes configuration property. Fixed - Updated help text for the additional user object classes property to clarify its purpose. - Fixed grammar error in help text for additional user object classes in Messages.properties. | N/A |
| 3.1.7 | New Features: Broader Person Coverage - The User sync now includes standard LDAP person object classes (person / inetOrgPerson) in addition to Active Directory user accounts. Human users from non-Active-Directory directories (and additional person records previously skipped) are now retrieved. Computer accounts continue to be excluded from the User model. | N/A |
| 3.1.6 | Improvements - Hardened the handling of multi-valued and single-valued attribute values during synchronization for more consistent, reliable attribute population. | N/A |
| 3.1.5 | Improvements - Attribute matching is now case-insensitive, so directory attributes are mapped reliably regardless of the casing returned by the server. - Schema is now loaded once and reused, reducing redundant directory lookups during synchronization. | N/A |
| 3.1.4 | Bug Fixes: Active Directory Timestamp Conversion - Corrected the conversion of Active Directory time attributes (such as last logon and password-last-set). Previously these timestamps were computed incorrectly and produced invalid date values; they now resolve to the correct date and time. | User / Computer: Date attributes sourced from Active Directory time fields now resolve to corrected values. Re-sync the connector so existing records are refreshed with the corrected timestamps. |
| 3.1.3 | Bug Fixes - Fixed an error that could occur during synchronization when an expected attribute was absent from a directory entry. Missing attributes are now skipped safely instead of interrupting the sync. | N/A |
| 3.1.2 | Improvements: Computer Host Attributes - Consolidated computer host and DNS data onto the multi-valued hostname and public DNS name attributes, removing the deprecated single-value equivalents. | Computer: The deprecated single-value hostname and public DNS name attributes (and their use as identifiers) have been removed in favor of the multi-valued equivalents. Re-sync the connector so Computer assets are rematched on the current identifiers. |
| 3.1.1 | New Features: Trust All Hostnames and Certificates - Added a new "Trust all" configuration option that allows the connector to trust all hostnames and certificates. This eases connectivity to directory servers using self-signed or otherwise untrusted certificates. | N/A |
| 3.1.0 | New Features: Active Directory Support - Added dedicated support for Microsoft Active Directory, including correct interpretation of Active Directory date/time attributes. Improvements - Reworked the directory connectivity and schema-discovery layer for more robust attribute retrieval across directory implementations. Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.9 | Improvements - Custom attributes defined through directory content rules (DIT content rules), including those contributed by auxiliary object classes, are now discovered and synchronized. This surfaces additional schema-extended attributes that were previously not retrieved. | N/A |
| 3.0.8 | Improvements - Removed the fixed per-operation timeout so long-running directory searches against large or slow directories are no longer cut short. | N/A |
| 3.0.7 | Improvements - Removed the fixed connection timeout to improve reliability when establishing connections to directory servers under varying network conditions. | N/A |
| 3.0.6 | Improvements: Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.5 | Improvements: Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.4 | Improvements - Added detailed error logging for connection, schema-retrieval, test, and search failures to make troubleshooting connectivity and synchronization issues easier. | N/A |
| 3.0.3 | Improvements: Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.2 | Improvements - Added connection and operation timeouts to directory connections so the connector fails fast and predictably when a directory server is unreachable or unresponsive. | N/A |
| 3.0.1 | Improvements - Internal code cleanup with no change to connector behavior. | N/A |
| 3.0.0 | Overview The LDAP connector integrates with LDAP-compliant directory services, including Microsoft Active Directory, to synchronize identity and infrastructure data into the Brinqa platform. It retrieves users, computers, groups, printers, sites, and subnets over the LDAP protocol with support for SSL/TLS, StartTLS, and paged search. Category: Directory Services Models | N/A |
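The 3.1.12 entry above describes returning null for Active Directory sentinel values and for dates outside 1970–9999. The sketch below is an added example of that rule in Python, not the connector's implementation; the function names, the attribute-name set (the page names only accountExpires) and the sample entry are assumptions.

```python
# Added example: Windows FILETIME to UTC datetime with the null-on-sentinel rule.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LONG_MAX = 2**63 - 1               # Java Long.MAX_VALUE
SENTINELS = {0, -1, LONG_MAX}      # "not set" / "never expires"
MIN_TS = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_TS = datetime(9999, 12, 31, 23, 59, 59, 999999, tzinfo=timezone.utc)
# Assumed name list, compared case-insensitively.
FILETIME_ATTRS = {"accountexpires", "lastlogon", "lastlogontimestamp", "pwdlastset"}


def filetime_to_datetime(raw):
    """Return an aware UTC datetime, or None for sentinel/out-of-range values."""
    try:
        ticks = int(raw)           # LDAP delivers the value as a decimal string
    except (TypeError, ValueError):
        return None
    if ticks in SENTINELS or ticks < 0:
        return None
    try:
        # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
        ts = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:          # past the year 9999 limit of datetime
        return None
    return ts if MIN_TS <= ts <= MAX_TS else None


def normalize_entry(entry):
    """Convert FILETIME attributes (matched by name) and pass the rest through."""
    return {name: filetime_to_datetime(value)
            if name.lower() in FILETIME_ATTRS else value
            for name, value in entry.items()}


# Constructed sample entry: one "never expires", one real date, one "not set".
SAMPLE = {"sAMAccountName": "jdoe",
          "accountExpires": "9223372036854775807",
          "pwdLastSet": "133485408000000000",
          "lastLogon": "0"}

if __name__ == "__main__":
    for name, value in normalize_entry(SAMPLE).items():
        print(name, value)
```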