LDAP Connector

SailPoint’s LDAP connector offers a generic solution for managing access for LDAP accounts and groups across different flavors of LDAP.


Support Level: SailPoint Delivered

Connectors developed by SailPoint's Engineering team and supported under annual SailPoint support and maintenance. Reach out to SailPoint support for assistance.


Supported Use Cases

  • Full Account Aggregation
  • Single Account Aggregation
  • Delta Account Aggregation
  • Full Entitlement Aggregation
  • Full Group Aggregation
  • Single Group Aggregation
  • Delta Group Aggregation
  • Create Account Provisioning
  • Update Account Provisioning
  • Delete Account Provisioning*
  • Create Group Provisioning*
  • Update Group Provisioning*
  • Delete Group Provisioning*
  • Enable / Disable Account Provisioning
  • Unlock Account Provisioning
  • Change Account Password
  • Add Entitlement(s)
  • Remove Entitlement(s)

*This feature is currently supported only with the IdentityIQ platform.

Supported Versions

  • IBM Security Directory Server (formerly known as Tivoli Directory Server) version 6.4, 6
  • Novell eDirectory (NetIQ) version 9.1, 9.0, 8.
  • Microsoft ADAM 2019, 2016, 2012 R2, 2012
  • Oracle Internet Directory version 12c and 11gR2
  • OpenLDAP version 2.5, 2.4, 2
  • SunOne ODSEE (Deprecated, EOL July 2022) 


Related Documentation

  • IBM Tivoli: IDN Doc for IBM Tivoli, IIQ Docs
  • MicroFocus Novell: IDN Doc for MicroFocus Novell
  • Microsoft Lightweight Directory Server (ADAM): IDN Doc for Microsoft Lightweight Directory Server
  • Oracle Internet Directory: IDN Doc for Oracle Internet Directory
  • OpenLDAP: IDN Doc for OpenLDAP
  • SunOne ODSEE: IDN Doc for SunOne ODSEE
  • Other Connectors: All Supported IDN Connectors


Contact Us

SailPoint Support

SailPoint Professional Services


@neelam_futane  - The SailPoint LDAP Connector Guide for 8.1 Patch 2 mentions support for Unlock for Novell eDirectory, Oracle Internet Directory, IBM Tivoli, and SunOne-Direct. However, in "Attributes for Unlock Feature," for the lockAttr and unlockAttr it does not provide the required values for each, instead referencing "Depend on LDAP type OR any custom attributes set in customer env for lock"

Is there a reference/guide of a list of attributes required for each LDAP type?


The LDAP connector provides the flexibility to configure the attribute name and its respective value for the lock/unlock operation.

This flexibility is mainly given for the below purposes.

1. These attribute names and values differ across various LDAP flavours.

2. Also, the user can configure a customised account attribute if configured in the account.

We need to mention the attribute name and its value against the below keys.

<entry key="lockAttr" value=" Attribute Name "/>

<entry key="lockVal" value=" Attribute value "/>


e.g. IBM

For Lock:

<entry key="lockAttr" value="ibm-pwdAccountLocked"/>

<entry key="lockVal" value="true"/>

For unlock:

<entry key="lockAttr" value="ibm-pwdAccountLocked"/>

<entry key="lockVal" value="False"/>

This we will update in the documentation.


Is there a reference/guide of a list of attributes required for each LDAP type?

Currently we don’t have such documentation. We would like to know which LDAP flavour you are looking for.

Hi @Ashwin_Tamhane ,

Apologies, I missed the notification of your reply. 

I was specifically looking for IBM Tivoli, but adding an appendix of the standard values for each of the specific attributes for each LDAP flavor in a future documentation update would be helpful for all end users.



What is the logger name, if we have to enable debug?
like openconnector.connector.GoogleAppsDirect

Version history
Revision #: 15 of 15
Last update: Jul 25, 2022 03:14 PM