Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview
The Active Directory connector (type: activedirectory) uses the LDAP protocol internally to communicate with AD domain controllers. It shares the same configuration field set as the LDAP connector with defaults and conventions optimized for Active Directory environments. The key difference is the type value, which determines internal handling specific to Active Directory.
Use Cases
- On-premises AD SSO migration — Modernize authentication for applications that currently rely on AD domain credentials, Kerberos, or NTLM
- Hybrid AD/cloud identity — Combine Active Directory authentication with cloud identity providers using the Continuity connector for failover
- Attribute lookup from AD — Retrieve AD user attributes (display name, group memberships, email) for header injection into legacy applications
Configuration
Console UI documentation is coming soon. This section will walk you
through configuring this component using the Maverics Console’s visual
interface, including step-by-step screenshots and field descriptions.
Configuration Reference
The Active Directory connector uses the same field set as the LDAP connector. All fields documented on the LDAP connector page apply to type: activedirectory.
| Key | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique connector identifier referenced by app policies and attribute providers |
| type | string | Yes | Must be activedirectory |
| url | string[] | Yes | AD domain controller URLs — supports ldap:// (port 389) and ldaps:// (port 636); multiple URLs enable domain controller failover |
| serviceAccountUsername | string | Yes | Bind DN for the service account (e.g., cn=svc-maverics,ou=Service Accounts,dc=corp,dc=example,dc=com) |
| serviceAccountPassword | string | Yes | Service account password — use secret reference syntax <namespace.key> |
| baseDN | string | Yes | Base DN for LDAP searches (e.g., dc=corp,dc=example,dc=com) |
| usernameSearchKey | string | No | LDAP attribute used for username lookup — use sAMAccountName for AD environments |
| userRDNKey | string | No | Relative Distinguished Name key for user entries |
| enableAuthentication | boolean | No | Enable LDAP bind authentication for end users |
| loginUrl | string | No | URL for the LDAP login form |
| authenticationSearchScope | string | No | LDAP search scope for authentication queries |
| userAttributes | string[] | No | AD attributes to retrieve during searches (e.g., ["sAMAccountName", "mail", "displayName", "memberOf"]) |
| objectClasses | string[] | No | Object classes for the LDAP search filter |
| attributeMapping | map | No | Map Orchestrator attribute names to AD attribute names (e.g., email: "mail") |
| attributeDelimiter | string | No | Delimiter for multi-valued attributes (default: ",") |
| groupBaseDN | string | No | Base DN for group searches |
| groupSearchFilter | string | No | LDAP filter for group membership queries |
| customLogin.templateFile | string | No | Path to a custom HTML login form template |
| tls | string | No | Named TLS profile for the AD connection |
| healthCheck | object | No | Health check monitoring configuration (see Identity Fabric Configuration Reference) |
The activedirectory connector type uses the LDAP protocol internally. It shares the same configuration fields as the LDAP connector. The key difference is the type value, which determines internal handling specific to Active Directory environments.

AD-Specific Notes
- Use sAMAccountName as the usernameSearchKey — In Active Directory environments, users typically log in with their sAMAccountName (e.g., jsmith), not the uid attribute used by generic LDAP directories.
- Multiple url entries support domain controller failover — List multiple domain controller URLs to ensure authentication continues if a DC becomes unavailable. The Orchestrator will try each URL in order.
- For LDAPS, ensure the TLS profile includes AD’s root CA — Active Directory Certificate Services (AD CS) often uses an internal CA. The TLS profile referenced by the tls field must include this CA certificate via caFile.
- Common AD attributes — sAMAccountName (login name), mail (email), displayName (full name), memberOf (group memberships), department, title, manager.
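The following is an added example, not configuration taken from the Maverics documentation or product, that puts the configuration reference and the AD-specific notes above together in one connector definition: LDAPS to two domain controllers for failover, a named TLS profile carrying the AD CS root CA, sAMAccountName as the username search key, and a secret reference for the bind password. The shape of the top-level tls section (a named profile with a caFile key) is assumed from the notes above and should be checked against the Identity Fabric Configuration Reference; the hostnames, DNs, file paths, secret name, and the fullName and groups mapping keys are constructed placeholders.

```yaml
# Added example (not from the Maverics docs or product).
# Assumption: named TLS profiles live under a top-level `tls` map and
# accept a `caFile` path; verify against the Identity Fabric reference.
tls:
  adcs-trust:
    # Root CA exported from AD CS; without it LDAPS fails certificate
    # verification (see Troubleshooting). Constructed path.
    caFile: /etc/maverics/certs/corp-root-ca.pem

connectors:
  - name: corpAD
    type: activedirectory
    # ldaps:// on 636 keeps bind credentials off the wire; the second
    # entry is tried only if the first domain controller is unavailable.
    url:
      - ldaps://dc01.corp.example.com:636
      - ldaps://dc02.corp.example.com:636
    tls: adcs-trust
    # Full bind DN of a read-only service account (constructed).
    serviceAccountUsername: cn=svc-maverics,ou=Service Accounts,dc=corp,dc=example,dc=com
    # Secret reference syntax from the table above; never a literal password.
    serviceAccountPassword: <ad.serviceAccountPassword>
    baseDN: dc=corp,dc=example,dc=com
    # AD users log in as jsmith (sAMAccountName), not uid.
    usernameSearchKey: sAMAccountName
    enableAuthentication: true
    userAttributes:
      - sAMAccountName
      - mail
      - displayName
      - memberOf
    # Orchestrator attribute name -> AD attribute name. `email: mail` is the
    # documented example; fullName and groups are assumed names.
    attributeMapping:
      email: mail
      fullName: displayName
      groups: memberOf
    groupBaseDN: ou=Groups,dc=corp,dc=example,dc=com
```

Keep the ldap:// form for lab use only; in production the bind password and every user password sent through enableAuthentication travel over this connection, so the ldaps:// URLs plus the CA-backed TLS profile are the setting to carry forward.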
Troubleshooting
- Service account permissions — The service account must have read access to the baseDN subtree. In AD, this typically means the account needs “Read all properties” permission on user objects in the target OU.
- LDAPS certificate trust — AD domain controllers use certificates issued by AD CS. Export the root CA certificate and include it in the TLS profile. Without it, LDAPS connections will fail with certificate verification errors.
- Distinguished Name format — AD uses a specific DN format with OUs (e.g., cn=svc-maverics,ou=Service Accounts,dc=corp,dc=example,dc=com). Verify the exact DN using dsquery or Active Directory Users and Computers.
- Group membership depth — The memberOf attribute only shows direct group memberships, not nested groups. For nested group resolution, consider using a group search filter or a Service Extension.