Alert EnterpriseWiki

Active Directory

Microsoft·AE_HSc_ActiveDirectoryConnectorGuide

Data Source
Active Directory on Windows Server (all currently-supported versions)
Status
active
Transports
ldap · ldaps
Direction
bidirectional
Authentication
LDAP bind (service account)
Last updated
2024-12-24

Overview

The Active Directory connector integrates AlertEnterprise with Microsoft Active Directory via LDAP — the long-standing on-prem directory service that remains the source-of-record for users, groups, and group memberships in most enterprise IT environments (especially financial services).

Topology: AlertEnterprise's Alert Connector Framework (ACF) drives the LDAP Adapter, which issues LDAP(S) binds and queries over TCP against the customer's Active Directory deployment. A .NET Web Services Agent is additionally required if the deployment wants to capture user and group changes incrementally (it uses Active Directory's repadmin tool for change detection); without it, AD reconciliation falls back to full-population scans.

Authentication uses LDAP simple-bind credentials (service account DN + password). In production the bind must go over LDAPS (LDAP over TLS): a simple bind sends the password on the wire as-is, so the TLS layer is the only thing protecting it.

Architecture

Composed from this connector's actors + edges. Trust zones are color-coded; trust crossings render as thicker lines.

Diagram: 5 actors · 5 edges

Authentication

1 method supported

LDAP bind (service account)
ldap-bind

The LDAP Adapter binds to AD using a service account DN + password. LDAPS (LDAP over TLS, TCP 636) is strongly recommended in production. The service account needs enough permission to read and modify users and group memberships under the configured base DN; grant those rights by delegation on that base DN rather than by membership in a domain-wide administrative group.

Credential storage
AE connector configuration (encrypted at rest)

Prerequisites

Everything that must be in place for this connector to work, with the owner who's responsible.

LDAP / LDAPS network access to AD domain controllers

customer

The AE host must be able to reach one or more AD domain controllers on TCP 389 (plaintext LDAP, development only: simple-bind credentials and directory data cross the network unencrypted) or TCP 636 (LDAPS, production). Any firewall between the AE host and the domain controllers must allow the chosen port.

AD service account with appropriate permissions

customer

Service account with read + write permissions on the configured base DN. For group membership changes the account needs the delegated Write Members permission (write access to the member attribute of group objects) on the OUs that contain the target groups.

.NET Web Services Agent (optional)

ae

Required only if the deployment wants incremental reconciliation of user and group changes (detected via repadmin). Without it, AD reconciliation runs as full-population scans, which is acceptable for small populations but impractical at scale.

Known limitations

Documented constraints to set customer expectations before deployment.

Incremental reconciliation requires the .NET Web Services Agent

important

The LDAP Adapter alone cannot detect incremental changes; it can only run full-population queries, re-reading every user and membership under the base DN each cycle. Enterprise-scale deployments (10k+ users) typically need the .NET Agent's repadmin-based change detection.
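Full-population reconciliation, as an added example of what the agent-less LDAP Adapter described above has to do each cycle (illustrative code written for this page, not the connector's implementation; both snapshots are constructed). Every membership under the base DN is read again whether or not anything changed, which is the cost that makes the approach impractical at scale. The example also adds the guard a practitioner would want around such a diff: a scan that comes back short looks identical to mass de-provisioning, so removals above a threshold are held rather than applied. Two Active Directory defaults make short scans easy to produce and easy for a client to mishandle: an unpaged search returns at most MaxPageSize entries (1000 by default), and a multi-valued attribute such as member is returned at most MaxValRange values at a time (1500 by default) unless the client uses range retrieval. These figures are AD LDAP policy defaults, not connector settings.

```python
"""Full-population membership reconciliation with a truncation guard.
Added example; not AlertEnterprise code. Snapshots below are constructed.
The two AD_DEFAULT_* values are AD's default LDAP policy limits, not connector settings."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]      # group DN -> member DNs, as read in one full scan

AD_DEFAULT_MAX_PAGE_SIZE = 1000     # entries per unpaged search result
AD_DEFAULT_MAX_VAL_RANGE = 1500     # values of a multi-valued attribute per read


@dataclass
class Reconciliation:
    adds: Dict[str, Set[str]] = field(default_factory=dict)
    removes: Dict[str, Set[str]] = field(default_factory=dict)
    entries_read: int = 0   # memberships read this cycle: the whole population, every time
    changes: int = 0
    held: bool = False      # removals withheld because the scan looks truncated
    reason: str = ""


def suspicious_groups(snapshot: Snapshot, cap: int = AD_DEFAULT_MAX_VAL_RANGE) -> List[str]:
    """Groups whose member count sits exactly on the attribute-range cap: the usual
    sign that `member` was read without range retrieval and came back cut off."""
    return sorted(g for g, members in snapshot.items() if len(members) == cap)


def diff_snapshots(previous: Snapshot, current: Snapshot,
                   max_removal_ratio: float = 0.2) -> Reconciliation:
    """Compare two full scans and list the adds and removes that move AD's last-known
    state to the current one. Removals are held when a group hit the range cap or when
    more than max_removal_ratio of the previous population vanished in a single scan."""
    rec = Reconciliation()
    rec.entries_read = sum(len(m) for m in current.values())
    population = sum(len(m) for m in previous.values())
    for group in sorted(previous.keys() | current.keys()):
        before, after = previous.get(group, set()), current.get(group, set())
        if after - before:
            rec.adds[group] = after - before
        if before - after:
            rec.removes[group] = before - after
    removed = sum(len(m) for m in rec.removes.values())
    rec.changes = removed + sum(len(m) for m in rec.adds.values())
    capped = suspicious_groups(current)
    if capped:
        rec.held, rec.reason = True, f"member attribute hit the range cap on {capped}"
    elif population and removed / population > max_removal_ratio:
        rec.held, rec.reason = True, f"{removed} of {population} memberships vanished in one scan"
    return rec


# Constructed snapshots: previous cycle vs. current cycle under the same base DN.
GROUPS = "OU=Groups,DC=corp,DC=example"
USERS = "OU=Users,DC=corp,DC=example"
PREVIOUS_SCAN: Snapshot = {
    f"CN=AE-Admins,{GROUPS}": {f"CN=alice,{USERS}", f"CN=bob,{USERS}"},
    f"CN=Finance,{GROUPS}": {f"CN=carol,{USERS}", f"CN=dave,{USERS}", f"CN=frank,{USERS}"},
}
CURRENT_SCAN: Snapshot = {   # bob left AE-Admins, erin joined Finance
    f"CN=AE-Admins,{GROUPS}": {f"CN=alice,{USERS}"},
    f"CN=Finance,{GROUPS}": {f"CN=carol,{USERS}", f"CN=dave,{USERS}",
                             f"CN=frank,{USERS}", f"CN=erin,{USERS}"},
}
# A scan that came back empty (DC lost mid-scan, wrong base DN, size limit hit).
TRUNCATED_SCAN: Snapshot = {g: set() for g in PREVIOUS_SCAN}

if __name__ == "__main__":
    print(diff_snapshots(PREVIOUS_SCAN, CURRENT_SCAN))
    print(diff_snapshots(PREVIOUS_SCAN, TRUNCATED_SCAN))
```

Note that entries_read equals the whole current population even when changes is 2: that ratio is the cost the .NET Agent's change detection exists to avoid. A held reconciliation should page an operator rather than be retried automatically; if the next scan is also short, the problem is the scan, not the directory.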

Data fields

3 fields mapped between AE Guardian and the vendor system.

AE field         | Vendor field          | Description | Direction     | Required
User             | AD User Object        | User objects under the configured base DN. The connector reads and writes user attributes per the configured schema mapping. | bidirectional | yes
Group            | AD Group Object       | Security groups and distribution groups. The connector reads group definitions and manages memberships. | bidirectional | yes
Group Membership | AD member / memberOf  | User-to-group memberships. The connector adds and removes memberships during provisioning by writing the group's member attribute; memberOf on the user is a read-only back-link maintained by AD. | bidirectional | yes
Source materials
  • src/connectors/active-directory/source.pdf p7 — Chapter 2, Connector Architecture
  • src/connectors/active-directory/source.pdf p22 — Chapter 5, Security
Verifying access
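The LDAP simple bind described under Authentication, reduced to the bytes it puts on the wire, as an added example for verifying that the service account and the LDAPS prerequisites above are in place. It is not AlertEnterprise or Microsoft code; the DC hostname, service-account DN and password are placeholders, and the AD reply it parses is a constructed sample. Building the BindRequest by hand shows two things a client library hides: the password is a bare OCTET STRING, so on TCP 389 it crosses the network as typed and only the TLS layer protects it on 636; and a code-49 (invalidCredentials) failure from AD carries a `data` sub-code in its diagnostic message that tells a locked-out or disabled service account apart from a wrong password.

```python
"""LDAPv3 simple bind over LDAPS, from the wire format (RFC 4511 / X.690 BER).
Added example for the AE connector page, not vendor code. Placeholders: the DC
hostname, bind DN and password; the AD reply below is a constructed sample."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80   # [APPLICATION 0], [APPLICATION 1], [0]

RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 13: "confidentialityRequired",
                34: "invalidDNSyntax", 49: "invalidCredentials", 53: "unwillingToPerform"}
# AD puts "data NNN" in the diagnostic of a code-49 bind failure; NNN is the real reason.
AD_BIND_SUBCODES = {"525": "user not found", "52e": "bad password", "530": "logon hours",
                    "531": "workstation restriction", "532": "password expired",
                    "533": "account disabled", "701": "account expired",
                    "773": "password must change", "775": "account locked out"}


def ber_length(n: int) -> bytes:
    """Definite BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Two's-complement INTEGER (a leading 0x00 appears when the top bit is set)."""
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple } }.
    The password is a bare OCTET STRING: on TCP 389 it crosses the network as typed."""
    op = ber_integer(3) + tlv(OCTET_STRING, bind_dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_integer(message_id) + tlv(BIND_REQUEST, op))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """The server's half of the exchange (used here to build sample replies offline)."""
    op = tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diagnostic.encode())
    return tlv(SEQUENCE, ber_integer(message_id) + tlv(BIND_RESPONSE, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindResult:
    message_id: int
    result_code: int
    result_name: str
    diagnostic: str
    ad_reason: Optional[str]   # decoded AD sub-code, None if the reply carries none

    @property
    def ok(self) -> bool:
        return self.result_code == 0


def parse_bind_response(pdu: bytes) -> BindResult:
    tag, message, _ = read_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(message)
    tag, op, _ = read_tlv(message, pos)
    if tag != BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)              # resultCode (ENUMERATED)
    _, _matched_dn, pos = read_tlv(op, pos)  # matchedDN (normally empty)
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage
    result_code = int.from_bytes(code, "big")
    text = diag.decode("utf-8", "replace")
    sub = re.search(r"\bdata ([0-9a-f]+)", text)
    return BindResult(int.from_bytes(mid, "big", signed=True), result_code,
                      RESULT_CODES.get(result_code, f"code {result_code}"), text,
                      AD_BIND_SUBCODES.get(sub.group(1)) if sub else None)


def ldaps_bind(host: str, bind_dn: str, password: str, port: int = 636,
               cafile: Optional[str] = None) -> BindResult:
    """Verified TLS to a DC (chain and hostname checked), one simple bind, parsed reply.
    cafile: PEM of the enterprise CA that issued the DC certificate; None = system store."""
    ctx = ssl.create_default_context(cafile=cafile)     # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(tls.recv(4096))     # a BindResponse fits in one record


# Constructed sample of AD's reply to a wrong password (diagnostic text abridged).
SAMPLE_BAD_PASSWORD_REPLY = bind_response(
    1, 49, "80090308: LdapErr: comment: AcceptSecurityContext error, data 52e")

if __name__ == "__main__":
    print(parse_bind_response(SAMPLE_BAD_PASSWORD_REPLY))
    # Live check (placeholders): ldaps_bind("dc01.corp.example",
    #     "CN=svc-ae,OU=Service Accounts,DC=corp,DC=example", "<password>", cafile="corp-ca.pem")
```

An `ssl.SSLCertVerificationError` raised before any LDAP traffic means the DC certificate chain or its subject alternative name is the problem, not the service account; do not work around it by disabling verification. An invalidCredentials result whose ad_reason is "account locked out" or "account disabled" should stop the connector's retries, since further bad binds can keep a locked-out account locked.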