Active Directory

The Active Directory connector lets you connect to Microsoft's Active Directory and perform read, write, and update operations on the Active Directory objects.

Before you begin

Before using the Active Directory connector, do the following tasks:

  • In your Google Cloud project:
    • Ensure that network connectivity is set up. For information about network patterns, see Network connectivity.
    • Grant the roles/connectors.admin IAM role to the user configuring the connector.
    • Grant the following IAM roles to the service account that you want to use for the connector:
      • roles/secretmanager.viewer
      • roles/secretmanager.secretAccessor

      A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. If you don't have a service account, you must create a service account. The connector and the service account must belong to the same project. For more information, see Creating a service account.

    • Enable the following services:
      • secretmanager.googleapis.com (Secret Manager API)
      • connectors.googleapis.com (Connectors API)

      To understand how to enable services, see Enabling services.

    If these services or permissions have not been enabled for your project previously, you are prompted to enable them when configuring the connector.

  • For information about how to install and configure Active Directory, see Active Directory Installation.

Configure the connector

A connection is specific to a data source. This means that if you have many data sources, you must create a separate connection for each data source. To create a connection, do the following:

  1. In the Cloud console, go to the Integration Connectors > Connections page and then select or create a Google Cloud project.

    Go to the Connections page

  2. Click + CREATE NEW to open the Create Connection page.
  3. In the Location section, choose the location for the connection.
    1. Region: Select a location from the drop-down list.

      For the list of all the supported regions, see Locations.

    2. Click NEXT.
  4. In the Connection Details section, complete the following:
    1. Connector: Select Active Directory from the drop-down list of available connectors.
    2. Connector version: Select the connector version from the drop-down list of available versions.
    3. In the Connection Name field, enter a name for the connection instance.

      Connection names must meet the following criteria:

      • Connection names can use letters, numbers, or hyphens.
      • Letters must be lower-case.
      • Connection names must begin with a letter and end with a letter or number.
      • Connection names cannot exceed 49 characters.
    4. Optionally, enter a Description for the connection instance.
    5. Optionally, enable Cloud logging, and then select a log level. By default, the log level is set to Error.
    6. Service Account: Select a service account that has the required roles.
    7. Optionally, configure the Connection node settings:

      • Minimum number of nodes: Enter the minimum number of connection nodes.
      • Maximum number of nodes: Enter the maximum number of connection nodes.

      A node is a unit (or replica) of a connection that processes transactions. More nodes are required to process more transactions for a connection and conversely, fewer nodes are required to process fewer transactions. To understand how the nodes affect your connector pricing, see Pricing for connection nodes. If you don't enter any values, by default the minimum nodes are set to 2 (for better availability) and the maximum nodes are set to 50.

    8. Note: You can customize the connection node values only if you are a Pay-as-you-go customer.
    9. Base DN: The base portion of the distinguished name, used for limiting results to specific subtrees.
    10. Auth Mechanism: The authentication mechanism to be used when connecting to the Active Directory server.
    11. Follow Referrals: Whether or not to follow referrals returned by the Active Directory server.
    12. Friendly GUID: Whether to return GUID attribute values in a human readable format.
    13. Friendly SID: Whether to return SID attribute values in a human readable format.
    14. LDAP Version: The LDAP version used to connect to and communicate with the server.
    15. Scope: Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only).
    16. Optionally, click + ADD LABEL to add a label to the connection in the form of a key/value pair.
    17. Click NEXT.
  5. In the Destinations section, enter details of the remote host (backend system) you want to connect to.
    1. Destination Type: Select a Destination Type.

      If you want to establish a public connection to your backend systems with additional security, you can consider configuring static outbound IP addresses for your connections, and then configure your firewall rules to allowlist only the specific static IP addresses.

      To enter additional destinations, click +ADD DESTINATION.

    2. Click NEXT.
  6. In the Authentication section, enter the authentication details.
    1. Select an Authentication type and enter the relevant details.

      The following authentication types are supported by the Active Directory connection:

      • Username and password
    2. To understand how to configure these authentication types, see Configure authentication.

    3. Click NEXT.
  7. Review: Review your connection and authentication details.
  8. Click Create.

Configure authentication

Enter the details based on the authentication you want to use.

  • Username and password
    • Username: Username for connector
    • Password: Secret Manager Secret containing the password associated with the connector.

Connection configuration samples

This section lists the sample values for the various fields that you configure when you create an Active Directory connection.

Username password connection type

Field name | Details
Location | us-central1
Connector | Active Directory
Connector version | 1
Connection Name | active-directory-google-cloud-vm-users-conn
Enable Cloud Logging | Yes
Service Account | SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Base DN | BASE_DN
Auth Mechanism | SIMPLE
LDAP Version | 3
Scope | WHOLESUBTREE
Verbosity level | 5
Minimum number of nodes | 2
Maximum number of nodes | 50
Destination Type(Server) | Host address
Host address | 192.0.2.0
Port | PORT
Username | USERNAME
Password | PASSWORD
Secret version | 1

SSL connection type

Field name | Details
Location | us-central1
Connector | Active Directory
Connector version | 1
Connection Name | active-directory-google-cloud-vm-ssl-conn
Enable Cloud Logging | Yes
Service Account | SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Base DN | BASE_DN
Auth Mechanism | SIMPLE
LDAP Version | 3
Scope | WHOLESUBTREE
Verbosity level | 5
Minimum number of nodes | 2
Maximum number of nodes | 50
Enable SSL | Yes
Trust store Private Connection | Yes
Destination Type(Server) | Host address
Host address | 192.0.2.0
Port | PORT
Username | USERNAME
Password | PASSWORD
Secret version | 2

Entities, operations, and actions

All the Integration Connectors provide a layer of abstraction for the objects of the connected application. You can access an application's objects only through this abstraction. The abstraction is exposed to you as entities, operations, and actions.

Note: You can view the entities, operations, and actions of a connector in the Connectors task.
  • Entity: An entity can be thought of as an object, or a collection of properties, in the connected application or service. The definition of an entity differs from connector to connector. For example, in a database connector, tables are the entities, in a file server connector, folders are the entities, and in a messaging system connector, queues are the entities.

    However, it is possible that a connector doesn't support or have any entities, in which case the Entities list will be empty.

  • Operation: An operation is the activity that you can perform on an entity. You can perform any of the following operations on an entity:

    Selecting an entity from the available list generates a list of operations available for the entity. For a detailed description of the operations, see the Connectors task's entity operations. However, if a connector doesn't support any of the entity operations, such unsupported operations aren't listed in the Operations list.

  • Action: An action is a first class function that is made available to the integration through the connector interface. An action lets you make changes to an entity or entities, and varies from connector to connector. Normally, an action will have some input parameters, and an output parameter. However, it is possible that a connector doesn't support any action, in which case the Actions list will be empty.
Note: All entities and actions will have a schema associated with them. For example, an action schema will have the parameter details such as the parameter names and their corresponding data types. The schema (metadata) for entities and actions is fetched by the connection at runtime from your backend. If there are any updates to the schema, such updates won't be automatically reflected in your existing connections; you must manually refresh the schema. To refresh the schema for a connection, open the Connection details page of the connection, and then click Refresh connection schema.

System limitations

The Active Directory connector can process 4 transactions per second, per node, and throttles any transactions beyond this limit. By default, Integration Connectors allocates 2 nodes (for better availability) for a connection.

For information on the limits applicable to Integration Connectors, see Limits.

Note: The number of Integration Connectors nodes will autoscale dynamically based on your usage. However, if you want to reserve capacity for large volumes without waiting for autoscaling, you can adjust the minimum node value for a connection. More nodes are required to process more transactions for a connection. Conversely, fewer nodes are required if a connection processes fewer transactions. To configure the node values, do the following:
  • If you are a pay-as-you-go customer, configure the minimum and maximum node value in the edit connection page.
  • If you are a subscription based customer, contact support.

The maximum transactions that a node can handle depends on various factors. So, before adjusting the minimum nodes for better throughput, it is recommended you check if your backend systems are set up optimally to handle the required traffic.

Actions

This section lists the actions supported by the connector. To understand how to configure the actions, see Action examples.

Note: The results of all the actions will be available as a JSON response in the Connectors task's connectorOutputPayload response parameter after you run your integration.

MoveToDN action

This action moves an object from one DN to another.

Input parameters of the MoveToDN action

Parameter name | Data type | Required | Description
DN | String | Yes | The current DN of the object to be moved on the server (for example, cn=Bob F,ou=Employees,dc=Domain).
NewParentDN | String | Yes | The new parent DN of the object (for example, ou=Test Org,dc=Domain).

For an example of how to configure the MoveToDN action, see Action examples.

GetAttributes action

This action gets attributes of the specified object.

Input parameters of the GetAttributes action

Parameter name | Data type | Required | Description
DN | String | Yes | Distinguished name of the desired LDAP object. If unspecified, the BaseDN from the connection string will be used.

For an example of how to configure the GetAttributes action, see Action examples.

AddMembersToGroup action

This action adds members to a group.

Input parameters of the AddMembersToGroup action

Parameter name | Data type | Required | Description
GroupId | String | Yes | The GroupId that you want to add the users to. Should be the Id of the Group record.
UserDNs | String | Yes | The UserDNs aggregate or temp table that contains the DN of the users to add to the Group. Should be the DN of the User record.

For an example of how to configure the AddMembersToGroup action, see Action examples.

RemoveMembersFromGroup action

This action removes members from a group.

Input parameters of the RemoveMembersFromGroup action

Parameter name | Data type | Required | Description
GroupId | String | Yes | The GroupId of the Group you want to remove users from. Should be the Id of the Group record.
UserDNs | String | Yes | The UserDNs aggregate or temp table that contains the DN of the users to remove from a Group. Should be the DN of the User record.

For an example of how to configure the RemoveMembersFromGroup action, see Action examples.

ResetPassword action

This action resets the password of a user.

Input parameters of the ResetPassword action

Parameter name | Data type | Required | Description
User | String | Yes | The DN of the account to be modified on the server (for example, Domain\\BobF or cn=BobF,ou=Employees,dc=Domain).
NewPassword | String | Yes | The new password for the user specified by DN.
AdminUser | String | Yes | An administrator account or DN with which to bind to the server (for example, Domain\\BobF or cn=BobF,ou=Employees,dc=Domain).
AdminPassword | String | Yes | An administrator account password used to authenticate to the LDAP server.

For an example of how to configure the ResetPassword action, see Action examples.

ChangePassword action

This action changes the password of a user.

Input parameters of the ChangePassword action

Parameter name | Data type | Required | Description
NewPassword | String | Yes | The new password for the user specified by DN.

For an example of how to configure the ChangePassword action, see Action examples.

Action examples

This section describes how to perform some of the actions in this connector.

Example - Move an object from one DN to another

  1. In the Configure connector task dialog, click Actions.
  2. Select the MoveToDN action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"NewParentDN": "CN=Users,DC=gcpad,DC=local","DN": "CN=GoogleAdmin,CN=Computers,DC=gcpad,DC=local"}
  4. If the action is successful, the MoveToDN task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"Success": null,"result": "[ok]","modified": "true","rss:title": "The movement was successful.","resultcode": "0"}]

Example - Get attributes of a DN

  1. In the Configure connector task dialog, click Actions.
  2. Select the GetAttributes action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"DN": "CN=admin,CN=Users,DC=test-ldap,DC=com"}
  4. If the action is successful, the GetAttributes task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"AttributeName": "_op","AttributeValue": "ldapadoGetAttributes"},{"AttributeName": "msds-supportedencryptiontypes","AttributeValue": "24"},{"AttributeName": "usncreated","AttributeValue": "12775"},{"AttributeName": "objectclass","AttributeValue": "organizationalPerson"},{"AttributeName": "objectclass","AttributeValue": "user"},{"AttributeName": "accountexpires","AttributeValue": "9223372036854775807"},{"AttributeName": "name","AttributeValue": "admin"},{"AttributeName": "objectcategory","AttributeValue": "CN=Person,CN=Schema,CN=Configuration,DC=test-ldap,DC=com"},{"AttributeName": null,"AttributeValue": null}]
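The GetAttributes response is a flat list of name/value rows in which multi-valued attributes (objectclass above) repeat and a row of nulls ends the list. The following added example, which is not part of the connector documentation, folds that output into a dictionary and decodes two security-relevant attributes from the sample. The function names are hypothetical, and treating rows whose name starts with an underscore (_op) as connector metadata is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Sample input: the connectorOutputPayload value from the GetAttributes example above.
SAMPLE_OUTPUT = (
    '[{"AttributeName": "_op","AttributeValue": "ldapadoGetAttributes"},'
    '{"AttributeName": "msds-supportedencryptiontypes","AttributeValue": "24"},'
    '{"AttributeName": "usncreated","AttributeValue": "12775"},'
    '{"AttributeName": "objectclass","AttributeValue": "organizationalPerson"},'
    '{"AttributeName": "objectclass","AttributeValue": "user"},'
    '{"AttributeName": "accountexpires","AttributeValue": "9223372036854775807"},'
    '{"AttributeName": "name","AttributeValue": "admin"},'
    '{"AttributeName": "objectcategory","AttributeValue": '
    '"CN=Person,CN=Schema,CN=Configuration,DC=test-ldap,DC=com"},'
    '{"AttributeName": null,"AttributeValue": null}]'
)

# Bit flags of msDS-SupportedEncryptionTypes (Kerberos encryption types).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_ENC_BITS = 0x01 | 0x02 | 0x04

# accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def fold_attributes(payload):
    """Group the flat rows into {lower-cased name: [values]}.

    The all-null terminator row is dropped, and so are rows whose name starts
    with "_" (assumed to be connector metadata, not directory attributes).
    """
    attrs = {}
    for row in json.loads(payload):
        name = row.get("AttributeName")
        if name is None or name.startswith("_"):
            continue
        attrs.setdefault(name.lower(), []).append(row.get("AttributeValue"))
    return attrs


def decode_enc_types(value):
    """Return the encryption type names set in an msDS-SupportedEncryptionTypes mask."""
    mask = int(value)
    return [label for bit, label in sorted(ENC_TYPES.items()) if mask & bit]


def account_expiry(value):
    """Convert accountExpires to a UTC datetime, or None when the account never expires."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def review_account(payload):
    """Return review notes for one GetAttributes response."""
    attrs = fold_attributes(payload)
    notes = []
    enc = attrs.get("msds-supportedencryptiontypes")
    if enc is None:
        notes.append("msDS-SupportedEncryptionTypes not set: KDC defaults apply")
    else:
        weak = decode_enc_types(int(enc[0]) & WEAK_ENC_BITS)
        if weak:
            notes.append("weak Kerberos encryption types enabled: " + ", ".join(weak))
    expires = attrs.get("accountexpires")
    if expires and account_expiry(expires[0]) is None:
        notes.append("accountExpires: never expires")
    return notes


if __name__ == "__main__":
    for note in review_account(SAMPLE_OUTPUT):
        print(note)
```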

Example - Add members to a group

  1. In the Configure connector task dialog, click Actions.
  2. Select the AddMembersToGroup action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"GroupId": "1|CN=GoogleGRP1fa2,CN=Users,DC=gcpad,DC=local","UserDNs": "[{\"DN\":\"CN=GoogleAI,CN=Users,DC=gcpad,DC=local;CN=Guest,CN=Users,DC=gcpad,DC=local\"}]"}
  4. If the action is successful, the AddMembersToGroup task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"Success": "True"}]

Example - Remove members from a group

  1. In the Configure connector task dialog, click Actions.
  2. Select the RemoveMembersFromGroup action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"GroupId": "1|CN=GoogleGRP1fa2,CN=Users,DC=gcpad,DC=local","UserDNs": "[{\"DN\":\"CN=GoogleAI,CN=Users,DC=gcpad,DC=local;CN=Guest,CN=Users,DC=gcpad,DC=local\"}]"}
  4. If the action is successful, the RemoveMembersFromGroup task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"Success": "True"}]
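In the AddMembersToGroup and RemoveMembersFromGroup payloads above, UserDNs is itself a JSON document serialized into a string, with the user DNs joined by semicolons. The following added example, which is not part of the connector documentation, builds that payload with json.dumps instead of hand-escaping it and refuses DNs outside an approved subtree. The function names and the allowed_base guard are hypothetical, and the success check is inferred from the sample responses on this page.

```python
import json
import re


def split_rdns(dn):
    """Split a DN into trimmed, lower-cased RDNs on commas that are not
    backslash-escaped (an escaped backslash before a comma is not handled)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def is_under(dn, base_dn):
    """True when dn is a strict descendant of base_dn."""
    rdns, base = split_rdns(dn), split_rdns(base_dn)
    return bool(base) and len(rdns) > len(base) and rdns[-len(base):] == base


def build_membership_payload(group_id, user_dns, allowed_base):
    """Build the connectorInputPayload for AddMembersToGroup or
    RemoveMembersFromGroup in the shape shown in the examples above.

    group_id is the Id of the Group record exactly as a List or Get operation
    returns it. allowed_base is a local guard (assumption): every user DN
    must sit below it.
    """
    if not user_dns:
        raise ValueError("no user DNs given")
    for dn in user_dns:
        # ';' separates DNs in the payload, so a DN containing one would be
        # read as two entries.
        if ";" in dn:
            raise ValueError("DN contains the ';' separator: %r" % dn)
        if not is_under(dn, allowed_base):
            raise ValueError("DN outside %s: %r" % (allowed_base, dn))
    # Inner document first, then embedded as a string in the outer object.
    inner = json.dumps([{"DN": ";".join(user_dns)}], separators=(",", ":"))
    return json.dumps({"GroupId": group_id, "UserDNs": inner})


def action_succeeded(output_payload):
    """Interpret a connectorOutputPayload from the action examples.

    The samples on this page report success either as "Success": "True" or
    "true", or (MoveToDN) as "Success": null with "resultcode": "0".
    """
    rows = json.loads(output_payload)

    def ok(row):
        return str(row.get("Success")).lower() == "true" or row.get("resultcode") == "0"

    return bool(rows) and all(ok(row) for row in rows)


if __name__ == "__main__":
    print(build_membership_payload(
        "1|CN=GoogleGRP1fa2,CN=Users,DC=gcpad,DC=local",
        ["CN=GoogleAI,CN=Users,DC=gcpad,DC=local",
         "CN=Guest,CN=Users,DC=gcpad,DC=local"],
        "DC=gcpad,DC=local",
    ))
```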

Example - Reset password

  1. In the Configure connector task dialog, click Actions.
  2. Select the ResetPassword action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"AdminPassword": "XXXX=","User": "CN=GCP_Admin,CN=Users,DC=gcpad,DC=local","NewPassword": "XXXX","AdminUser": "CN=admin,CN=Users,DC=gcpad,DC=local"}
  4. If the action is successful, the ResetPassword task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"Success": "true","result": "[ok]","rss:title": "Password modified successfully","resultcode": "0"}]

Example - Change password

  1. In the Configure connector task dialog, click Actions.
  2. Select the ChangePassword action, and then click Done.
  3. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"NewPassword": "XXXX"}
  4. If the action is successful, the ChangePassword task's connectorOutputPayload response parameter will have a value similar to the following:

    [{"Success": "true","result": "[ok]","rss:title": "Password modified successfully.","resultcode": "0"}]

Entity operation examples

This section shows how to perform some of the entity operations in this connector.

Example - List all Users

  1. In the Configure connector task dialog, click Entities.
  2. Select User from the Entity list.
  3. Select the List operation, and then click Done.
  4. Optionally, in the Task Input section of the Connectors task, you can filter your result set by specifying a filter clause. Always specify the filter clause value within single quotes (').
  5. You can perform the List operation on the following entities:

    Group, User Membership, Group Membership, OrganizationalPerson, Person, Top, Organization, OrganizationalRole, DomainPolicy, Contact, Computer, DnsNode, SecurityObject, OrganizationalUnit, Domain, and Account

Example - Get a User record

  1. In the Configure connector task dialog, click Entities.
  2. Select User from the Entity list.
  3. Select the Get operation, and then click Done.
  4. In the Task Input section of the Connectors task, click EntityId and then enter 1|CN=Active Directory User,DC=test-ldap,DC=com in the Default Value field.

    Here, 41|CN=Active Directory User,DC=test-ldap,DC=com is a unique record ID in the User entity.

  5. You can perform the Get operation on the following entities:

    Group, User Membership, Group Membership, OrganizationalPerson, Person, Top, SecurityPrincipal, Organization, OrganizationalRole, DomainPolicy, Contact, Computer, DnsNode, SecurityObject, OrganizationalUnit, Domain, and Account

Note:

If your entity has a composite primary key, you can specify a filter clause.

Example - Create a User record

  1. In the Configure connector task dialog, click Entities.
  2. Select User from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"RDN": "CN= Active Directory User ","ObjectClass": "top;person;organizationalPerson;user"}

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=Administrator,CN=Users,DC=test-ldap,DC=com"}

Example - Create a Computer record

  1. In the Configure connector task dialog, click Entities.
  2. Select Computer from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {"RDN": "CN=DELVM04S03","ObjectClass": "top;person;organizationalPerson;user;computer"}

    If the integration is successful, the Computer task's connectorOutputPayload response parameter will have a value similar to the following:

    {"Id": "1|CN=DELVM04S03,CN=Computers,DC=gcpad,DC=local"}

Example - Create a Group (DomainLocal) record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {"RDN": "CN=DomainLocala496","ObjectClass": "group","GroupType": "4"}

    If the integration is successful, the Group task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=DomainLocala496,CN=Users,DC=test-ldap,DC=com"}

Example - Create a Group (Global) record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=Globalf862",  "ObjectClass": "group",  "GroupType": "-2147483646"}

    If the integration is successful, the Group task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=Globalf862,CN=Users,DC=test-ldap,DC=com"}

Example - Create a Group (Universal) record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=UniversalGRP20e5",  "ObjectClass": "group",  "GroupType": "8"}

    If the integration is successful, the Group task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=UniversalGRP20e5,CN=Users,DC=test-ldap,DC=com"}

Example - Create a Group (Universal Security) record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=UniversalSecurity3f5a",  "ObjectClass": "group",  "GroupType": "-2147483640"}

    If the integration is successful, the Group task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=UniversalSecurity3f5a,CN=Users,DC=test-ldap,DC=com"}
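The GroupType values in the four Create a Group examples above (4, -2147483646, 8, -2147483640) are the Active Directory groupType bit field written as a signed 32-bit integer: 0x2 is global scope, 0x4 domain local, 0x8 universal, and 0x80000000 marks a security-enabled group. The following added example, which is not part of the connector documentation, decodes and encodes those values and flags an update that would turn a distribution group into a security group. The function names are hypothetical.

```python
# Scope bits and the security-enabled bit of the Active Directory groupType attribute.
SCOPE_BITS = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000


def decode_group_type(value):
    """Return (scope, security_enabled) for a GroupType string or int.

    The payloads carry the value as a signed 32-bit integer, so the
    security-enabled bit shows up as a negative number.
    """
    raw = int(value) & 0xFFFFFFFF  # reinterpret as unsigned 32-bit
    scopes = [name for bit, name in SCOPE_BITS.items() if raw & bit]
    if len(scopes) != 1:
        raise ValueError("GroupType %r must set exactly one scope bit" % (value,))
    return scopes[0], bool(raw & SECURITY_ENABLED)


def encode_group_type(scope, security_enabled):
    """Return the signed 32-bit GroupType string for a scope name."""
    by_name = {name: bit for bit, name in SCOPE_BITS.items()}
    if scope not in by_name:
        raise ValueError("unknown scope %r" % (scope,))
    raw = by_name[scope] | (SECURITY_ENABLED if security_enabled else 0)
    if raw >= 0x80000000:  # fold back into the signed 32-bit range
        raw -= 0x100000000
    return str(raw)


def becomes_security_group(old_value, new_value):
    """True when an update turns a distribution group into a security group.

    Security-enabled groups can be granted permissions in ACLs, so this is
    the GroupType change worth reviewing before an Update operation runs.
    """
    return decode_group_type(new_value)[1] and not decode_group_type(old_value)[1]


if __name__ == "__main__":
    # GroupType values taken from the Create a Group examples on this page.
    for sample in ("4", "-2147483646", "8", "-2147483640"):
        scope, security = decode_group_type(sample)
        kind = "security" if security else "distribution"
        print("%12s -> %s %s group" % (sample, scope, kind))
```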

Example - Create an OrganizationPerson record

  1. In the Configure connector task dialog, click Entities.
  2. Select OrganizationPerson from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=OrgP_AD45237",  "ObjectClass": "top;person;organizationalPerson;user;inetOrgPerson"}

    If the integration is successful, the OrganizationPerson task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=OrgP_AD45237,CN=Users,DC=gcpad,DC=local"}

Example - Create a Person record

  1. In the Configure connector task dialog, click Entities.
  2. Select Person from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=Personc3a",  "ObjectClass": "top;person;organizationalPerson;user"}

    If the integration is successful, the Person task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=Personc3a,CN=Users,DC=gcpad,DC=local"}

Example - Create a Top record

  1. In the Configure connector task dialog, click Entities.
  2. Select Top from the Entity list.
  3. Select the Create operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload as Local variable.
    {  "RDN": "CN=Top49b88",  "ObjectClass": "top;person;organizationalPerson;user;inetOrgPerson"}

    If the integration is successful, the Top task's connectorOutputPayload response parameter will have a value similar to the following:

    {  "Id": "1|CN=Top49b88,CN=Users,DC=gcpad,DC=local"}

Example - Update a User record

  1. In the Configure connector task dialog, click Entities.
  2. Select User from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Task Input section of the Connectors task, click connectorInputPayload and then enter a value similar to the following in the Default Value field:
    {"PostalCode": "560048"}
  5. Instead of specifying the entityId, you can also set the filterClause to 1|CN=Active Directory User,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=Active Directory User,DC=test-ldap,DC=com"}

Example - Update a Group record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    {  "Member": "CN=admin,CN=Users,DC=test-ldap,DC=com;CN=Administrator,CN=Users,DC=test-ldap,DC=com"}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=ADGroup9bff,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=ADGroup9bff,DC=test-ldap,DC=com"}

Example - Update a Group (GroupType) record

  1. In the Configure connector task dialog, click Entities.
  2. Select Group from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    { "GroupType": "4"}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=UniversalGRP20e5,CN=Users,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=UniversalGRP20e5,CN=Users,DC=test-ldap,DC=com"}

Example - Update an OrganizationPerson record

  1. In the Configure connector task dialog, click Entities.
  2. Select OrganizationPerson from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    {  "Title": "Test Engineer"}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=OrgP_ADa022f,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=OrgP_ADa022f,DC=test-ldap,DC=com"}

Example - Update a Person record

  1. In the Configure connector task dialog, click Entities.
  2. Select Person from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    {  "TelephoneNumber": "7764942992"}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=Person2e6,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=Person2e6,DC=test-ldap,DC=com"}

Example - Update a Top record

  1. In the Configure connector task dialog, click Entities.
  2. Select Top from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    {  "Description": "Top Testing GOOGLECLOUD"}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=Top3b6bc,DC=test-ldap,DC=com.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=Top3b6bc,DC=test-ldap,DC=com"}

Example - Update a Computer record

  1. In the Configure connector task dialog, click Entities.
  2. Select Computer from the Entity list.
  3. Select the Update operation, and then click Done.
  4. In the Data Mapper section of the Data Mapping task, click Open Data Mapping Editor and then enter a value similar to the following in the Input Value field and choose the EntityId/ConnectorInputPayload/FilterClause as Local variable.
    {"Description": "This is Windows 2019 Server."}

    Instead of specifying the entityId, you can also set the filterClause to 1|CN=DELVM04S02,CN=Computers,DC=gcpad,DC=local.

    Running this example returns a response similar to the following in the connector task's connectorOutputPayload output variable:

    {"Id": "1|CN=DELVM04S02,CN=Computers,DC=gcpad,DC=local"}

Example - Delete a User record

  1. In the Configure connector task dialog, click Entities.
  2. Select User from the Entity list.
  3. Select the Delete operation, and then click Done.
  4. In the Task Input section of the Connectors task, click entityId and then enter 1|CN=Active Directory User,DC=test-ldap,DC=com in the Default Value field.
  5. You can perform the Delete operation on the following entities:

    Group, User Membership, Group Membership, OrganizationalPerson, Person, Top, Organization, OrganizationalRole, DomainPolicy, Contact, Computer, DnsNode, SecurityObject, OrganizationalUnit, Domain, and Account

Note:

If your entity has a composite primary key, you can specify a filter clause.

Create connections using Terraform

You can use the Terraform resource to create a new connection.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

To view a sample Terraform template for connection creation, see sample template.

When creating this connection by using Terraform, you must set the following variables in your Terraform configuration file:

Parameter name | Data type | Required | Description
base_dn | STRING | True | The base portion of the distinguished name, used for limiting results to specific subtrees.
auth_mechanism | ENUM | True | The authentication mechanism to be used when connecting to the Active Directory server. Supported values are: SIMPLE, DIGESTMD5, NEGOTIATE
follow_referrals | BOOLEAN | False | Whether or not to follow referrals returned by the Active Directory server.
friendly_guid | BOOLEAN | False | Whether to return GUID attribute values in a human readable format.
friendly_sid | BOOLEAN | False | Whether to return SID attribute values in a human readable format.
ldapversion | STRING | True | The LDAP version used to connect to and communicate with the server.
scope | ENUM | True | Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only). Supported values are: WHOLESUBTREE, SINGLELEVEL, BASEOBJECT

Use the Active Directory connection in an integration

After you create the connection, it becomes available in both Apigee Integration and Application Integration. You can use the connection in an integration through the Connectors task.

  • To understand how to create and use the Connectors task in Apigee Integration, see Connectors task.
  • To understand how to create and use the Connectors task in Application Integration, see Connectors task.

Get help from the Google Cloud community

You can post your questions and discuss this connector in the Google Cloud community at Cloud Forums.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.