Skip to content

Active Directory Onboarding

Prerequisite

  • Network reachability from chosen Worker Group (Connector) to a Domain Controller.

    • LDAP TCP Por 389

    • LDAPS TCP Port 636

    • Microsoft Global Catalog TCP Port 3268

    • Microsoft Global Catalog TCP Port 3269

    • DNS resolution (UDP Port 53) for DC hostnames

  • Service account UPN for LDAP bind (example: svc_entro@corp.local)

    • Must have read access to directory objects and attributes within all required target domains.

Complete the following:

  1. Create the Service Account in Active Directory

    • Name: svc_entro

    • UPN: svc_entro@<domain>

    • Assign read-only built-in group permissions only.

    • Do not grant any elevated admin roles.

  2. Collect Connector Network Information

    Validate DNS Resolution

    Ensure the Worker VM can resolve the domain controller FQDN:

    dc01.example.local
    

    Validate LDAPS Connectivity (Port 636)

    openssl s_client -connect dc01.example.local:636 -showcerts
    

    If the connection succeeds, LDAPS is reachable.

  3. Copy the Root CA Certificate

    SailPoint Entro expects the raw certificate text, not a file upload.

    If you need further assistance with retrieving the certificate please see "export public certificate" below.

    Steps:

    • Open the Root CA certificate (.cer) in a text editor such as Notepad or VS Code.

    • Copy the entire certificate block, including the headers and footers:

    -----BEGIN CERTIFICATE-----
    ...certificate data...
    -----END CERTIFICATE-----
    
    • Paste this text directly into the Root CA (PEM) field in the SailPoint Entro Console.

    The certificate field is multiline. Ensure the full block is pasted with no extra spaces or missing lines.


In SailPoint Entro Console

Navigate: Management → Accounts & Integrations → Add New Account → Active Directory

Fill out the following fields:

Integration Fields

  • Nickname Free-text label for identification Example: ENTRO-PROD-AD

  • Domain Controller (DC) Short hostname or IP of the primary DC Example: DC01 or 10.0.0.5

  • DC Name (FQDN) Fully qualified domain controller name Example: dc01.example.local

    Both the short name/IP and the FQDN are required by the current connector version.

  • Root CA (PEM) Paste the full certificate text copied above.

  • Domain Active Directory domain Example: example.local

  • Username Service account UPN Example: svc_entro@example.local

  • Password Service account password

  • Environment Nickname Human-readable label for this deployment Example: PROD-AD

  • Environment Type Production / Staging / Dev

  • Worker Group (Connector) Select the Connector/Outpost that will run the AD scans.

Click Connect to complete onboarding.

Export Public CA Certificate

Option 1: Using OpenSSL (Linux, macOS, Windows with OpenSSL installed)

If your Root CA certificate is in an existing format (like .crt, .cer, .der, or .pfx), you can export it to a PEM file easily.

  1. Locate your Root CA certificate

    Find the file (for example):

    • rootCA.crt

    • rootCA.cer

    • or part of a PKCS#12 bundle (like rootCA.pfx).

  2. Convert to PEM (if not already)

    Depending on the format:

    If it's a DER (.der or .cer) file:

    openssl x509 -inform DER -in rootCA.cer -out root-ca.pem
    

    If it's a CRT (.crt) file:

    openssl x509 -in rootCA.crt -out root-ca.pem
    

    If it's a PFX / PKCS#12 (.pfx) file (contains private key + certs):

    openssl pkcs12 -in rootCA.pfx -out root-ca.pem -clcerts -nokeys
    

    You'll be asked for the import password (if the PFX is protected).

  3. Verify the PEM file

    Check the output:

    openssl x509 -in root-ca.pem -text -noout
    

    You should see details like:

    Issuer: CN = RootCA
    Subject: CN = RootCA
    

    That confirms you have the root CA certificate in PEM format.


Option 2: From Windows Certificate Store

If your Root CA is stored in the Windows Certificate Manager:

  1. Open the Certificate Manager

    Press Win + R → type:

    certmgr.msc
    

    Press Enter.

  2. Locate the Root CA

    Go to:

    Trusted Root Certification Authorities → Certificates
    

    Find your root CA certificate (look for the name in the list).

  3. Export the certificate

    Right-click → All Tasks → Export → follow the wizard:

    • Choose No, do not export the private key

    • Select Base-64 encoded X.509 (.CER) format

    • Save it as root-ca.cer

  4. Rename or convert to PEM

    You can simply rename it:

    root-ca.cer → root-ca.pem
    

    Or convert it using OpenSSL (optional):

    openssl x509 -in root-ca.cer -out root-ca.pem
    

Troubleshooting: Certificate Issues

  • Ensure the certificate contains the BEGIN and END lines.

  • Do not add or remove line breaks.

  • Certificate must be Base64-encoded X.509.

  • Confirm port 636 is reachable and DNS resolves the DC correctly.


Security & Compliance Notes

  • LDAPS should always run over TLS 1.2+.

  • Do not assign write permissions to the service account.

  • Passwords should be stored in your internal secrets vault or a secure encrypted channel.