Skip to content

Active Directory Permissions Reference

Summary

SailPoint Entro requires a single read-only LDAP bind account. The account must be able to enumerate users, groups, computers, and basic attributes. No administrative or write privileges are needed.

Required Roles / Access

  • Directory read access to:

    • CN=Users,DC=<domain>

    • CN=Computers,DC=<domain>

    • Any OU structures containing user/group objects

  • Ability to read these attributes:

    • member, memberOf, sAMAccountName, userPrincipalName, lastLogon, objectSID, objectGUID, userAccountControl, servicePrincipalName
  • If searching ACLs, the account must be able to read security descriptor metadata where allowed via LDAP.

Scopes and Purpose

Scope name Purpose
ldap:bind Bind to LDAP/LDAPS using service account
ldap:read:users Read user objects and attributes
ldap:read:groups Read group objects and nested membership
ldap:read:computers Read computer accounts and SPNs
ldap:read:gpo Read GPO metadata (if accessible)

Auth Profile / Policy Mapping

  • LDAP binding uses the service account credentials entered in the integration form.

  • LDAP bind credentials authorize directory queries from the Worker Group.

  • Use TLS 1.2+ for LDAPS.

  • SailPoint Entro maintains read-only behavior and logs access.

  • Ensure the service account follows the Principle of Least Privilege.