Active Directory Permissions Reference
Summary
SailPoint Entro requires a single read-only LDAP bind account. The account must be able to enumerate users, groups, computers, and basic attributes. No administrative or write privileges are needed.
Required Roles / Access
-
Directory read access to:
-
CN=Users,DC=<domain> -
CN=Computers,DC=<domain> -
Any OU structures containing user/group objects
-
-
Ability to read these attributes:
member,memberOf,sAMAccountName,userPrincipalName,lastLogon,objectSID,objectGUID,userAccountControl,servicePrincipalName
-
If searching ACLs, the account must be able to read security descriptor metadata where allowed via LDAP.
Scopes and Purpose
| Scope name | Purpose |
|---|---|
ldap:bind |
Bind to LDAP/LDAPS using service account |
ldap:read:users |
Read user objects and attributes |
ldap:read:groups |
Read group objects and nested membership |
ldap:read:computers |
Read computer accounts and SPNs |
ldap:read:gpo |
Read GPO metadata (if accessible) |
Auth Profile / Policy Mapping
-
LDAP binding uses the service account credentials entered in the integration form.
-
LDAP bind credentials authorize directory queries from the Worker Group.
Recommended Configuration and Security Notes
-
Use TLS 1.2+ for LDAPS.
-
SailPoint Entro maintains read-only behavior and logs access.
-
Ensure the service account follows the Principle of Least Privilege.