Skip to content

Active Directory

SailPoint Entro connects to your On-Premises Active Directory to discover, monitor, and analyze user identities, groups, and permissions.

Purpose

This integration ingests Active Directory objects and ACLs to find identity risk, excessive permissions, and lateral movement paths.

Supported Environments

  • On-premises Active Directory forests (single or multi-domain)

  • Hybrid environments where domain controllers are reachable from the Worker Group (Connector)

ASCII Architecture

                       +--------------------+
                       |   Entro Console    |
                       |   (Control Plane)  |
                       +---------+----------+
                                 |
                                 | Control API + AES-256 token
                                 |
                       +---------v----------+
                       | Worker Group       |
                       | (Connector VM)     |
                       +---------+----------+
              LDAPS/LDAP     |     LDAP(S)      |
  +------------------+       |       +------------------+
  | Domain Controller |<-----+----->| Domain Controller |
  | (DC - dc01)       |             | (DC - dc02)       |
  +------------------+               +------------------+
                |                              |
                +----- Kerberos / LDAP / DNS --+

What SailPoint Entro Scans

  • User accounts and attributes

  • Groups and nested group membership

  • Group Policy Objects (GPO metadata)

  • ACLs on objects (where accessible via LDAP)

  • Computer accounts and service principal names (SPNs)

  • Password and lockout policies (metadata)

  • LastLogon, account status, and privileged group membership

Authentication Method Summary

  • Primary method: LDAP/LDAPS bind using a dedicated service account (API Access Token used in SailPoint Entro Console).

  • SailPoint Entro requires a service account with read-only LDAP privileges.

Data Access Mode

  • Read-only LDAP queries from the Worker Group (Connector).

  • Network traffic should use LDAPS (port 636) whenever possible.

Security & Compliance

  • TLS 1.2+ required for LDAPS connections.

  • SailPoint Entro uses read-only directory access.

  • Stored tokens encrypted using AES-256.

  • Applicable standards: SOC 2 Type II, ISO 27001, GDPR (data retention and export controls apply).