6.2.3.1. Recommended usage

The following table lists the IAM plugins that connect to MSAD and states the intended usage of each:

Plugin Name: Active Directory Connector
Description: General purpose plugin used to connect to MSAD for several purposes. Usually this is the only IAM plugin required to connect to MSAD.
Recommended for Use-Case:
  • Check user password
  • Change user password
  • Set user password by administrator
  • Check if user account exists
  • Check account state on MSAD
  • Read users' roles/groups
  • Read and write user profile data
  • Import accounts from MSAD into IAM database

Plugin Name: Active Directory Password Repository
Description: Used in flow-based authentication for password check and change.
Recommended for Use-Case:
  • Check password
  • Change password

Plugin Name: Active Directory Password Policy (+ Connector)
Description: Checks whether a password meets the requirements of the MSAD password policy.
Recommended for Use-Case:
  • Change password
  • Set password by administrator

As a rule of thumb, the following setups are recommended.

When authenticating users with:

  • Username and password only: MSAD can be used as the sole authentication and persistence back-end (no IAM database needed).
  • 2 factors: MSAD should only be used to check the password. Second factors should be checked using the IAM database.