We are facing a problem with our LDAP provisioning (to Microsoft AD). We have a quite diversified OU structure in our AD, which unfortunately can change from time to time. New OUs or group names are of course not a problem, but name changes can occur as well.
With IDM using the DN of an identity or of a group as the unique identifier in the LDAP connector, such changes will have a huge impact on the IDM, because the DN will change and the IDM will no longer find the person/group in the Active Directory.
We have tried to use the sAMAccountName in the connector instead of the DN, but it does not work; IDM does not find the entry in the AD.
Does anyone know of another possibility to deal with this problem? Is there any way to adapt the connector in such a way that it can use e.g. the sAMAccountName or, even better, the GUID as an identifier?
Thank you very much in advance,
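The following is an added example, not code from the original post or from any IDM product. It illustrates the correlation problem the post describes: an identity stored by DN stops resolving after an OU rename, while the immutable objectGUID still finds it. The directory is a constructed in-memory stand-in for AD (a real deployment would send the same filter to a domain controller through an LDAP client such as ldap3); the GUID values, names and OU paths are made up.

```python
"""Correlating Active Directory objects by objectGUID instead of DN.

Added example, not part of the original post. The "directory" below is a
constructed in-memory stand-in for AD; the search() function mimics only the
(attr=value) equality filters needed here.
"""
import uuid


def _guid_bytes(guid_str: str) -> bytes:
    # AD stores objectGUID as 16 raw bytes, mixed-endian (first three fields
    # little-endian), which is exactly what uuid.UUID.bytes_le produces.
    return uuid.UUID(guid_str).bytes_le


# Constructed sample entries (hypothetical values).
JANE_GUID = "0f1d3b9c-1234-4a5b-9c8d-0123456789ab"
SALES_GUID = "a1b2c3d4-e5f6-4789-8abc-def012345678"

DIRECTORY = [
    {"distinguishedName": "CN=Jane Doe,OU=Sales,OU=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe",
     "objectGUID": _guid_bytes(JANE_GUID)},
    {"distinguishedName": "CN=Sales Team,OU=Groups,DC=example,DC=com",
     "sAMAccountName": "sales-team",
     "objectGUID": _guid_bytes(SALES_GUID)},
]


def escape_guid_for_filter(guid_str: str) -> str:
    """Render a GUID in the backslash-hex form an LDAP filter needs in order to
    match the binary objectGUID attribute, e.g. \\9c\\3b\\1d\\0f..."""
    return "".join(f"\\{b:02x}" for b in _guid_bytes(guid_str))


def guid_filter(guid_str: str) -> str:
    return f"(objectGUID={escape_guid_for_filter(guid_str)})"


def _unescape_filter_value(value: str) -> bytes:
    # Server side of the filter: turn "\9c\3b..." back into raw bytes.
    return bytes(int(p, 16) for p in value.split("\\")[1:])


def search(directory, filter_str):
    """Tiny stand-in for an LDAP search supporting (attr=value) equality only."""
    attr, _, value = filter_str.strip("()").partition("=")
    if attr == "objectGUID":
        value = _unescape_filter_value(value)
    return [e for e in directory if e.get(attr) == value]


def rename_ou(directory, old_ou_path: str, new_ou_path: str) -> None:
    """Simulate an OU rename: every DN under the old path gets the new path.
    objectGUID and sAMAccountName are untouched, as they would be in AD."""
    for entry in directory:
        entry["distinguishedName"] = entry["distinguishedName"].replace(
            old_ou_path + ",", new_ou_path + ",")


def resolve_current_dn(directory, stored_dn: str, stored_guid: str):
    """Look the object up by the DN the IDM has on record; if that no longer
    exists, fall back to the immutable objectGUID and return the current DN so
    the IDM record can be corrected. Returns None if the object is gone."""
    hit = search(directory, f"(distinguishedName={stored_dn})")
    if not hit:
        hit = search(directory, guid_filter(stored_guid))
    return hit[0]["distinguishedName"] if hit else None


if __name__ == "__main__":
    d = [dict(e) for e in DIRECTORY]
    old_dn = "CN=Jane Doe,OU=Sales,OU=Users,DC=example,DC=com"
    rename_ou(d, "OU=Sales,OU=Users", "OU=EMEA Sales,OU=Users")
    print("lookup by old DN:", search(d, f"(distinguishedName={old_dn})"))
    print("filter used:", guid_filter(JANE_GUID))
    print("resolved via GUID:", resolve_current_dn(d, old_dn, JANE_GUID))
```

The point of the fallback is that the IDM keeps the objectGUID (and, if desired, sAMAccountName) beside the DN, treats the DN as a mutable attribute to refresh, and uses the GUID as the correlation key. The escaping helper matters in practice: a GUID pasted as text into an `(objectGUID=...)` filter will not match, because the attribute is binary.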