New Capability: Identity Security Cloud Account - Move and Rename for LDAP

Description

We are excited to announce account move and rename support for SailPoint Lightweight Directory Access Protocol (LDAP) connectors.

Whether an account is moved or renamed directly in the LDAP directory or through a provisioning operation in Identity Security Cloud, Identity Security Cloud will continue to represent the same native LDAP account (without creating a mismatch or a “new” account unintentionally).

New Capability

Previously, account move and rename was supported for the Active Directory connector. In 2H’25, we enhanced that support to cover additional move/rename scenarios. During account aggregation, the connector now performs extra checks to handle changes caused by OU moves and account renames in Active Directory more reliably. This updated behavior preserves provisioning history, reduces unnecessary events, and removes manual steps that were sometimes needed to restore provisioning history.

We have extended the core capability to support account move and rename for LDAP. Supported connectors include:

  • Generic LDAP
  • OpenLDAP
  • Novell eDirectory/NetIQ
  • IBM Tivoli Directory Server
  • Microsoft Lightweight Directory Services (Formerly ADAM)
  • Oracle Internet Directory

To support account move and rename, the connector requires a Unique Account Attribute value for your specific LDAP server. For other LDAP-based connectors, this is handled in the connector by default. For the generic LDAP connector, configure it as follows:

LDAP Server Unique Account Attribute

LDAP Server                           Unique Account Attribute
ADAM (AD LDS)                         objectGUID
IBM Tivoli Directory Server           ibm-entryuuid
Novell eDirectory                     GUID
ODSEE (SunOne)                        nsUniqueId
OpenLDAP                              entryUUID
Oracle Internet Directory (OID)       orclGUID
Oracle Unified Directory (OUD)        entryUUID
389 Directory Server                  entryUUID

If your directory uses a custom attribute that is unique, you can configure that attribute in the generic LDAP connector instead.

For provisioning operations, the special attributes AC_NewName and AC_NewParent handle the rename and move operations and can be sent in an attribute request.
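The following Python model is an added example, not SailPoint connector code, illustrating the two points above: why aggregation must correlate accounts on the immutable Unique Account Attribute rather than on the DN, and which values a move or rename request carries. It compares two constructed OpenLDAP aggregation snapshots, once keyed by DN and once keyed by entryUUID. The UNIQUE_ATTRIBUTE map restates the table above. The DN normalization is a deliberate simplification (lower-casing and trimming, not full RFC 4514 handling), and the assumption that AC_NewParent carries the new parent DN and AC_NewName the new RDN is mine; the exact value format the connector expects is in SailPoint's documentation.

```python
"""Added example (not SailPoint code): correlate LDAP accounts across two
aggregation snapshots by an immutable unique attribute instead of by DN."""

# Per-server unique attribute, restating the table in the announcement.
UNIQUE_ATTRIBUTE = {
    "ADAM (AD LDS)": "objectGUID",
    "IBM Tivoli Directory Server": "ibm-entryuuid",
    "Novell eDirectory": "GUID",
    "ODSEE (SunOne)": "nsUniqueId",
    "OpenLDAP": "entryUUID",
    "Oracle Internet Directory (OID)": "orclGUID",
    "Oracle Unified Directory (OUD)": "entryUUID",
    "389 Directory Server": "entryUUID",
}


def dn_components(dn):
    """Split a DN on unescaped commas; backslash-escaped commas stay in the RDN."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def norm_dn(dn):
    """Simplified comparison form (assumption: lower-case + trim is enough here)."""
    return ",".join(p.lower() for p in dn_components(dn))


def split_dn(dn):
    """Return (rdn, parent_dn); a DN with no parent returns parent ''."""
    parts = dn_components(dn)
    return parts[0], ",".join(parts[1:])


def correlate(previous, current, key_attr):
    """Match two snapshots on key_attr ('dn' or a unique attribute).

    Returns lists: unchanged, moved, renamed, created, deleted.  Moved and
    renamed items carry the assumed AC_NewParent / AC_NewName request values.
    """
    def key(entry):
        return norm_dn(entry["dn"]) if key_attr == "dn" else entry[key_attr]

    old = {key(e): e for e in previous}
    new = {key(e): e for e in current}
    result = {"unchanged": [], "moved": [], "renamed": [], "created": [], "deleted": []}
    for k, entry in new.items():
        if k not in old:
            result["created"].append(entry["dn"])
            continue
        old_rdn, old_parent = split_dn(old[k]["dn"])
        new_rdn, new_parent = split_dn(entry["dn"])
        change = {"from": old[k]["dn"], "to": entry["dn"]}
        parent_changed = norm_dn(old_parent) != norm_dn(new_parent)
        rdn_changed = old_rdn.lower() != new_rdn.lower()
        if parent_changed:
            change["AC_NewParent"] = new_parent  # assumed: new parent container DN
        if rdn_changed:
            change["AC_NewName"] = new_rdn       # assumed: new RDN of the account
        if parent_changed:
            result["moved"].append(change)
        elif rdn_changed:
            result["renamed"].append(change)
        else:
            result["unchanged"].append(entry["dn"])
    result["deleted"] = [e["dn"] for k, e in old.items() if k not in new]
    return result


# Constructed snapshots: jsmith moved, adoe renamed, bwong unchanged,
# retiring deleted, newhire created.  UUIDs are placeholders.
PREVIOUS = [
    {"dn": "uid=jsmith,ou=Sales,dc=example,dc=com", "entryUUID": "11111111-1111-1111-1111-111111111111"},
    {"dn": "uid=adoe,ou=Sales,dc=example,dc=com", "entryUUID": "22222222-2222-2222-2222-222222222222"},
    {"dn": "uid=bwong,ou=Sales,dc=example,dc=com", "entryUUID": "33333333-3333-3333-3333-333333333333"},
    {"dn": "uid=retiring,ou=Sales,dc=example,dc=com", "entryUUID": "44444444-4444-4444-4444-444444444444"},
]
CURRENT = [
    {"dn": "uid=jsmith,ou=Engineering,dc=example,dc=com", "entryUUID": "11111111-1111-1111-1111-111111111111"},
    {"dn": "uid=asmith,ou=Sales,dc=example,dc=com", "entryUUID": "22222222-2222-2222-2222-222222222222"},
    {"dn": "uid=bwong,ou=Sales,dc=example,dc=com", "entryUUID": "33333333-3333-3333-3333-333333333333"},
    {"dn": "uid=newhire,ou=Sales,dc=example,dc=com", "entryUUID": "55555555-5555-5555-5555-555555555555"},
]

if __name__ == "__main__":
    for key_attr in ("dn", UNIQUE_ATTRIBUTE["OpenLDAP"]):
        r = correlate(PREVIOUS, CURRENT, key_attr)
        print(f"keyed by {key_attr}: " + ", ".join(f"{k}={len(v)}" for k, v in r.items()))
```

Keyed by DN, the moved and renamed accounts surface as one deletion plus one "new" account each, which is exactly the mismatch the announcement says the connector now avoids; keyed by entryUUID, the same change is recognised as a move or rename of the existing account, and the change record already holds the values a provisioning request would carry.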

Documentation:

Release Details

  • Identity Security Cloud - Available.

Does this include Active Directory Domain Services or Microsoft Active Directory as well, since it runs LDAP underneath?

I haven’t seen any notification about SailPoint fixing the AD connector and the idea is still open https://ideas.sailpoint.com/ideas/GOV-I-2129.

do you have the document relating to the fix?

Could you please clarify what exactly this capability means? Specifically, how are AC_NewName and AC_NewParent expected to be used in provisioning operations for move and rename scenarios?

Here is the SailPoint documentation:

Scroll to the bottom of the page for a description of those 2 attributes you are asking about.

The link was pulled from the list at the original post here labeled:
Microsoft Lightweight Directory Services


I initially read this as the AD connector got support in 2H’25 for moving an account OU natively, without needing to use a before provisioning rule and the AC_* calls. Looks like that is still the case, and only addresses improvements to moves in the aggregation actions.