Skip to main content

Switching between Active Directory adapters

UiPath® Identity Server provides support for two Active Directory adapters: ad and ldapad.

  • ad adapter: Legacy adapter that works only in standalone deployments. The ad adapter only operates on Windows and it supports external trust domains and NTLM, offering support for non-domain joined clients to authenticate.
  • ldapad adapter: Adapter introduced in 2021.10. The ldapad adapter works in both standalone and Automation Suite deployments and it does not support external trust domains and NTLM for non-domain joined clients to authenticate.

The following table describes the two Active Directory adapters for each deployment model:

Deploymentad adapterldapad adapter
Automation SuiteNot supportedSupported
note

All deployments prior to 2021.10 with Active Directory integration enabled keep the ad adapter after upgrade. All other deployments get, by default, the ldapad adapter when Active Directory integration is enabled.

Checking the Active Directory adapter type

To determine the adapter type, a SQL query can be executed which checks the type of the adapter in the [identity].[DirectoryConnections] table.

SELECT dc.* from [identity].[DirectoryConnections] dc
JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId]
WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[IsDeleted]=0

If [Type]=ad, then the ad adapter is in use. If [Type]='ldapad', then the ldapad adapter is in use.

Switching from ldapad to ad

note

This is supported only in standalone deployments.

To switch from ldapad to ad, take the following steps:

  1. Check that ldapad adapter is enabled by making sure the following query returns one row: 
    SELECT dc.* from [identity].[DirectoryConnections] dc JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId] WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ldapad' AND dc.[IsDeleted]=0
  2. Connect to the Orchestrator/Identity database and run the following script, making sure to replace FQDN-OF-DOMAIN with the fully qualified name of the default/main domain. With Active Directory integration enabled in the UiPath host portal, the following SQL script updates the DirectoryId of Active Directory users and groups, soft-deletes ldapad directory connections, and creates ad directory connections. 
    -- convert users

    IF OBJECT_ID('tempdb..#tmp_ldap_users') IS NOT NULL
    DROP TABLE #tmp_ldap_users

    SELECT [Id], [MasterPartitionId], CONCAT('ad', SUBSTRING([DirectoryId], 7, 256)) AS [DirectoryId] INTO #tmp_ldap_users
    FROM [identity].[AspNetUsers]
    WHERE [DirectoryId] LIKE 'ldapad|%' AND [IsDeleted]=0

    --SELECT * FROM #tmp_ldap_users

    DELETE tmp
    FROM #tmp_ldap_users tmp
    JOIN [identity].[AspNetUsers] u ON u.[MasterPartitionId]=tmp.[MasterPartitionId] AND u.[DirectoryId]=tmp.[DirectoryId]

    --SELECT * FROM #tmp_ldap_users

    UPDATE u
    SET u.[DirectoryId]=tmp.[DirectoryId]
    FROM [identity].[AspNetUsers] u
    JOIN #tmp_ldap_users tmp on tmp.[Id]=u.[Id]

    -- create 'ad' directory connection

    DECLARE @HostPartitionId int        -- host partition id
    SELECT @HostPartitionId = [Id] FROM [identity].[Partitions] WHERE [GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D'

    UPDATE [identity].[DirectoryConnections] SET [IsDeleted]=1, [DeletionTime]=GETUTCDATE() WHERE [PartitionId]=@HostPartitionId AND [Type]='ldapad' and [IsDeleted]=0

    SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [Type]='ad' and [IsDeleted]=0
    IF @@ROWCOUNT=0
        INSERT INTO [identity].[DirectoryConnections] ([PartitionId], [Type], [CreationTime], [Configuration], [IsDeleted])
        VALUES (@HostPartitionId, 'ad', GETUTCDATE(), '{ "Domain": "<FQDN-OF-DOMAIN>" }', 0)


    SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [IsDeleted]=0
  3. Restart the Identity application pool by running iisreset from an elevated prompt.

Switching from ad to ldapad

To switch your directory integration from ad to ldapad, follow these steps:

  1. Check that the ad adapter is enabled by making sure the following query returns one row: 
    SELECT dc.* from [identity].[DirectoryConnections] dc
    JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId]
    WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ad' AND dc.[IsDeleted]=0
  2. In the host portal, delete the existing Active Directory integration.
  3. Reconfigure the directory integration, and under Directory integration select Configure.
    note

    When you switch from ad to ldapad all user settings and permissions are preserved, even during the delete and reconfigure steps.

  4. Restart the IIS services.

For example, you can use the iisreset command in the Command Prompt to reset the IIS services.