@kbering kbering commented Dec 17, 2025

This commit introduces a new connector for Microsoft Active Directory with support for efficient incremental synchronization using Update Sequence Numbers (USN).

Features:

  • Full sync of AD objects (users, groups, computers, OUs)
  • USN-based incremental sync for efficient updates
  • LDAPS support for secure connections
  • NTLM and Simple authentication
  • Configurable object type filtering
  • Paged LDAP queries for large environments
  • Comprehensive attribute mapping

Components:

  • datasource.py: Main connector implementing BaseDataSource
  • client.py: LDAP client wrapper with async support
  • constants.py: AD schemas and attribute definitions
  • test_active_directory.py: Unit and integration tests
  • README.md: Complete documentation

Technical Details:

  • Tracks highestCommittedUSN from AD
  • Queries (uSNChanged >= last_usn) for changed objects
  • Async implementation using ldap3 library
  • Proper error handling and logging

Testing:

  • Unit tests with mocked LDAP responses
  • Integration tests for real AD environments
  • pytest configuration included

Closes https://github.com/elastic/connectors-py/issues/###

Checklists

Pre-Review Checklist

  • this PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check config.yml.example)
  • this PR has a meaningful title
  • this PR links to all relevant github issues that it fixes or partially addresses
  • if there is no GH issue, please create it. Each PR should have a link to an issue
  • this PR has a thorough description
  • Covered the changes with automated tests
  • Tested the changes locally
  • Added a label for each target release version (example: v7.13.2, v7.14.0, v8.0.0)
  • For bugfixes: backport safely to all minor branches still receiving patch releases
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • if you added or changed Rich Configurable Fields for a Native Connector, you made a corresponding PR in Kibana

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc)
  • New external service dependencies added.

Related Pull Requests

Release Note

@kbering kbering requested a review from a team as a code owner December 17, 2025 15:08
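
An added sketch of the USN watermark logic listed under "Technical Details", not code from this PR: every name in it (Cursor, Plan, plan_sync, OBJECT_FILTERS, dc_id) is hypothetical. It assumes the caller reads the domain controller's identity and highestCommittedUSN from rootDSE before searching, and it uses last_usn + 1 as the lower bound so the object at the watermark is not fetched twice.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical names throughout; this is not the PR's datasource.py or client.py.
OBJECT_FILTERS = {
    # objectClass=user alone also matches computer accounts in AD
    "users": "(&(objectCategory=person)(objectClass=user))",
    "groups": "(objectClass=group)",
    "computers": "(objectClass=computer)",
    "ous": "(objectClass=organizationalUnit)",
}

@dataclass(frozen=True)
class Cursor:
    dc_id: str     # identity of the DC the watermark came from (assumed: rootDSE dsServiceName)
    last_usn: int  # highestCommittedUSN recorded at the start of the previous run

@dataclass(frozen=True)
class Plan:
    mode: str            # "full" or "incremental"
    ldap_filter: str     # filter to pass to the paged search
    next_cursor: Cursor  # persist only after the search completes without error

def plan_sync(cursor: Optional[Cursor], dc_id: str,
              highest_committed_usn: int, object_types: List[str]) -> Plan:
    unknown = [t for t in object_types if t not in OBJECT_FILTERS]
    if unknown:
        raise ValueError(f"unsupported object types: {unknown}")
    types = "(|" + "".join(OBJECT_FILTERS[t] for t in object_types) + ")"
    nxt = Cursor(dc_id, highest_committed_usn)
    # uSNChanged is a per-DC counter: a watermark taken from another DC is
    # meaningless, and a counter that moved backwards means the DC was
    # restored or replaced. Both cases fall back to a full sync.
    if (cursor is None or cursor.dc_id != dc_id
            or highest_committed_usn < cursor.last_usn):
        return Plan("full", types, nxt)
    # LDAP filters have no strict '>', so the lower bound is last_usn + 1.
    # The upper bound pins the window to the value read before the search;
    # objects modified while paging get a higher USN and land in the next run.
    low = cursor.last_usn + 1
    window = f"(uSNChanged>={low})(uSNChanged<={highest_committed_usn})"
    return Plan("incremental", f"(&{types}{window})", nxt)
```

When nothing has changed since the last run, the window is empty (low exceeds the upper bound) and the search returns no entries.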
@cla-checker-service

❌ Author of the following commits did not sign a Contributor Agreement:
93ad4a1

Please, read and sign the above mentioned agreement if you want to contribute to this project

@seanstory
Member

buildkite test this

@seanstory
Member

seanstory commented Dec 23, 2025

Hi @kbering, thanks for the contribution!

In order for us to consider merging this, you'll need to sign the Contributor License Agreement (CLA). This gives Elastic permission to use your code.

Next, we'll want to make sure we understand the use case for this connector. Why do you need an Active Directory connector? How do you plan to use this data once it's in Elasticsearch? It's important for us to not take on new connectors until we understand that they'd be useful for more than just one customer.

Finally, I've just kicked off a CI job for this branch. If it fails, we'll need to address those failures. EDIT: looks like the linter failed. Try running make autoformat, and then make lint locally. If that passes, commit and push those changes.

Thanks again for this work! We'll be looking forward to giving it a thorough review after the holidays.
