# Service account and configuration

## Service account

During Managed System configuration in the Webconsole, you will specify a **Login ID** that acts as the service account OpenIAM uses to connect to Active Directory. This should be a regular AD user account granted the permissions required for the operations the connector needs to perform.

Include the domain name in the Login ID. For example: `openiamtest\serviceAccount`.

For POC and test environments, adding the service account to administrative groups is acceptable. For production, apply the principle of least privilege and grant only the required permission set.

You can set delegation permissions using the **Delegation Control** wizard in Active Directory Users and Computers (ADUC) by right-clicking the target OU.

<figure><img src="/files/GugB8lZQl3SAIH2UTZVd" alt=""><figcaption></figcaption></figure>

## Limiting connector scope

Service accounts should have only the permissions they need. For example, if the connector is used only for one-way sync from AD, the account should not have write permissions.

As an additional safety measure, you can set the **PermittedDN** parameter in the managed system configuration. When set:

* All **ADD** operations are skipped if the new object would be created outside PermittedDN or its sub-OUs.
* All **MODIFY** operations are stopped if the target object is located outside PermittedDN or its sub-OUs.

In both cases the connector returns a `FAIL` status with an appropriate message.
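The scope check described above, written out as an added illustration in Python (this is not OpenIAM's own code, and the `SUCCESS` status label and message texts are assumptions): the DN is compared RDN by RDN rather than as a raw string suffix, so differences in case, spacing and escaped commas do not cause false matches.

```python
import re
from typing import Optional

# Constructed example of the PermittedDN scope guard described above; it is not
# OpenIAM's code. Status labels other than FAIL are assumptions.

def split_dn(dn: str) -> list:
    """Split a DN into RDNs at unescaped commas, then normalise each RDN
    (trim whitespace around '=' and lower-case) so that
    'ou=Staff , DC=Example' compares equal to 'OU=Staff,DC=example'."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts if p.strip()]

def within_permitted_dn(target_dn: str, permitted_dn: str) -> bool:
    """True when target_dn is PermittedDN itself or lies in one of its sub-OUs.
    Comparing RDN lists rather than raw string suffixes prevents
    'OU=Ex-Staff,...' from matching a PermittedDN of 'OU=Staff,...'."""
    target, permitted = split_dn(target_dn), split_dn(permitted_dn)
    if not permitted or len(target) < len(permitted):
        return False
    return target[-len(permitted):] == permitted

def guard_operation(op: str, target_dn: str, permitted_dn: Optional[str]) -> dict:
    """Apply the guard to an ADD (target_dn = DN of the object to create) or a
    MODIFY (target_dn = DN of the existing object). Without a PermittedDN the
    request passes through; outside the scope the connector answers FAIL."""
    if not permitted_dn or op not in ("ADD", "MODIFY"):
        return {"status": "SUCCESS", "message": f"{op} {target_dn}: not subject to PermittedDN"}
    if within_permitted_dn(target_dn, permitted_dn):
        return {"status": "SUCCESS", "message": f"{op} {target_dn}: inside PermittedDN"}
    return {"status": "FAIL",
            "message": f"{op} {target_dn}: target is outside PermittedDN {permitted_dn}"}

if __name__ == "__main__":
    scope = "OU=Staff,DC=example,DC=com"   # constructed PermittedDN value
    for op, dn in [("ADD", "CN=jdoe,OU=Dev,OU=Staff,DC=example,DC=com"),
                   ("MODIFY", "CN=jdoe,OU=Admins,DC=example,DC=com")]:
        print(guard_operation(op, dn, scope))
```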

***

## Registering the connector

After the connector is started, it must be registered with OpenIAM to receive messages from other services.

1. Go to **Webconsole → Provisioning → Connectors**. Unless you are using a custom connector, your connector should already appear in the list.
2. Click **Actions** next to the connector to open the configuration screen.
3. Note the **Connector Queue** value — you will need this for the server-side configuration below.

<figure><img src="/files/sV7DXE4Dl6Y8Or12vzvd" alt=""><figcaption></figcaption></figure>

You can replace the default queue name with any unique alphanumeric string (no spaces).

### Adding the Queue Name to the Connector Configuration

{% stepper %}
{% step %}
Copy `start.sh` into the connectors directory and rename it `[connector_name]_start.sh`.
{% endstep %}

{% step %}
Open the new start script and add the following Java options:

```bash
-Dorg.openiam.connector.queue=[Connector Queue]_Request
-Dorg.openiam.connector.queueResponseName=[Connector Queue]_Response
```

{% endstep %}

{% step %}
Copy `/etc/systemd/system/openiam-connector@.service` to `/etc/systemd/system/openiam-connector-[connector-name].service` and update the `ExecStart` property to point to the new start script.
{% endstep %}

{% step %}
Start the connector:

```bash
./start.sh connector-file-name
```

{% endstep %}
{% endstepper %}

**Example Java options:**

```bash
-Dorg.openiam.connector.queue=TestDb_Connector_0001_Request
-Dorg.openiam.connector.queueResponseName=TestDb_Connector_0001_Response
```
