---
title: Configuring the PingAuthorize user store
description: Configure PingAuthorize Server to use PingDirectory Server as its user store.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_config_paz_user_store
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_config_paz_user_store.html
revdate: July 29, 2022
section_ids:
  steps: Steps
  example: Example:
  example-2: Example:
---

# Configuring the PingAuthorize user store

Configure PingAuthorize Server to use PingDirectory Server as its user store.

## Steps

1. To make a set of changes to PingDirectory Server that PingAuthorize Server needs, including the creation of a service account, run the `prepare-external-store` command.

   ### Example:

   ```json
   {pingauthorize}/bin/prepare-external-store \
     --hostname <your-ds-host> --port 1636 --useSSL --trustAll \
     --governanceTrustStorePath  {pingauthorize}/config/truststore \
     --governanceTrustStorePasswordFile \
    {pingauthorize}/config/truststore.pin \
     --bindDN "cn=directory manager" \
     --bindPassword <your-ds-password> \
     --governanceBindDN "cn=Authorize User,cn=Root DNs,cn=config" \
     --governanceBindPassword <your-pingauthorize-service-account-password> \
     --userStoreBaseDN "ou=people,dc=example,dc=com" \
     --no-prompt
   ```

2. To configure PingAuthorize Server with a store adapter that allows it to communicate with PingDirectory Server to retrieve identity attributes, run the `create-initial-config` command.

   |   |                                                                                                                                                                                                                                                    |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Using `create-initial-config` is optional. However, if you do not use it, you do not get the user's profile (the requester's attributes). For more information, see [User profile availability in policies](paz_user_profile_avail_policies.html). |

   ### Example:

   ```json
   {pingauthorize}/bin/create-initial-config \
     --no-prompt --port 8636 --useSSL --trustAll \
     --bindDN "cn=directory manager" \
     --bindPassword <your-pingauthorize-password> \
     --governanceBindPassword <your-pingauthorize-service-account-password> \
     --externalServerConnectionSecurity useSSL \
     --governanceTrustStorePath  {pingauthorize}/config/truststore \
     --governanceTrustStorePasswordFile \
    {pingauthorize}/config/truststore.pin \
     --userStoreBaseDN "ou=people,dc=example,dc=com" \
     --userStore "<your-ds-host>:1636:Austin" \
     --userObjectClass "inetOrgPerson" \
     --initialSchema pass-through
   ```

   This command also sets up a System for Cross-domain Identity Management (SCIM) resource type that defines a `Users` type with a SCIM schema that is automatically mapped to an LDAP type, `inetOrgPerson`, on PingDirectory Server.