---
title: Defining the LDAP user store with create-initial-config
description: The create-initial-config tool provides limited support for configuring SCIM and the user store configuration needed to connect the SCIM subsystem to a set of LDAP directory servers.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_define_ldap_create_initial_config
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_define_ldap_create_initial_config.html
revdate: August 15, 2023
---

# Defining the LDAP user store with create-initial-config

The `create-initial-config` tool provides limited support for configuring SCIM and the user store configuration needed to connect the SCIM subsystem to a set of LDAP directory servers.

This tool creates the following configuration:

* An LDAP store adapter named `UserStoreAdapter`

* A load-balancing algorithm named `User Store LBA`

* One or more LDAP external servers

* (Optional) A SCIM resource type named `Users`

* (Optional) SCIM schema, attributes, and attribute mappings for the `Users` resource type

If run interactively, `create-initial-config` walks you through the configuration process. You should be prepared to provide connection information for your directory servers.

You can also run `create-initial-config` noninteractively, which is useful when performing a scripted deployment. For an example, see [Configuring the PingAuthorize user store](paz_config_paz_user_store.html).

The following table describes a key subset of the tool's command-line options.

| Option                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--governanceBindDN`       | The bind DN for a user account that PingAuthorize Server will use to access backend LDAP servers. Create this account using the `prepare-external-store` tool.                                                                                                                                                                                                                                                                                                                         |
| `--governanceBindPassword` | The password for the above account.                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| `--userStore`              | The host, LDAP / LDAPS port, and optional location of a backend LDAP server. You can specify this option once for each backend server. |
| `--userStoreBaseDN`        | The base DN under which entries are stored.                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `--userObjectClass`        | The structural LDAP object class of entries for the SCIM subsystem to handle if `--initialSchema` has the `none` or `pass-through` value.                                                                                                                                                                                                                                                                                                                                              |
| `--initialSchema`          | The SCIM schema and resource type configuration to use. Supports the following values:<br>• `pass-through`: Creates a pass-through SCIM resource type called `Users` for the LDAP object class specified by the `--userObjectClass` option.<br>• `user`: Creates a mapping SCIM resource type called `Users` with an example schema. For more information about this schema, see `<server-root>/resource/starter-schemas/README.txt`.<br>• `none`: Does not create a SCIM resource type. |

For more information about running `create-initial-config`, see its help by running the following command:

```
create-initial-config --help
```

When using `create-initial-config` noninteractively, you should also run `prepare-external-store` for each backend LDAP server. This tool creates a privileged user account on the LDAP server for use by PingAuthorize Server and configures a set of global access control instructions (ACIs) needed by this account.
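
For a scripted deployment, the option values from the table can be checked before the tool is invoked. The following wrapper is an added example, not part of the PingAuthorize documentation or product. The function names and the `GOVERNANCE_BIND_PASSWORD` and `CREATE_INITIAL_CONFIG` environment variables are assumptions, and it covers only the options listed in the table above, not any other options a noninteractive run needs.

```shell
#!/bin/sh
# Added example: pre-flight checks before a scripted create-initial-config run.
# Function names and both environment variables are assumptions of this sketch.

# valid_user_store HOST:PORT[:LOCATION] -> exit status 0 if well formed.
# IPv6 literals are not handled.
valid_user_store() {
  case $1 in *:*:*:* | *:) return 1 ;; esac      # too many fields / empty tail
  vus_host=${1%%:*}
  vus_rest=${1#*:}
  [ -n "$vus_host" ] && [ "$vus_rest" != "$1" ] || return 1
  vus_port=${vus_rest%%:*}
  case $vus_port in '' | *[!0-9]*) return 1 ;; esac
  [ "$vus_port" -ge 1 ] && [ "$vus_port" -le 65535 ]
}

# run_create_initial_config SCHEMA BIND_DN BASE_DN OBJECT_CLASS STORE...
run_create_initial_config() {
  [ $# -ge 5 ] || { echo "need schema, bind DN, base DN, object class, store(s)" >&2; return 2; }
  cic_schema=$1 cic_bind_dn=$2 cic_base_dn=$3 cic_class=$4
  shift 4
  case $cic_schema in
    pass-through | none)
      # This sketch insists on an explicit object class for these two values.
      [ -n "$cic_class" ] || { echo "set an object class for $cic_schema" >&2; return 2; } ;;
    user) cic_class= ;;   # the table ties --userObjectClass to the other two values
    *) echo "unknown --initialSchema value: $cic_schema" >&2; return 2 ;;
  esac
  # The password comes from the environment so it is not written into the script
  # (it is still handed to the tool as an argument, as the option requires).
  [ -n "${GOVERNANCE_BIND_PASSWORD:-}" ] || { echo "GOVERNANCE_BIND_PASSWORD is unset" >&2; return 2; }
  cic_n=$#
  while [ "$cic_n" -gt 0 ]; do   # rewrite each STORE as: --userStore STORE
    valid_user_store "$1" || { echo "bad --userStore value: $1" >&2; return 2; }
    set -- "$@" --userStore "$1"
    shift
    cic_n=$((cic_n - 1))
  done
  set -- --governanceBindDN "$cic_bind_dn" \
    --governanceBindPassword "$GOVERNANCE_BIND_PASSWORD" \
    --userStoreBaseDN "$cic_base_dn" --initialSchema "$cic_schema" "$@"
  [ -z "$cic_class" ] || set -- "$@" --userObjectClass "$cic_class"
  # CREATE_INITIAL_CONFIG lets a deployment (or a test) point at the real binary.
  "${CREATE_INITIAL_CONFIG:-create-initial-config}" "$@"
}
```

The wrapper returns status 2 without invoking the tool when a value fails a check, so a deployment script can stop before any configuration is written.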
