---
title: Defining the LDAP user store manually
description: If you require more flexibility than create-initial-config provides, you can manually configure the SCIM subsystem and its connectivity to the LDAP user store. However, if you have not done this before, first use create-initial-config to generate an example configuration and then customize that configuration.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_define_ldap_manually
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_define_ldap_manually.html
revdate: July 29, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
---

# Defining the LDAP user store manually

If you require more flexibility than `create-initial-config` provides, you can manually configure the SCIM subsystem and its connectivity to the LDAP user store. However, if you have not done this before, first use `create-initial-config` to generate an example configuration and then customize that configuration.

## About this task

This task shows how to define two backend LDAP servers and a failover load-balancing algorithm. It also shows how to connect the load-balancing algorithm to an existing LDAP store adapter named `UserStoreAdapter`.

The example is simplified and does not discuss SSL connection management. When using SSL to connect to an LDAP external server, you must configure PingAuthorize Server to trust the server certificate presented by the LDAP external server using a trust manager provider.

## Steps

1. Run `prepare-external-store` for each backend LDAP server. This tool creates a service account with the access rights needed by PingAuthorize Server.

   ### Example:

   ```
   prepare-external-store \
     --hostname ds1.example.com \
     --port 636 \
     --useSSL \
     --trustAll \
     --bindDN "cn=directory manager" \
     --bindPassword password \
     --governanceBindDN 'cn=Authorize User,cn=Root DNs,cn=config' \
     --governanceBindPassword password \
     --userStoreBaseDN 'ou=People,dc=example,dc=com'
   ```

2. Create an LDAP external server entry for each backend LDAP server. This configures how PingAuthorize Server connects to each LDAP server.

   ### Example:

   ```
   dsconfig create-external-server \
     --server-name DS1 \
     --type ping-identity-ds \
     --set server-host-name:ds1.example.com \
     --set server-port:636 \
     --set location:Minneapolis \
     --set 'bind-dn:cn=Authorize User, cn=Root DNs,cn=config' \
     --set password:password \
     --set connection-security:ssl \
     --set key-manager-provider:Null \
     --set trust-manager-provider:JKS

   dsconfig create-external-server \
     --server-name DS2 \
     --type ping-identity-ds \
     --set server-host-name:ds2.example.com \
     --set server-port:636 \
     --set location:Minneapolis \
     --set 'bind-dn:cn=Authorize User, cn=Root DNs,cn=config' \
     --set password:password \
     --set connection-security:ssl \
     --set key-manager-provider:Null \
     --set trust-manager-provider:JKS
   ```

3. Create a failover load-balancing algorithm that uses the two LDAP external servers.

   ### Example:

   ```
   dsconfig create-load-balancing-algorithm \
     --algorithm-name 'User Store LBA' \
     --type failover \
     --set enabled:true \
     --set backend-server:DS1 \
     --set backend-server:DS2
   ```

4. Assign the load-balancing algorithm to an LDAP store adapter. This example assumes that the store adapter `UserStoreAdapter` already exists.

   ### Example:

   ```
   dsconfig set-store-adapter-prop \
     --adapter-name UserStoreAdapter \
     --set 'load-balancing-algorithm:User Store LBA'
   ```
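
A pre-flight audit for a file of commands like those in steps 1 through 4, added here as an example and not part of Ping Identity's tooling. It flags `--trustAll`, passwords passed inline, external servers without an encrypted connection or a trust manager provider, and load-balancing algorithms that name a backend server with no `create-external-server` entry. The names `audit_commands` and `write_sample` and the sample file are assumptions made for illustration; server names containing spaces are not handled.

```shell
# Added example, not Ping Identity code. audit_commands FILE prints one finding
# per line and returns the number of findings as its exit status.
audit_commands() {
  awk '
    function report(msg) { print FILENAME ": command " ncmd ": " msg; found++ }
    function check(c,    w, n, i, name) {
      ncmd++
      if (c ~ /--trustAll/)
        report("--trustAll accepts any server certificate")
      if (c ~ /--[A-Za-z]*Password / || c ~ /--set .?password:/)
        report("inline password is exposed in shell history and process list")
      if (c ~ /create-external-server/) {
        if (match(c, /--server-name [^ ]+/))
          servers[substr(c, RSTART + 14, RLENGTH - 14)] = 1
        # starttls is assumed to be the other encrypted connection-security value.
        if (c !~ /connection-security:(ssl|starttls)/)
          report("external server connection is not encrypted")
        if (c !~ /trust-manager-provider:/)
          report("no trust manager provider set")
      }
      if (c ~ /create-load-balancing-algorithm/) {
        n = split(c, w, /[ \t]+/)
        for (i = 1; i <= n; i++) {
          if (w[i] !~ /^backend-server:/) continue
          name = substr(w[i], 16)
          if (!(name in servers))
            report("backend-server " name " has no create-external-server entry")
        }
      }
    }
    # Join backslash-continued lines into one logical command, then check it.
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
    { cmd = buf $0; buf = ""; if (cmd ~ /[^ \t]/) check(cmd) }
    END { exit found }
  ' "$1"
}

# Constructed sample: steps 1-3 of this page, shortened, with DS2 left undefined.
write_sample() {
  cat > "$1" <<'EOF'
prepare-external-store --hostname ds1.example.com --port 636 --useSSL \
  --trustAll --bindDN "cn=directory manager" --bindPassword password
dsconfig create-external-server --server-name DS1 --type ping-identity-ds \
  --set password:password --set connection-security:ssl --set trust-manager-provider:JKS
dsconfig create-load-balancing-algorithm --algorithm-name 'User Store LBA' \
  --type failover --set backend-server:DS1 --set backend-server:DS2
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_commands "$sample" || echo "findings: $?"; rm -f "$sample"
```

Run it against the command file before executing that file; a zero exit status means none of these four conditions were found.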
