PingAuthorize

Defining the LDAP user store with create-initial-config

The create-initial-config tool provides limited support for configuring SCIM and the user store configuration needed to connect the SCIM subsystem to a set of LDAP directory servers.

This tool creates the following configuration:

  • An LDAP store adapter named UserStoreAdapter

  • A load-balancing algorithm named User Store LBA

  • One or more LDAP external servers

  • (Optional) A SCIM resource type named Users

  • (Optional) SCIM schema, attributes, and attribute mappings for the Users resource type

If run interactively, create-initial-config walks you through the configuration process. You should be prepared to provide connection information for your directory servers.

You can also run create-initial-config noninteractively, which is useful when performing a scripted deployment. For an example, see Configuring the PingAuthorize user store.

The following table describes a key subset of the tool’s command-line options.

Option Description

--governanceBindDN

The bind DN for a user account that PingAuthorize Server will use to access backend LDAP servers. Create this account using the prepare-external-store tool.

--governanceBindPassword

The password for the above account.

--userStore

The host, LDAP / LDAPS port, and optional location of a backend LDAP server. You can specify this option once per each backend server.

--userStoreBaseDN

The base DN under which entries are stored.

--userObjectClass

The structural LDAP object class of entries for the SCIM subsystem to handle if --initialSchema has the none or pass-through value.

--initialSchema

The SCIM schema and resource type configuration to use. Supports the following values:

  • pass-through

Creates a pass-through SCIM resource type called Users for the LDAP object class specified by the --userObjectClass option. * user

Creates a mapping SCIM resource type called Users with an example schema. For more information about this schema, see <server-root>/resource/starter-schemas/README.txt. * none

Does not create a SCIM resource type.

For more information about running create-initial-config, see its help by running the following command:

create-initial-config --help

When using create-initial-config noninteractively, you should also run prepare-external-store for each backend LDAP server. This tool creates a privileged user account on the LDAP server for use by PingAuthorize Server and configures a set of global access control instructions (ACIs) needed by this account.