Defining the LDAP user store with create-initial-config

The create-initial-config tool provides limited support for configuring SCIM and the user store configuration needed to connect the SCIM subsystem to a set of LDAP directory servers.

This tool creates the following configuration:

An LDAP store adapter named UserStoreAdapter
A load-balancing algorithm named User Store LBA
One or more LDAP external servers
(Optional) A SCIM resource type named Users
(Optional) SCIM schema, attributes, and attribute mappings for the Users resource type

If run interactively, create-initial-config walks you through the configuration process. You should be prepared to provide connection information for your directory servers.

You can also run create-initial-config noninteractively, which is useful when performing a scripted deployment. For an example, see Configuring the PingAuthorize user store.

The following table describes a key subset of the tool’s command-line options.

Option Description

Option	Description
`--governanceBindDN`	The bind DN for a user account that PingAuthorize Server will use to access backend LDAP servers. Create this account using the `prepare-external-store` tool.
`--governanceBindPassword`	The password for the above account.
`--userStore`	The host, LDAP / LDAPS port, and optional location of a backend LDAP server. You can specify this option once per each backend server.
`--userStoreBaseDN`	The base DN under which entries are stored.
`--userObjectClass`	The structural LDAP object class of entries for the SCIM subsystem to handle if `--initialSchema` has the `none` or `pass-through` value.
`--initialSchema`	The SCIM schema and resource type configuration to use. Supports the following values: `pass-through` Creates a pass-through SCIM resource type called `Users` for the LDAP object class specified by the `--userObjectClass` option. * `user` Creates a mapping SCIM resource type called `Users` with an example schema. For more information about this schema, see `<server-root>/resource/starter-schemas/README.txt`. * `none` Does not create a SCIM resource type.

--governanceBindDN

The bind DN for a user account that PingAuthorize Server will use to access backend LDAP servers. Create this account using the prepare-external-store tool.

--governanceBindPassword

The password for the above account.

--userStore

The host, LDAP / LDAPS port, and optional location of a backend LDAP server. You can specify this option once per each backend server.

--userStoreBaseDN

The base DN under which entries are stored.

--userObjectClass

The structural LDAP object class of entries for the SCIM subsystem to handle if --initialSchema has the none or pass-through value.

--initialSchema

The SCIM schema and resource type configuration to use. Supports the following values:

pass-through

Creates a pass-through SCIM resource type called Users for the LDAP object class specified by the --userObjectClass option. * user

Creates a mapping SCIM resource type called Users with an example schema. For more information about this schema, see <server-root>/resource/starter-schemas/README.txt. * none

Does not create a SCIM resource type.

For more information about running create-initial-config, see its help by running the following command:

create-initial-config --help

When using create-initial-config noninteractively, you should also run prepare-external-store for each backend LDAP server. This tool creates a privileged user account on the LDAP server for use by PingAuthorize Server and configures a set of global access control instructions (ACIs) needed by this account.