PingAuthorize

Defining the LDAP user store manually

If you require more flexibility than create-initial-config provides, you can manually configure the SCIM subsystem and its connectivity to the LDAP user store. However, if you have not done this before, first use create-initial-config to generate an example configuration and then customize that configuration.

About this task

This task shows how to define two backend LDAP servers and a failover load-balancing algorithm. It also shows how to connect the load-balancing algorithm to an existing LDAP store adapter named UserStoreAdapter.

The example is simplified and does not cover SSL connection management in detail. When using SSL to connect to an LDAP external server, you must configure PingAuthorize Server to trust the server certificate presented by the LDAP external server by using a trust manager provider (the example below uses the JKS trust manager provider). Note that the --trustAll option in step 1 accepts any server certificate and is shown only for the example.

Steps

  1. Run prepare-external-store for each backend LDAP server. This tool binds with the administrative credentials given by --bindDN and creates the service account named by --governanceBindDN with the access rights needed by PingAuthorize Server.

    Example:

    prepare-external-store \
      --hostname ds1.example.com \
      --port 636 \
      --useSSL \
      --trustAll \
      --bindDN "cn=directory manager" \
      --bindPassword password \
      --governanceBindDN 'cn=Authorize User,cn=Root DNs,cn=config' \
      --governanceBindPassword password \
      --userStoreBaseDN 'ou=People,dc=example,dc=com'
  2. Create an LDAP external server entry for each backend LDAP server. This configures how PingAuthorize Server connects to each LDAP server.

    Example:

    dsconfig create-external-server \
      --server-name DS1 \
      --type ping-identity-ds \
      --set server-host-name:ds1.example.com \
      --set server-port:636 \
      --set location:Minneapolis \
      --set 'bind-dn:cn=Authorize User, cn=Root DNs,cn=config' \
      --set password:password \
      --set connection-security:ssl \
      --set key-manager-provider:Null \
      --set trust-manager-provider:JKS
    
    dsconfig create-external-server \
      --server-name DS2 \
      --type ping-identity-ds \
      --set server-host-name:ds2.example.com \
      --set server-port:636 \
      --set location:Minneapolis \
      --set 'bind-dn:cn=Authorize User, cn=Root DNs,cn=config' \
      --set password:password \
      --set connection-security:ssl \
      --set key-manager-provider:Null \
      --set trust-manager-provider:JKS
  3. Create a failover load-balancing algorithm that uses the two LDAP external servers.

    Example:

    dsconfig create-load-balancing-algorithm \
      --algorithm-name 'User Store LBA' \
      --type failover \
      --set enabled:true \
      --set backend-server:DS1 \
      --set backend-server:DS2
  4. Assign the load-balancing algorithm to an LDAP store adapter. This example assumes that the store adapter UserStoreAdapter already exists.

    Example:

    dsconfig set-store-adapter-prop \
      --adapter-name UserStoreAdapter \
      --set 'load-balancing-algorithm:User Store LBA'
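The following script is an added example, not Ping Identity's own tooling: it generates the dsconfig commands from steps 2 through 4 for any number of backend hosts, so the failover algorithm lists one backend-server per host. The hostnames, the PA_LOCATION and PA_SERVICE_PASSWORD environment variables, and feeding the output to dsconfig as a batch file are assumptions.

```shell
#!/bin/sh
# Constructed example: emit the dsconfig commands for an arbitrary list of
# backend LDAP hosts (assumption: the output is fed to dsconfig as a batch file).
# The service-account password comes from an environment variable so that it
# does not sit in the script itself.

# Emit the create-external-server command for one backend.
# Arguments: server name (e.g. DS1), hostname.
emit_external_server() {
  name="$1"; host="$2"
  printf 'create-external-server --server-name %s --type ping-identity-ds' "$name"
  printf ' --set server-host-name:%s --set server-port:636' "$host"
  printf ' --set location:%s' "${PA_LOCATION:-Minneapolis}"
  printf ' --set "bind-dn:cn=Authorize User,cn=Root DNs,cn=config"'
  printf ' --set password:%s' "${PA_SERVICE_PASSWORD:-CHANGEME}"
  printf ' --set connection-security:ssl --set key-manager-provider:Null'
  printf ' --set trust-manager-provider:JKS\n'
}

# Emit the whole batch: one external server per host, a failover algorithm that
# lists every host as a backend, then the store adapter assignment.
# Arguments: adapter name, algorithm name, then one or more hostnames.
emit_user_store_batch() {
  adapter="$1"; algorithm="$2"; shift 2
  [ "$#" -ge 1 ] || { echo "need at least one backend hostname" >&2; return 1; }
  i=1
  backends=""
  for host in "$@"; do
    emit_external_server "DS$i" "$host"
    backends="$backends --set backend-server:DS$i"
    i=$((i + 1))
  done
  printf 'create-load-balancing-algorithm --algorithm-name "%s" --type failover --set enabled:true%s\n' \
    "$algorithm" "$backends"
  printf 'set-store-adapter-prop --adapter-name %s --set "load-balancing-algorithm:%s"\n' \
    "$adapter" "$algorithm"
}

# Count the backend-server entries in a batch read from stdin, to confirm that
# every host ended up in the failover algorithm.
count_backends() {
  grep -o 'backend-server:DS[0-9]*' | wc -l | tr -d ' '
}
```

Run `emit_user_store_batch UserStoreAdapter "User Store LBA" ds1.example.com ds2.example.com` to reproduce the two-server configuration from the steps above.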