---
title: Modifying source settings
description: You can modify the source settings for the datastore configuration in the PingFederate administrative console. You can add, change, and remove user information.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_modifying_source_settings
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_modifying_source_settings.html
revdate: July 21, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Modifying source settings

You can modify the source settings for the datastore configuration in the PingFederate administrative console. You can add, change, and remove user information.

## About this task

The **Source Settings** tab shows the default configuration of the datastore selected on the **Source** tab. This includes settings used by the PingFederate provisioner to determine when user information is added, changed, or removed.

If Microsoft Active Directory is your provisioning source, make sure that only one host is configured in the **Data Source** host name. Multiple host name values could result in some record changes not being detected and thus not provisioned.

![Screen capture illustrating the Source Settings tab, based on a Microsoft Active Directory user store.](_images/iqu1564003443753.jpg)

The following table contains more information about each field:

| Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Entry GUID Attribute**           | The name of the attribute in the datastore representing the user's GUID.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **GUID Type** | Indicates whether the GUID is stored in binary or text format. Microsoft Active Directory is always binary. Other LDAP stores most often use text.<br><br>If you select Binary, make sure that the entered Entry GUID Attribute is also set as a binary attribute in the source LDAP datastore. Learn more in Setting advanced LDAP options. |
| **Member of Group Attribute** | A multivalued user attribute containing the distinguished names (DNs) of the groups to which an entry belongs. This attribute only applies to some LDAP servers, such as Microsoft Active Directory. When this attribute doesn't apply, the **Group Member Attribute** is used instead. Microsoft Active Directory uses both values to provide a two-way mapping between user and group objects. |
| **Group Member Attribute**         | The name of a multivalued group attribute used to track membership in the group using either DN or GUID values.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| **User objectClass** | The LDAP object class to which user entries belong, used to restrict search results to user entries only. The default value is:<br>- `inetOrgPerson` if the **Data Source** is PingDirectory<br>- `person` if the **Data Source** is Oracle Directory Server or Oracle Unified Directory<br>- `objectGUID` if the **Data Source** is Microsoft Active Directory |
| **Group objectClass**              | The LDAP object class to which group entries belong, used to restrict search results to group entries only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Changed Users/Groups Algorithm** | The method by which PingFederate determines if user records have been updated or new records added, thus requiring provisioning updates at the target site. The options are:<br>- **Active Directory USN**: For Microsoft Active Directory only, this algorithm queries for update sequence numbers on user records that are larger than the last time records were checked.<br>- **Timestamp**: Queries for timestamps on user records that are not older than the last time records were checked. This check is more efficient from the perspective of the PingFederate provisioner but can be more time consuming on the LDAP side, particularly with Oracle Unified Directory and Oracle Directory Server.<br>- **Timestamp No Negation**: Queries for timestamps on user records that are newer than the last time records were checked. This algorithm is recommended for Oracle Unified Directory and Oracle Directory Server. |
| **USN Attribute**                  | The name of the attribute used to store the update sequence number. Applicable when the Microsoft Active Directory algorithm is chosen in the row above.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **Timestamp Attribute** | The name of the attribute used to store the timestamp on user records.<br><br>This attribute name is case-sensitive. Ensure the attribute name matches the name your directory uses. For example, in PingDirectory and Oracle, the attribute is `modifyTimestamp`, which has different capitalization than the attribute in Microsoft Active Directory, `modifyTimeStamp`. |
| **Account Status Attribute**       | The name of the attribute in which the user's account status, active or inactive, is stored. For example, Microsoft Active Directory = `userAccountControl` and Oracle Directory Server = `nsaccountlock`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **Account Status Algorithm** | The method by which PingFederate determines a user's account status. The values are:<br>- **Active Directory Bitmap** for Microsoft Active Directory, which uses a bitmap for each user entry. Learn more about `userAccountControl` flags in [Use the UserAccountControl flags to manipulate user account properties](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties) in the Microsoft documentation.<br>- **Flag**: For Oracle Unified Directory, Oracle Directory Server, and other LDAP directories that use a separate attribute to store the user's status. When this option is selected, the **Flag Comparison Value** and **Flag Comparison Status** fields are also used. |
| **Default Status**                 | Indicates the user's status if the attribute is missing.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **Flag Comparison Value** | Indicates the value for the attribute, such as `nsaccountlock`, that PingFederate expects to be returned. The value is case-sensitive.<br><br>Used when the **Account Status Algorithm** is set to **Flag**. |
| **Flag Comparison Status** | Indicates whether the user is enabled (**true**) or disabled (**false**) when the flag has the value specified in the **Flag Comparison Value** field.<br><br>For example, if the **Account Status Attribute** is set to `nsaccountlock`, the **Flag Comparison Value** is set to `true`, and the **Flag Comparison Status** is set to `false`, then any users with `nsaccountlock=true` are disabled.<br><br>Used when the **Account Status Algorithm** is set to **Flag**. |
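
The following added example (not PingFederate code) shows how the account status fields in the table combine, so you can check a planned configuration against sample entries before relying on it to deprovision disabled users. The names `StatusSettings`, `is_enabled`, and `audit` and all entries are constructed for illustration; treating a non-matching flag value as the opposite of **Flag Comparison Status** is an assumption, and `0x0002` is the ACCOUNTDISABLE bit from the Microsoft `userAccountControl` documentation.

```python
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional

UAC_ACCOUNTDISABLE = 0x0002  # ACCOUNTDISABLE bit of userAccountControl


@dataclass(frozen=True)
class StatusSettings:
    """Hypothetical mirror of the account status fields on the Source Settings tab."""
    account_status_attribute: str
    account_status_algorithm: str  # "Active Directory Bitmap" or "Flag"
    default_status: bool           # True = enabled when the attribute is missing
    flag_comparison_value: Optional[str] = None
    flag_comparison_status: Optional[bool] = None


def is_enabled(entry: Mapping[str, List[str]], s: StatusSettings) -> bool:
    """Return True if the entry counts as enabled under the given settings."""
    values = entry.get(s.account_status_attribute)
    if not values:
        return s.default_status  # Default Status covers a missing attribute
    raw = values[0]
    if s.account_status_algorithm == "Active Directory Bitmap":
        return (int(raw) & UAC_ACCOUNTDISABLE) == 0
    if s.account_status_algorithm == "Flag":
        if s.flag_comparison_value is None or s.flag_comparison_status is None:
            raise ValueError("Flag algorithm needs both Flag Comparison fields")
        if raw == s.flag_comparison_value:  # case-sensitive, as the table states
            return s.flag_comparison_status
        return not s.flag_comparison_status  # assumption: non-match means the opposite
    raise ValueError(f"unknown algorithm: {s.account_status_algorithm}")


def audit(entries: Mapping[str, Mapping[str, List[str]]], s: StatusSettings) -> Dict[str, bool]:
    """Map each DN to its computed enabled (True) or disabled (False) status."""
    return {dn: is_enabled(attrs, s) for dn, attrs in entries.items()}


# Constructed sample entries (not from a real directory).
AD = StatusSettings("userAccountControl", "Active Directory Bitmap", default_status=True)
AD_ENTRIES = {
    "CN=alice,DC=example,DC=com": {"userAccountControl": ["512"]},    # normal account
    "CN=bob,DC=example,DC=com": {"userAccountControl": ["514"]},      # 512 + ACCOUNTDISABLE
    "CN=svc,DC=example,DC=com": {"userAccountControl": ["66050"]},    # disabled, no expiry
}
FLAG = StatusSettings("nsaccountlock", "Flag", default_status=True,
                      flag_comparison_value="true", flag_comparison_status=False)
FLAG_ENTRIES = {
    "uid=carol,ou=people,dc=example,dc=com": {},                          # attribute missing
    "uid=dave,ou=people,dc=example,dc=com": {"nsaccountlock": ["true"]},
    "uid=erin,ou=people,dc=example,dc=com": {"nsaccountlock": ["TRUE"]},  # case mismatch
}

if __name__ == "__main__":
    for dn, enabled in {**audit(AD_ENTRIES, AD), **audit(FLAG_ENTRIES, FLAG)}.items():
        print(f"{'enabled ' if enabled else 'DISABLED'}  {dn}")
```

Under the stated assumption, the `erin` entry evaluates as enabled because `TRUE` does not match the case-sensitive comparison value `true`, so confirm the exact value your directory returns before setting **Flag Comparison Value**.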

If you're using PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server, you usually don't need to make changes on this tab unless your datastore uses a customized schema.

If you're using a different LDAP directory, you must supply the required information on this tab unless you have defined a template for the datastore. Learn more in the `<pf_install>/pingfederate/server/default/conf/template/ldap-templates/sample.template.txt` file.

## Steps

1. Modify the settings, as needed.

2. Click **Next**.
