---
title: Configuring a PingOne LDAP Gateway datastore
description: The PingOne Lightweight Directory Access Protocol (LDAP) Gateway reduces the complexity of moving to the cloud while maintaining connectivity to on-premise end-user data.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_p1_ldap_gateway_datastore
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_p1_ldap_gateway_datastore.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 10, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Configuring a PingOne LDAP Gateway datastore

The PingOne Lightweight Directory Access Protocol (LDAP) Gateway reduces the complexity of moving to the cloud while maintaining connectivity to on-premise end-user data. LDAP is an open, cross-platform protocol used for interacting with directory services.

## Before you begin

Make sure you have the following in place:

* A PingOne environment configured with an LDAP gateway. Learn more in [Gateways](https://docs.pingidentity.com/pingone/integrations/p1_gateways.html) and [Adding a LDAP Gateway](https://docs.pingidentity.com/pingone/integrations/p1_add_ldap_gateway.html).

* A connection between PingFederate and PingOne. Learn more in [Creating connections to PingOne](help_p1connections_p1connectioncreate.html).

## About this task

When PingFederate is deployed off-premise as a PingOne Advanced Service or in your own cloud deployment, you can configure the PingOne LDAP Gateway datastore to enable PingFederate to access an on-premise LDAP directory for HTML Form Adapter functionality, provisioning, customer identity access management (CIAM), and other areas.

When users authenticate through the PingFederate HTML form adapter that involves the PingOne LDAP Gateway, they aren't provisioned into PingOne. Learn more about provisioning into PingOne using an LDAP gateway in [Configuring provisioning](https://docs.pingidentity.com/pingone/integrations/p1_configure_provisioning_overview.html) in the PingOne documentation.

You can't use the PingOne LDAP Gateway for grant storage, persistent authentication sessions, and OAuth client records. All other LDAP datastore functionality works in the same way as the direct LDAP datastore.

## Steps

1. Go to **System > Data & Credential Stores > Data Stores**.

2. On the **Data Stores** page, click **Add New Data Store**.

3. On the **Data Store Type** tab, enter a name for the datastore in the **Name** field.

4. In the **Type** list, select **PingOne LDAP Gateway**.

5. (Optional) To mask attribute values returned from this datastore in PingFederate logs, select the **Mask Values in Log** checkbox.

6. Click **Next**.

7. On the **LDAP Gateway Configuration** page, configure your LDAP Gateway as follows.

   1. In the **PingOne Environment** list, select your PingOne environment.

   2. In the **PingOne LDAP Gateway** list, select your PingOne LDAP gateway.

8. Click **Test Connection** to determine whether the administrative node can communicate with the specified datastore.

   * Datastore validation isn't enabled during configuration, which lets you configure datastores without requiring a successful connection between the administrative node and the datastore. You can also save the datastore even if the connection isn't currently successful.

   * Due to the implementation of Client TLS Certificate Authentication in Active Directory, when the **LDAP Type** is **Active Directory** and the **Authentication Method** is **Client TLS Certificate**, the connection test always succeeds, even when an incorrect certificate is selected. The incorrect certificate only shows up when PingFederate attempts to retrieve data from the datastore, because the connection then fails to bind.

9. Click **Advanced** to configure LDAP attributes to be handled as binary data.

10. Click **Next** to view the summary of your LDAP gateway datastore configuration.

11. Click **Save**.
