---
title: Setting up PingDirectory for customer identities
description: PingFederate can optionally store customer identities in PingDirectory. After you have installed PingDirectory, update the LDAP schema with a new object class and a couple attributes to store customer identities and their connections.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_setting_up_pd_for_customer_identit
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_setting_up_pd_for_customer_identit.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: June 18, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Setting up PingDirectory for customer identities

PingFederate can optionally store customer identities in PingDirectory. After you have installed PingDirectory, update the LDAP schema with a new object class and a couple of attributes to store customer identities and their connections.

## About this task

Update the LDAP schema with a new object class and a couple of attributes using the provided LDIF file. To optimize performance, apply the index updates to the directory as well. In addition, you must configure in PingFederate an LDAP datastore connection to your PingDirectory and an LDAP Username password credential validator (PCV) instance for the HTML Form Adapter to validate user credentials. If you have previously created these components, you can reuse them.

Skip this configuration if your use case does not involve registration or profile management. For more information, see [Enabling third-party identity providers without registration](pf_enabling_thirdparty_identity_providers_without_registration.html).

## Steps

1. Update the LDAP schema.

   1. Sign on to the PingDirectory administrative console.

   2. Go to the **LDAP Schema > Schema Utilities** screen.

   3. Click **Import Schema Element**.

   4. Copy the schema changes from the `<pf_install>/pingfederate/server/default/conf/local-identity/ldif-scripts/local-identity-pingdirectory.ldif` file and paste them into the text area.

      If you are creating a new organizational unit as part of the LDIF import, edit the DN information.

   5. Click **Import**.

2. Create an equality index for the `pf-connected-identity` attribute.

   Use PingDirectory's `dsconfig` utility to create this index. The `dsconfig` utility is interactive, but you can also provide inputs as command arguments. For example, the following sample creates the `pf-connected-identity` index.

   ```shell
   $ bin/dsconfig create-local-db-index \
       --backend-name userRoot \
       --index-name pf-connected-identity \
       --set index-type:equality
   ```

   After adding the index, use the `rebuild-index` utility to build the indexes. For instance, the following sample builds the required index.

   ```shell
   $ bin/rebuild-index \
       --baseDN "dc=example,dc=com" \
       --index pf-connected-identity
   ```

3. Create an LDAP datastore connection to your PingDirectory on **System > Data Stores**.

   If you have already created an LDAP datastore connection to your PingDirectory, you can reuse it.

   When configuring the LDAP datastore connection to PingDirectory, you specify your service account with a bind distinguished name (DN) and password. This service account requires specific access control instructions (ACIs) in PingDirectory to enable PingFederate's Local Identity Profile (LIP) functionality. The specific ACIs depend on which LIP features you enable, such as user creation, authentication, password reset, profile updates, or account unlock. You can find detailed ACI examples and best practices in the following Ping Identity Support article: [Configuring PingDirectory and PingFederate for Self-service Password Reset](https://support.pingidentity.com/s/article/Configuring-PingDirectory-and-PingFederate-for-Self-service-Password-Reset).

4. Create an instance of the LDAP Username PCV on **System > Password Credential Validators** to validate user credentials stored in PingDirectory.

   If you have already created an LDAP Username PCV instance, you can reuse it.

   Later you will create a local identity profile as part of the customer IAM configuration. The **Search Base** value here should match the **Base DN** value defined in the local identity profile. For more information, see [Configuring LDAP base DN and attributes](pf_configuring_ldap_base_dn_attributes.html).

5. For the local identity profile management page to work correctly, enable PingDirectory's `ds-pwp-state-json` virtual attribute.

   Use PingDirectory's `dsconfig` utility and a command like the following to enable the `ds-pwp-state-json` virtual attribute for users with the object class `person`:

   ```shell
   dsconfig set-virtual-attribute-prop \
      --name "Password Policy State JSON" \
      --set enabled:true \
      --set require-explicit-request-by-name:true \
      --set "filter:(objectClass=person)"
   ```
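
A pre-import check for step 1, where you edit the DN information in the LDIF before pasting it into **Import Schema Element**: it lists entry DNs that are neither the schema entry nor under your base DN, including folded and base64-encoded DNs. This is an added example, not part of the Ping Identity documentation or tooling; the function names, the `dc=corp,dc=example,dc=net` base DN, and the sample LDIF are constructed for illustration, and it assumes the file's schema changes target `cn=schema`.

```python
import base64
import re
SCHEMA_DN = "cn=schema"  # assumption: schema changes target this entry

def unfold(ldif_text):
    """Join LDIF continuation lines (leading single space), then drop comments."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if not line.startswith("#")]

def entry_dns(ldif_text):
    """Return every entry DN, decoding base64 'dn::' values."""
    dns = []
    for line in unfold(ldif_text):
        if line.lower().startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def rdns(dn):
    """Split on unescaped commas; normalise case and spacing for comparison."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip().lower(), count=1) for p in parts]

def is_under(dn, base_dn):
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def unexpected_dns(ldif_text, base_dn):
    """DNs that are neither the schema entry nor inside the deployment's base DN."""
    return [dn for dn in entry_dns(ldif_text)
            if not is_under(dn, SCHEMA_DN) and not is_under(dn, base_dn)]

# Constructed sample, not the shipped local-identity-pingdirectory.ldif.
SAMPLE_LDIF = "\n".join([
    "# constructed comment line", "dn: cn=schema", "changetype: modify", "",
    "dn: ou=Customers, DC=corp,", " dc=example,dc=net", "changetype: add", "",
    "dn:: " + base64.b64encode(b"ou=Connections,dc=example,dc=com").decode(),
    "changetype: add",
])

if __name__ == "__main__":
    for dn in unexpected_dns(SAMPLE_LDIF, "dc=corp,dc=example,dc=net"):
        print("DN outside base DN, edit before import:", dn)
```

Pass the same base DN that you plan to use as the **Search Base** in the PCV and the **Base DN** in the local identity profile, so that any entry the import would create outside it is flagged before you click **Import**.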

## Related links

* [Installing the Server](https://docs.pingidentity.com/pingdirectory/latest/installing_the_pingdirectory_suite_of_products/pd_suite_installing_the_servers.html)

* [Using the schema editor utilities](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_server_administration_guide/pd_ds_schema_editor_utilities.html)

* [Working with indexes](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_server_administration_guide/pd_ds_work_with_indexes.html)

* [Configuring an LDAP connection](help_datasourcetasklet_ldapconfigstate.html)

* [Configuring the LDAP Username Password Credential Validator](pf_configure_ldap_username_pcv.html)
