---
title: Specifying directory properties and attributes
description: Use these instructions to initiate ways to specify methods for PingFederate to search for particular user data.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_specify_directory_properties_and_attributes
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_specify_directory_properties_and_attributes.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 2, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  example: Example
---

# Specifying directory properties and attributes

Use these instructions to specify how PingFederate searches your directory for particular user data.

## About this task

On the **LDAP Directory Search** window, specify the branch of your directory hierarchy where you want PingFederate to look up user data. For more information about each field, refer to the following table.

| Field                 | Description                                                                                                                                                    |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Base DN**           | The base distinguished name (DN) of the tree structure in which the search begins. This field is optional if records are located at the root of the directory. |
| **Search Scope**      | The node depth of the query. Select **Subtree** (the default value), **One level** or **Object**.                                                              |
| **Root Object Class** | The object class containing the desired attributes.                                                                                                            |
| **Attributes**        | A list of attributes based on the selected **Root Object Class** value.                                                                                        |
| **Option** (optional) | The attribute option for the selected attribute.                                                                                                               |

## Steps

1. (Optional) Specify a base DN.

   |   |                                                                                                                                                                                                                                       |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Choose a base DN that is as specific as possible for your search. A broad base DN can result in longer search times and increased network traffic, while a narrow base DN can help ensure that your search is accurate and efficient. |

2. Select a search scope.

3. (Optional) Click **View Attribute Contract** to determine what attributes to look up.

4. Select a root object class, an attribute, and, optionally, enter an **Option**. Click **Add Attribute**.

   |   |                                                                                                                                                                                                                                                                                                                 |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You do not have to add an attribute here to use it as part of a search filter. Add only the attributes that are required by subsequent sibling configuration items, such as contract fulfillment or token authorization. Any added attributes that are left unused are removed when the configuration is saved. |

   ### Choose from:

   * Microsoft Active Directory

     If you choose the `memberOf` attribute, an optional checkbox, **Nested Groups**, appears on the right. Select this checkbox if you want PingFederate to query for groups the end users belong to directly and indirectly through nested group membership (if any) under the base DN.

     For example, suppose you have three groups under a base DN: Canada, Washington, and Seattle. Seattle is a member of Washington. Ana Smith is an end user and a member of Seattle. If the **Nested Groups** checkbox is selected, when PingFederate queries for Ana's `memberOf` attribute values, the expected results are Seattle and Washington. When the **Nested Groups** checkbox is not selected (the default), the expected result is Seattle.

     |   |                                                                                                                                       |
     | - | ------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Do not enter any value for the **Option** field. Only the attributes that are defined in the directory server schema can be returned. |

   * Oracle Directory Server or Oracle Unified Directory

     Choose `isMemberOf` under **Attribute** for nested group membership. Learn more in [isMemberOf](https://docs.oracle.com/cd/E29127_01/doc.111170/e28967/ismemberof-5dsat.htm) in the Oracle documentation. For information related to Oracle Unified Directory, go to [Fusion Middleware Administering Oracle Unified Directory](https://docs.oracle.com/cd/E52734_01/oud/OUDAG/toc.htm) and search for *memberof user attributes*.

     |   |                                                                                                                                                                                                                                                                                                                                                                   |
     | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | If you need to include `tokenGroups` as one of the attributes, select **Object** as the search scope and enter a base DN matching the subject DN of the authenticated user—you can use variables from the authentication source (an adapter or an authentication policy contract) or results from the previous lookup in the base DN to fulfill this requirement. |

5. Repeat step 4 to add more attributes as needed.
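
The **Nested Groups** behavior described in step 4, modeled as an added Python example (not PingFederate code or its actual query logic): it computes the `memberOf` results for the Ana Smith scenario with the checkbox cleared and selected, which is the set of group values that later items such as contract fulfillment or token authorization would receive. The group DNs, the `member_of` helper, and the reading of "under the base DN" as a filter on returned groups are assumptions of this sketch.

```python
# Added illustration: an in-memory model of group nesting, not PingFederate code.
# All DNs below are constructed sample data.

def rdns(dn):
    """Normalize a DN to a tuple of lowercased RDNs (no escaped-comma support)."""
    return tuple(part.strip().lower() for part in dn.split(",") if part.strip())

def under(dn, base_dn):
    """True if dn equals base_dn or sits below it in the tree."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# memberOf values per entry: the groups each entry is a *direct* member of.
MEMBER_OF = {
    "CN=Ana Smith,OU=West,DC=example,DC=com": ["CN=Seattle,OU=West,DC=example,DC=com"],
    "CN=Seattle,OU=West,DC=example,DC=com": ["CN=Washington,OU=West,DC=example,DC=com"],
    "CN=Washington,OU=West,DC=example,DC=com": [],
    "CN=Canada,OU=West,DC=example,DC=com": [],
}

def member_of(entry_dn, base_dn, nested=False, directory=MEMBER_OF):
    """Return group DNs for entry_dn: direct only, or including nested groups.

    Assumption of this sketch: groups outside base_dn are neither returned
    nor followed. Directory keys must match the stored DN strings exactly.
    """
    found, queue = [], [entry_dn]
    seen = {rdns(entry_dn)}
    while queue:
        current = queue.pop(0)
        for group in directory.get(current, []):
            key = rdns(group)
            if key in seen or not under(group, base_dn):
                continue  # skip cycles, duplicates, and groups outside the base DN
            seen.add(key)
            found.append(group)
            if nested:
                queue.append(group)  # follow the group's own memberOf values
    return found
```

Because every group a user reaches through nesting becomes an attribute value, selecting the checkbox can widen what downstream authorization decisions see; comparing both result sets for a sample user before enabling it shows the difference.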

## Example

Suppose you want to map the `sn` Active Directory (AD) user attribute into an OpenID Connect policy. The users for this use case reside under a specific container on your directory server, `OU=West, DC=example, DC=com`.

On the **LDAP Directory Search** window, enter `OU=West, DC=example, DC=com` as the base DN, keep the default **Search Scope** value (**Subtree**), select **\<Show All Attributes>** from the **Root Object Class** list, select the `sn` AD user attribute, and click **Add Attribute**.
