PingFederate Server

Modifying source settings

You can modify the source settings for the datastore configuration in the PingFederate administrative console. You can add, change, and remove user information.

About this task

The Source Settings tab shows the default configuration of the datastore selected on the Source tab, including settings used by the PingFederate provisioner to determine when user information is added, changed, or removed.

Screen capture illustrating the Source Settings tab, based on a Microsoft Active Directory user store.

See the following table for more information about each field.

Field Description

Entry GUID Attribute

The name of the attribute in the datastore representing the user’s GUID.

GUID Type

Indicates whether the GUID is stored in binary or text format. Microsoft Active Directory is always binary. Other LDAP stores most often use text.

If binary is selected, ensure that the entered Entry GUID Attribute is also set as a binary attribute in the source LDAP datastore. For more information, see Setting advanced LDAP options.

Member of Group Attribute

A multivalued user attribute containing the distinguished names (DNs) of the groups to which an entry belongs. This attribute only applies to some LDAP servers, such as Microsoft Active Directory. When this attribute doesn’t apply, the Group Member Attribute is used instead. Microsoft Active Directory use both values to provide a two-way mapping between user and group objects.

Group Member Attribute

The name of a multivalued group attribute used to track membership in the group using either DN or GUID values.

User objectClass

The LDAP object class to which user entries belong, used to restrict search results to user entries only. The default value is:

  • inetOrgPerson if the Data Source is PingDirectory

  • person if the Data Source is Oracle Directory Server or Oracle Unifier Directory

  • objectGUID if the Data Source is Microsoft Active Directory

Group objectClass

The LDAP object class to which group entries belong, used to restrict search results to group entries only.

Changed Users/Groups Algorithm

The method by which PingFederate determines if user records have been updated or new records added, thus requiring provisioning updates at the target site. The three choices are:

  • Active Directory USN – For Microsoft Active Directory only, this algorithm queries for update sequence numbers on user records that are larger than the last time records were checked.

  • Timestamp – Queries for timestamps on user records that are not older than the last time records were checked. This check is more efficient from the perspective of the PingFederate provisioner but can be more time consuming on the LDAP side, particularly with Oracle Unified Directory and Oracle Directory Server.

  • Timestamp No Negation – Queries for timestamps on user records that are newer than the last time records were checked. This algorithm is recommended for Oracle Unified Directory and Oracle Directory Server.

USN Attribute

The name of the attribute used to store the update sequence number. Applicable when the Microsoft Active Directory algorithm is chosen in the row above.

Timestamp Attribute

The name of the attribute used to store the timestamp on user records.

This attribute name is case-sensitive. Ensure the attribute name matches the name your directory uses. For example, in PingDirectory and Oracle, the attribute is modifyTimestamp, but in Microsoft Active Directory, the attribute is modifyTimeStamp. They have different capitalization.

Account Status Attribute

The name of the attribute in which the user’s account status, active or inactive, is stored. For example, Microsoft Active Directory = userAccountControl and Oracle Directory Server = nsaccountlock.

Account Status Algorithm

The method by which PingFederate determines a user’s account status. The values are:

  • Active Directory Bitmap for Microsoft Active Directory, which uses a bitmap for each user entry. For more information about userAccountControl flags, see Microsoft’s knowledge base.

  • Flag– For Oracle Unified Directory, Oracle Directory Server, and other LDAP directories that use a separate attribute to store the user’s status. When this option is selected, the Flag Comparison Value and Flag Comparison Status fields below are also used.

Default Status

Indicates the user’s status if the attribute is missing.

Flag Comparison Value

Indicates the value for the attribute, such as nsaccountlock, that PingFederate expects to be returned. The value is case-sensitive.

Used when the Account Status Algorithm is set to Flag.

Flag Comparison Status

Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled.

For example, if the Account Status Attribute is set to nsaccountlock, and the Flag Comparison Value is set to true, and the Flag Comparison Status is set to false, then any users with nsaccountlock=true are disabled.

Used when the Account Status Algorithm is set to Flag.

If you are using PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server, in most cases no changes are needed on this tab unless your datastore uses a customized schema.

If you are using a different LDAP directory, you must supply the required information on this tab unless you have defined a template for the datastore. For more information, see the sample.template.txt in the <pf_install>/pingfederate/server/default/conf/template/ldap-templates directory.

Steps

  1. Modify the settings, as needed.

  2. Click Next.