Modifying source settings
You can modify the source settings for the datastore configuration in the PingFederate administrative console. You can add, change, and remove user information.
About this task
The Source Settings tab shows the default configuration of the datastore selected on the Source tab, including settings used by the PingFederate provisioner to determine when user information is added, changed, or removed.
See the following table for more information about each field.
Field | Description
---|---
Entry GUID Attribute | The name of the attribute in the datastore representing the user’s GUID.
GUID Type | Indicates whether the GUID is stored in binary or text format. Microsoft Active Directory is always binary. Other LDAP stores most often use text.
Member of Group Attribute | A multivalued user attribute containing the distinguished names (DNs) of the groups to which an entry belongs. This attribute only applies to some LDAP servers, such as Microsoft Active Directory. When this attribute doesn’t apply, the Group Member Attribute is used instead. Microsoft Active Directory uses both values to provide a two-way mapping between user and group objects.
Group Member Attribute | The name of a multivalued group attribute used to track membership in the group using either DN or GUID values.
User objectClass | The LDAP object class to which user entries belong, used to restrict search results to user entries only. The default value is:
Group objectClass | The LDAP object class to which group entries belong, used to restrict search results to group entries only.
Changed Users/Groups Algorithm | The method by which PingFederate determines if user records have been updated or new records added, thus requiring provisioning updates at the target site. The three choices are:
USN Attribute | The name of the attribute used to store the update sequence number. Applicable when the Microsoft Active Directory algorithm is chosen in the row above.
Timestamp Attribute | The name of the attribute used to store the timestamp on user records.
Account Status Attribute | The name of the attribute in which the user’s account status, active or inactive, is stored. For example, Microsoft Active Directory =
Account Status Algorithm | The method by which PingFederate determines a user’s account status. The values are:
Default Status | Indicates the user’s status if the attribute is missing.
Flag Comparison Value | Indicates the value for the attribute, such as Used when the Account Status Algorithm is set to Flag.
Flag Comparison Status | Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to For example, if the Account Status Attribute is set to Used when the Account Status Algorithm is set to Flag.
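
To see how Default Status, Flag Comparison Value, and Flag Comparison Status combine when the Account Status Algorithm is set to Flag, the following added example (not PingFederate code) models the decision over constructed directory entries. The attribute name `acctFlag`, exact-match string comparison, and treating any non-matching value as the opposite status are assumptions.

```python
# Added illustration: a model of the Flag account-status settings described
# in the table above. Not PingFederate code; exact-match comparison, the
# "non-matching value means the opposite status" rule, and the sample
# attribute name "acctFlag" are assumptions.
from dataclasses import dataclass
from typing import Mapping, Sequence


@dataclass(frozen=True)
class FlagStatusConfig:
    account_status_attribute: str   # Account Status Attribute
    flag_comparison_value: str      # Flag Comparison Value
    flag_comparison_status: bool    # Flag Comparison Status: True = enabled
    default_status: bool            # Default Status: True = enabled


def account_enabled(entry: Mapping[str, Sequence[str]], cfg: FlagStatusConfig) -> bool:
    """Return True if the entry should be treated as an active account."""
    values = entry.get(cfg.account_status_attribute)
    if not values:
        # Attribute missing (or empty): fall back to Default Status.
        return cfg.default_status
    if values[0] == cfg.flag_comparison_value:
        return cfg.flag_comparison_status
    # Assumption: any other value yields the opposite status.
    return not cfg.flag_comparison_status


def audit(entries, cfg):
    """Split DNs into (active, inactive, missing-attribute) for review."""
    active, inactive, missing = [], [], []
    for dn, attrs in entries.items():
        if not attrs.get(cfg.account_status_attribute):
            missing.append(dn)
        (active if account_enabled(attrs, cfg) else inactive).append(dn)
    return active, inactive, missing


# Constructed sample entries (not from a real directory).
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"acctFlag": ["true"]},
    "uid=bob,ou=people,dc=example,dc=com": {"acctFlag": ["false"]},
    "uid=carol,ou=people,dc=example,dc=com": {},  # attribute absent
}

# Flag value "true" means disabled; an absent attribute defaults to inactive.
FAIL_CLOSED = FlagStatusConfig("acctFlag", "true", False, False)
# Same flag meaning, but an absent attribute defaults to active.
FAIL_OPEN = FlagStatusConfig("acctFlag", "true", False, True)
```

Comparing `audit(SAMPLE, FAIL_CLOSED)` with `audit(SAMPLE, FAIL_OPEN)` shows that the entry without the attribute changes from inactive to active on the Default Status setting alone, so the third list is worth reviewing before provisioning is enabled.
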
If you are using PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server, in most cases no changes are needed on this tab unless your datastore uses a customized schema.
If you are using a different LDAP directory, you must supply the required information on this tab unless you have defined a template for the datastore. For more information, see the sample.template.txt in the <pf_install>/pingfederate/server/default/conf/template/ldap-templates directory.
Steps
- Modify the settings, as needed.
- Click Next.