PingOne

Best practices for configuring Active Directory for LDAP gateways

This guide provides an overview of the recommended configuration for integrating AD with PingOne Lightweight Directory Access Protocol (LDAP) gateways, including setting up the service account with the required permissions and granting the permissions for user password changes and resets.

These configurations in AD require LDAP Gateway client application 3.1.2 or later.

In this guide, the example gateway is used to manage users in the Employees organizational unit (OU):

Bind DN: CN=Service Account,OU=ServiceAccounts,OU=PingOneLDAPGateway

Search Base DN: OU=Employees,OU=PingOneLDAPGateway

Setting up the service account

About this task

Set up the service account to manage permissions for the client:

Steps

  1. Set the service account as the bind DN in the LDAP gateway.

    The service account should be in a separate OU from the target users (Employees in this example).

    A screen capture of the Service Account in Active Directory.
  2. Grant Read permissions for each Search Base DN in the gateway’s user types.

  3. For inbound provisioning through the LDAP gateway, ensure that the service account can read deleted entries (cn=Deleted Objects) to keep PingOne in sync when objects are deleted in AD:

    Choose from:

Granting user password permissions

About this task

Manage user password changes and resets by enabling users to change their own passwords and administrators to reset user passwords.

Instead of making changes to each user, AD also allows admins to apply permissions to whole hierarchies of users, such as an entire OU.

Steps

  • To allow users to change their own passwords:

    1. Right-click on the user group or name to which you want to grant password permissions and click Properties.

    2. On the Security tab, select the SELF group of users, and select the Allow checkbox for Change password and the Deny checkbox for Reset password.

    3. Click Apply and then OK.

      To prevent users from changing their own passwords, select the Deny checkbox for Change password instead.

    A screen capture of the Properties menu, Security tab with the SELF group selected, Change password set to Allow, and Reset password set to Deny.
  • To allow admins to reset user passwords:

    1. Right-click the Employee user object, click Properties, and then click the Security tab.

    2. In the list of groups, select the Service Account and select the Allow checkbox for Change password and Reset password.

      A screen capture of the Properties menu with Service Account selected with Change password and Reset password set to Allow.
    3. Click Apply and then OK.

  • To add permissions to an entire OU:

    1. Open Active Directory Users and Computers.

    2. Right-click on the OU of the target users (for example, Employees), and then click Properties.

    3. To create customizable permissions, click the Security tab, click Advanced, and then click Add.

      1. In the Permission Entry window, click Select a principal.

      2. Enter Service Account for object name and click OK.

      3. Clear the default permissions and then select the desired permissions.

        For example, the recommended permissions for a service account are:

        • Read all properties

        • Change password

        • Reset password

          A screen capture of the Permission Entry menu for the Principal Service Account with Read all properties, Change password, and Reset password selected.
      4. Click OK.

    4. In the Advanced Security Settings window, click Add.

      1. In the Permission Entry window, click Select a principal.

      2. Enter SELF for object name and click OK.

      3. Clear the default permissions and then select the desired permissions.

        For example, the recommended permission for SELF is Change password.

        A screen capture of the Permission Entry menu for the Principal SELF with Change password selected.
      4. Click OK.

    5. In the Advanced Security Settings window, click Apply and OK.

    6. In the Security tab, click Apply and OK.
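The same rights the GUI steps above grant on the OU (Read all properties, Change password and Reset password for the service account; Change password for SELF), applied with PowerShell. This is an added example, not part of the PingOne guide; it assumes the RSAT ActiveDirectory module and uses DC=example,DC=com as a placeholder domain suffix.

```powershell
# Added example (not from the PingOne guide): apply the recommended rights to the
# Employees OU with PowerShell instead of the Active Directory Users and Computers GUI.
# Assumes the RSAT ActiveDirectory module and a placeholder domain DC=example,DC=com.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'    # placeholder; the guide does not name the domain
$employeeOu = "OU=Employees,OU=PingOneLDAPGateway,$domainDn"
$svcDn      = "CN=Service Account,OU=ServiceAccounts,OU=PingOneLDAPGateway,$domainDn"
$svcSid     = (Get-ADUser -Identity $svcDn).SID
$selfSid    = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')   # NT AUTHORITY\SELF

# Look up the Change Password / Reset Password extended-right GUIDs in the
# configuration partition rather than hard-coding them.
$configNc = (Get-ADRootDSE).configurationNamingContext
function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$right.rightsGuid
}
$changePw = Get-ExtendedRightGuid 'Change Password'
$resetPw  = Get-ExtendedRightGuid 'Reset Password'

# Every ACE is an Allow that is inherited by the objects under the OU.
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function New-AdAce($Sid, $Rights, [guid]$ObjectType = [guid]::Empty) {
    # Guid.Empty means the ACE is not limited to one property or extended right
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, $Rights, $allow, $ObjectType, $inherit)
}
$read     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$employeeOu"
$acl.AddAccessRule((New-AdAce $svcSid $read))                 # Read all properties
$acl.AddAccessRule((New-AdAce $svcSid $extRight $changePw))   # Change password
$acl.AddAccessRule((New-AdAce $svcSid $extRight $resetPw))    # Reset password
$acl.AddAccessRule((New-AdAce $selfSid $extRight $changePw))  # SELF: change own password only
Set-Acl -Path "AD:\$employeeOu" -AclObject $acl

# Check: list the ACEs on the OU that now apply to the service account and SELF.
(Get-Acl -Path "AD:\$employeeOu").Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -in @($svcSid.Value, $selfSid.Value)
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The check at the end shows the ObjectType column as the raw rights GUID, so compare it against the values returned by Get-ExtendedRightGuid when confirming that Change password and Reset password landed on the right principal.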