---
title: Creating an outbound rule for a connection through an LDAP gateway
description: Create a rule to define which users are provisioned in PingOne.
component: pingone
page_id: pingone:integrations:p1_create_outbound_provisioning_rule_gateway
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_outbound_provisioning_rule_gateway.html
revdate: June 4, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  p1_example_user_filters: Example user filters
  example-1: Example 1
  example-2: Example 2
  example-3: Example 3
  example-4: Example 4
---

# Creating an outbound rule for a connection through an LDAP gateway

You can create an outbound rule to define which users are provisioned and how attributes are mapped between PingOne and the LDAP directory.

|   |                                                                                                                                                                                          |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If an LDAP gateway is deleted, provisioning and authentication policy references should be updated accordingly. Learn more in [Deleting an LDAP gateway](p1_deleting_ldap_gateway.html). |

## Before you begin

Make sure you:

* Create an LDAP gateway connection.

  |   |                                                                                                                                                                                                                                                    |
  | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | The connection must be enabled before you can use it in a rule. Learn more in [Connections](p1_connections_provisioning.html). Not all provisioning connection types support this provisioning. Learn more in [Provisioning](p1_provisioning.html). |

* Have the relative distinguished name (RDN) attribute that specifies the relative portion of the distinguished name (DN). This uniquely identifies the user in the LDAP directory.

* Have the directory path, which is the LDAP base DN. This specifies the LDAP directory location from where users and groups are synced into PingOne.

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click **[icon: plus, set=fa]** and then click **New Rule**.

3. For **Sync Direction**, select **PingOne as Source**.

4. For **Available Connections**, click **[icon: plus, set=fa]** next to the appropriate LDAP gateway connection to set it as the target and then click **Continue**.

5. In the **Rule Details** panel, enter a **Name** and **Description** for the rule and then click **Next**.

6. In the **Directory Configuration** panel, set directory settings for users and groups:

   * In the **Directory Path (LDAP Base DN)** field, enter the LDAP base DN that specifies the LDAP directory location from where users and groups are synced into PingOne. Learn more in [Distinguished Names](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names) in the Microsoft LDAP documentation.

   * In the **RDN Attribute** field, select the PingOne attribute that will map to the RDN attribute. The RDN attribute is the relative portion of the DN that uniquely identifies the user in the LDAP directory.

     |   |                                                                                                                                                                                                |
     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | The default attributes are based on the directory type of the gateway used. For Active Directory, `RDN` defaults to `cn`. For PingDirectory and LDAPv3 directory, `RDN` defaults to `uid`. |

     * Enter the first condition:

       * Select **All** or **Any** to determine how the linked conditions will be evaluated: Boolean logical AND or OR.

       * **Attribute**: The user attribute on which to filter.

       * **Operator**: The supported operators are `sw` (starts with), `ew` (ends with), `co` (contains), and `eq` (equals). The operator is case-sensitive for software as a service (SaaS) provisioners.

       * **Value**: Enter the appropriate value.

         |   |                                                                                                                                                                                                                                                      |
         | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
         |   | If you select a group in the filter, updating or deleting the group can cause the provisioning rule to resync. The filter will also include all users with any kind of membership in the group. Learn more in [Groups](../directory/p1_groups.html). |

     * (Optional) Click **Add [icon: plus, set=fa]** to add another condition or condition set.

     * To delete a condition, click the **Delete** icon ([icon: trash, set=fa]).

7. Click **Next**.

8. In the **Attribute Mapping** panel, map attributes between the source and PingOne to ensure users are provisioned correctly.

   |   |                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The default attributes are based on the directory type of the gateway used. For outbound provisioning, the `RDN` attribute defaults to `cn` for Active Directory. |

   * To add an attribute mapping, click **[icon: plus, set=fa] Add** and enter the source and target attributes.

   * To use the expression builder, click the **Gear** icon ([icon: gear, set=fa]). Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

     You can also use **Expression** list values in the expression builder to create advanced expressions, such as conditional statements. Some attributes have metadata that define potential values.

     For example, for Salesforce attribute mapping, you can see a list of values from Salesforce in the form of an **Expression** list. In the expression builder, enter a single quote to see potential values.

     You can use a switch statement or an if-else statement to evaluate an expression based on a pattern match.

     For example, to match an `accountId` attribute, enter the following in the expression builder:

     ```
     #core.switchExpr(#root.accountId, '0000EXAMPLEID', 'Valid', 'Invalid')
     ```

     For a switch statement with multiple cases and a match, enter the following in the expression builder:

     ```
     #core.switchExpr(#root.accountId, '0000EXAMPLEID1', 'Full Access', '0000EXAMPLEID2', 'Restricted Access', '0000EXAMPLEID3', 'Read-only Access', 'No Access')
     ```

     |   |                                                                            |
     | - | -------------------------------------------------------------------------- |
     |   | The email attribute mapping is checked by default and included in updates. |

   * To delete a mapping, click [icon: trash, set=fa].

9. Click **Save**.

10. To enable the rule, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                     |
    | - | ------------------------------------------------------------------- |
    |   | You can disable the rule by clicking the toggle to the left (gray). |

## Result

The **Sync Status** appears and the rule is listed under **Rules**. Learn more in [Sync status](p1_provisioning_sync_status.html).

## Example user filters

This section shows some example user filters to define users for provisioning.

### Example 1

A filter that includes users from the USA and Canada. Include users that match the following:

Country Code Equals **US**

OR

Country Code Equals **CA**

![A screen capture of a user filter that matches users from the US and Canada](_images/eif1676044320679.png)

### Example 2

A filter that includes users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

![A screen capture of a user filter that matches users from the Marketing and HR populations](_images/cbk1676044354415.png)

### Example 3

A filter that includes enabled users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

AND

Enabled Equals **true**

![A screen capture of a user filter that matches enabled users from the Marketing and HR populations](_images/xxn1676044395316.png)

### Example 4

A filter that includes users from the Engineering and Marketing groups. Include users that match the following:

Group Names Contains **Engineering**

OR

Group Names Contains **Marketing**

![A screen capture of a user filter that matches users from the Engineering and Marketing groups](_images/fdg1676044441287.png)
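
To check which users a filter selects before you enable a rule, you can dry-run it against an exported user list. The following is an added example, not PingOne code: a local Python model of the **All**/**Any** condition sets and the `sw`, `ew`, `co`, and `eq` operators, applied to Example 3 and Example 4. The user records, attribute names, boolean comparison, and multi-valued matching are assumptions made for illustration.

```python
# Local model of the filter semantics described on this page (not PingOne code).
OPS = {  # operators from the Steps section; all comparisons are case-sensitive
    "eq": lambda actual, value: actual == value,
    "sw": lambda actual, value: actual.startswith(value),
    "ew": lambda actual, value: actual.endswith(value),
    "co": lambda actual, value: value in actual,
}

def _text(v):
    # Booleans are compared as the lowercase strings "true"/"false" (assumption).
    return str(v).lower() if isinstance(v, bool) else str(v)

def matches(user, node):
    """Evaluate one condition, or an All/Any condition set, against a user."""
    if "conditions" in node:  # condition set: All = AND, Any = OR
        results = [matches(user, child) for child in node["conditions"]]
        return all(results) if node["match"] == "All" else any(results)
    actual = user.get(node["attribute"])
    if actual is None:
        return False  # a missing attribute never matches
    # Assumption: a multi-valued attribute matches if any one value matches.
    values = actual if isinstance(actual, list) else [actual]
    return any(OPS[node["operator"]](_text(v), node["value"]) for v in values)

def in_scope(users, rule):
    """Usernames the rule would select for provisioning, sorted."""
    return sorted(u["username"] for u in users if matches(u, rule))

# Constructed sample users; attribute names are hypothetical.
USERS = [
    {"username": "alice", "population": "Marketing", "enabled": True, "groups": ["Engineering"]},
    {"username": "bob", "population": "HR", "enabled": False, "groups": ["Marketing"]},
    {"username": "carol", "population": "Sales", "enabled": True, "groups": ["Engineering", "Finance"]},
    {"username": "dave", "population": "marketing", "enabled": True, "groups": []},
]
POPULATIONS = [
    {"attribute": "population", "operator": "eq", "value": "Marketing"},
    {"attribute": "population", "operator": "eq", "value": "HR"},
]
ENABLED = {"attribute": "enabled", "operator": "eq", "value": "true"}
# Example 3 as intended: (Marketing OR HR) AND enabled, using a nested condition set.
EXAMPLE_3 = {"match": "All", "conditions": [{"match": "Any", "conditions": POPULATIONS}, ENABLED]}
# The same three conditions in one flat Any set select far more users.
FLAT_ANY = {"match": "Any", "conditions": POPULATIONS + [ENABLED]}
EXAMPLE_4 = {"match": "Any", "conditions": [
    {"attribute": "groups", "operator": "co", "value": "Engineering"},
    {"attribute": "groups", "operator": "co", "value": "Marketing"},
]}
```

In this model, `in_scope(USERS, EXAMPLE_3)` selects only `alice`, while the flat **Any** variant selects all four users, including the disabled account and the user whose population differs only by case.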
