---
title: Creating an LDAP gateway provisioning connection
description: Use a gateway connection in PingOne to set up provisioning to or from a user store through an LDAP gateway.
component: pingone
page_id: pingone:integrations:p1_create_provisioning_connection_gateway
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_provisioning_connection_gateway.html
revdate: July 10, 2024
page_aliases: ["p1_ad_attributes.adoc", "p1_pd_attributes.adoc", "p1_default_attribute_mapping_for_inbound_gateway.adoc", "p1_provisioning_gateway_known_issues.adoc"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  next-steps: Next steps
  p1_ad_attributes: Active Directory attributes
  p1_pd_attributes: PingDirectory attributes
  p1_default_attribute_inbound: Default attribute mapping for inbound provisioning through an LDAP gateway
  active-directory-default-attributes: Active Directory default attributes
  pingdirectory-default-attributes: PingDirectory default attributes
  p1_provisioning_gateway_issues: Known issues for provisioning through an LDAP gateway
---

# Creating an LDAP gateway provisioning connection

Use a gateway connection to set up provisioning to or from an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. Creating an LDAP gateway provisioning connection migrates users from the directory behind an LDAP gateway into PingOne.

## Before you begin

Make sure:

* You have an existing LDAP gateway that's enabled and has a healthy connection. Learn more in [Gateways](p1_gateways.html). For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores.

  > **Note:** For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don't support provisioning.

* You have an LDAP gateway that isn't configured for just-in-time (JIT) provisioning. You can't enable the **Enable migration of new users upon first authentication** option if you want to use the gateway for outbound or inbound sync. Learn more in [Adding a user type](p1_add_a_user_type.html).

* You have an LDAP gateway version 2.3.3 or later for inbound provisioning. Previous versions of the LDAP gateway don't support inbound provisioning.

* The LDAP gateway version is 4.0 or later to use group membership provisioning.

* For inbound provisioning from AD, the service account can read deleted entries (the `cn=Deleted Objects` container) so that PingOne stays in sync when objects are deleted in AD.

* The service account can access all users in the specified base distinguished name (DN).

  > **Note:** If the service account doesn't have access to deleted objects, such as a user that's been deleted, the service account can't detect that change.

* You have an LDAP gateway that makes outbound WebSocket connections to specific WebSocket endpoints. Learn more in [Before configuring an LDAP gateway](p1_gateway_prereqs.html).

* You have an LDAP gateway that's able to establish an outbound connection to auth.pingone.com and api.pingone.com or the equivalent URLs for your region. Learn more in [PingOne URLs by geographic region](../introduction_to_pingone/p1_introduction.html#p1-urls-by-region).

* You've established secure WebSocket connections to those endpoints.

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click the **+** icon, and then click **New Connection**.

3. In the **Create a New Connection** modal, select **Gateway**.

4. Select an existing gateway or click **+ New Gateway** to set up a new gateway.

   > **Note:** The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in [Gateways](p1_gateways.html).

5. Click **Next**.

6. In the **Configure Preferences** and **Users Actions** sections, configure the following:

   | Field                        | Description |
   | ---------------------------- | ----------- |
   | **Enable users creation**    | Determines whether to create a user in the target identity store when the user is created in the source identity store. |
   | **Enable users updation**    | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store. If **Enable users updation** is selected, you can also select **Enable users disable**, which determines whether to disable a user in the target identity store when the user is disabled in the source identity store. |
   | **Enable users deprovision** | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store. If **Enable users deprovision** is selected, the following options appear:<br>**Remove Action**: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. **Remove Action** is only available if you select **Enable users disable**.<br>**Deprovision on rule deletion**: Determines whether to deprovision users if the associated provisioning rule is deleted. |

7. Click **Save**.

8. To enable the connection, click the toggle at the top of the details panel to the right (blue).

   > **Note:** You can disable the connection by clicking the toggle to the left (gray).

## Result

When configuring inbound provisioning, a PingOne Directory connection is automatically added and the following **Groups Actions (LDAP only)** and **Memberships Actions (LDAP only)** attributes are available:

> **Note:** Group membership updates aren't immediately synced to PingOne. To sync group membership, you must either modify an additional user attribute or initiate a manual synchronization through the PingOne admin console. Learn more in [Creating an inbound rule for a connection through an LDAP gateway](p1_create_inbound_provisioning_rule_gateway.html).

| Field                       | Description |
| --------------------------- | ----------- |
| **Enable groups creation**  | Creates groups in PingOne when they're created in the LDAP gateway. |
| **Enable groups rename**    | Updates group names in PingOne when changes are made in the LDAP gateway. |
| **Enable groups deletion**  | Removes groups from PingOne when they're deleted from the LDAP gateway. If you enable groups deletion, you can also select **Delete groups on rule deletion**, which deletes provisioned groups in PingOne when the rule is deleted. |
| **Enable memberships sync** | Controls adding and removing memberships to groups in PingOne. |

## Next steps

* Define which users are provisioned from PingOne to the LDAP gateway and how attributes are mapped between PingOne and the LDAP directory. Learn more in [Creating an outbound rule for a connection through an LDAP gateway](p1_create_outbound_provisioning_rule_gateway.html).

* Configure an LDAP gateway filter that specifies which users or groups to provision from LDAP to PingOne. Learn more in [Creating an inbound rule for a connection through an LDAP gateway](p1_create_inbound_provisioning_rule_gateway.html).

## Active Directory attributes

The following table lists common Active Directory attributes that can be mapped for user provisioning.

| Attribute                 | Description                                                                                                                                       |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| cn (Required)             | The common name for the user account.                                                                                                             |
| sAMAccountName (Required) | The user name for the user account.                                                                                                               |
| Given Name                | The first name of the user.                                                                                                                       |
| sn                        | The last name (surname) of the user.                                                                                                              |
| Display Name              | The name as it will appear in the PingOne identity store.                                                                                         |
| Mail                      | The email address for the user.                                                                                                                   |
| Mobile Number             | The mobile telephone number for the user.                                                                                                         |
| Telephone Number          | The telephone number for the user.                                                                                                                |
| Title                     | The user's title, such as Manager or CEO.                                                                                                         |
| Active                    | The status of the user account.                                                                                                                   |
| Password                  | The password for the user.                                                                                                                        |
| ResetPassword             | Determines whether a user must reset their password the next time they sign on. The default value is false, but it can be mapped to an attribute. |
| Street Address            | The physical address for the user.                                                                                                                |
| Postal Code               | The ZIP code or postal code for the user.                                                                                                         |
| l                         | The user's default location for purposes of localizing things like currency, date and time format, or numerical representations.                  |
| Country Abbreviation      | The country code for the user.                                                                                                                    |
| st                        | The region for the user.                                                                                                                          |

## PingDirectory attributes

The following table lists common PingDirectory attributes that can be mapped for user provisioning.

| Attribute          | Description                                                                                                                      |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| uid (Required)     | The user name for the user account. Typically mapped to `Username`.                                                              |
| sn (Required)      | The last name (surname) of the user. Typically mapped to `Family Name`.                                                          |
| cn (Required)      | The common name for the user account. Typically mapped to `Username`.                                                            |
| Given Name         | The first name of the user.                                                                                                      |
| Mail               | The email address for the user.                                                                                                  |
| Mobile Phone       | The mobile telephone number for the user.                                                                                        |
| Telephone Number   | The telephone number for the user.                                                                                               |
| Title              | The user's title, such as Manager or CEO.                                                                                        |
| Active             | The status of the user account.                                                                                                  |
| Password           | The password for the user.                                                                                                       |
| Street Address     | The physical address for the user.                                                                                               |
| Postal Code        | The ZIP code or postal code for the user.                                                                                        |
| l                  | The user's default location for purposes of localizing things like currency, date and time format, or numerical representations. |
| st                 | The region for the user.                                                                                                         |
| Preferred Language | The primary language for the user.                                                                                               |

## Default attribute mapping for inbound provisioning through an LDAP gateway

The following table lists the default attributes for Active Directory and PingDirectory that can be mapped to PingOne user attributes for user provisioning.

### Active Directory default attributes

| Attribute      | Description                                         |
| -------------- | --------------------------------------------------- |
| sAMAccountName | The user's username.                                |
| sn             | The user's last name (surname).                     |
| Given Name     | The user's first (given) name.                      |
| Mail           | The user's email address.                           |
| Active         | The status of the user account in Active Directory. |

### PingDirectory default attributes

| Attribute  | Description                                      |
| ---------- | ------------------------------------------------ |
| uid        | The user's username.                             |
| Given Name | The user's first (given) name.                   |
| sn         | The user's last name (surname).                  |
| Mail       | The user's email address.                        |
| Active     | The status of the user account in PingDirectory. |

## Known issues for provisioning through an LDAP gateway

The following are known issues or limitations with provisioning through an LDAP gateway.

* PingOne does not support concurrent LDAP inbound provisioning through the same gateway connection, even if the rules use different User Base DNs.

* For bi-directional LDAP sync, ensure that the attribute mappings on both rules are identical.

  > **Note:** On outbound provisioning, PingOne does not preserve the directory hierarchy that was read on inbound.

* In the expression builder, you can use only LDAP attributes that are part of the default attribute list. As a workaround, you can use the ADD feature to map the needed attribute and use it in the expression.

* The LDAP filter currently compares numeric attribute values lexicographically (as strings) rather than numerically, so, for example, `9` sorts after `100`.

* In Active Directory, deleting an OU that contains users might not deprovision users in PingOne.

* PingOne does not support `moddn` (modify DN) operations, such as renaming or moving an entry.

* PingOne does not support updating the `uid` attribute value.
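The known issue about lexicographical comparison in the LDAP filter is worth checking before you scope an inbound rule on a numeric attribute, because a rule that silently includes or drops users changes who gets provisioned. The following is an added example, not code from the PingOne documentation or product; the entries and the `employeeNumber` attribute are constructed, and the filter evaluator is a simplified stand-in for the gateway's own filter handling.

```python
"""Show how a numeric range in an LDAP filter selects the wrong users when
values are compared as strings (lexicographically) instead of as numbers."""

# Constructed sample entries. LDAP carries attribute values as strings on the
# wire, which is why a string comparison is the natural (but wrong) default.
ENTRIES = [
    {"uid": "alice", "employeeNumber": "9"},
    {"uid": "bob", "employeeNumber": "10"},
    {"uid": "carol", "employeeNumber": "100"},
    {"uid": "dave", "employeeNumber": "2500"},
]


def _matches(value, op, bound, numeric):
    """Evaluate one of the ordering operators an LDAP filter can use."""
    left, right = (int(value), int(bound)) if numeric else (value, bound)
    if op == ">=":
        return left >= right
    if op == "<=":
        return left <= right
    raise ValueError(f"unsupported operator {op!r}")


def select(entries, attr, op, bound, numeric):
    """Return the sorted uids whose attribute satisfies `attr op bound`.

    numeric=False reproduces the lexicographical comparison the known issue
    describes; numeric=True is what an admin usually expects from a filter
    such as (employeeNumber>=100).
    """
    return sorted(e["uid"] for e in entries if _matches(e[attr], op, bound, numeric))


def scope_mismatch(entries, attr, op, bound):
    """Users the string comparison includes or drops relative to the numeric
    comparison: the set an inbound rule would provision incorrectly."""
    lexical = set(select(entries, attr, op, bound, numeric=False))
    wanted = set(select(entries, attr, op, bound, numeric=True))
    return {
        "wrongly_included": sorted(lexical - wanted),
        "wrongly_excluded": sorted(wanted - lexical),
    }


if __name__ == "__main__":
    for op, bound in ((">=", "100"), ("<=", "50")):
        print(f"(employeeNumber{op}{bound}):", scope_mismatch(ENTRIES, "employeeNumber", op, bound))
```

Run with a range that matches your rule's filter; a non-empty `wrongly_included` or `wrongly_excluded` list means the filter needs to be expressed without relying on numeric ordering (for example, by matching an explicit attribute value instead).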
