---
title: Creating a service account for LDAP gateways
description: Create a service account for your LDAP gateways in PingOne.
component: pingone
page_id: pingone:integrations:p1_creating_service_account_ldap_gateway
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_creating_service_account_ldap_gateway.html
revdate: June 20, 2024
page_aliases: ["p1_best_practices_configuring_active_directory_for_ldap_gateways.adoc"]
section_ids:
  creating-the-service-account: Creating the service account
  configuring-the-service-account: Configuring the service account
  configuring-for-active-directory: Configuring for Active Directory
  steps: Steps
  choose-from: Choose from:
  granting-user-password-permissions: Granting user password permissions
  steps-2: Steps
---

# Creating a service account for LDAP gateways

Integrating a directory with the Lightweight Directory Access Protocol (LDAP) gateway requires a dedicated service account. LDAP is an open, cross-platform protocol used for interacting with directory services. This service account is a universal requirement for any directory type you connect.

The account acts as the essential bridge between PingOne and your directory, providing the necessary permissions for the gateway to:

* Authenticate and maintain a secure connection.

* Search and retrieve user data.

* Manage user attributes and facilitate password updates.

|   |                                                                                      |
| - | ------------------------------------------------------------------------------------ |
|   | These configurations require LDAP Gateway client application version 3.1.2 or later. |

## Creating the service account

1. Create an organizational unit (OU) or other container for the service account that is separate from the container that holds your target users.

   For example, `OU=ServiceAccounts`.

2. In that container, create a new user for the gateway, such as `CN=PingOne LDAP Gateway`.

   |   |                                                                                                                                                                                                             |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Note the distinguished name (DN); you will need the full bind DN [when you set up the LDAP gateway](p1_gateways_overview.html). For example, `CN=PingOne LDAP Gateway,OU=ServiceAccounts,DC=example,DC=com`. |

## Configuring the service account

Although specific configuration steps vary by directory type, a service account is a universal requirement for any directory you connect. At a minimum, the account requires permissions to search, read users, and reset or update passwords.

Review the following requirements based on your specific use case:

* Migration or inbound provisioning: The account must be able to search and read user data. To keep PingOne in sync with your local directory, the account also needs permission to read the change log or deleted objects.

* Outbound provisioning or DaVinci: If you are pushing data from PingOne to your directory, the service account requires permissions to create and update user objects.

  |   |                                                                                                                                                                                       |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Grant these permissions only on the specific container, such as an organizational unit (OU), that holds the users you intend to migrate or synchronize, rather than on the entire directory. |

### Configuring for Active Directory

For AD environments, follow these steps to grant the service account the permissions it needs:

### Steps

1. Grant **Read** permission on each container with users to migrate or synchronize.

2. For outbound provisioning or DaVinci: If you are pushing data from PingOne to your directory, the service account requires **Write** permissions to create and update user objects.

3. For inbound provisioning through the LDAP gateway, ensure that the service account can read deleted entries (`cn=Deleted Objects`) to keep PingOne in sync when objects are deleted in AD:

   #### Choose from:

   * Make the service account an administrator. This grants far more privilege than the gateway needs; prefer the following option.

   * Allow non-administrators to view the AD deleted objects container.

     Learn more in [Let non-administrators view deleted objects container](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/non-administrators-view-deleted-object-container) in the Microsoft documentation.
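The non-administrator option from step 3, scripted and then verified from the service account's own point of view. This is an added example and not part of the PingOne documentation; it assumes the `ActiveDirectory` PowerShell module is available, that the service account's sAMAccountName is `svc-pingone-ldapgw`, and that the `dsacls` commands are run as a Domain Admin (the rights granted, `LC` and `RP`, are the ones the linked Microsoft article describes).

```powershell
# Added example (not from the PingOne docs): grant the LDAP gateway service account read access
# to the Deleted Objects container and confirm it can enumerate tombstones.
# Assumed: ActiveDirectory module installed, service account sAMAccountName "svc-pingone-ldapgw".
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$deletedDN  = "CN=Deleted Objects,$($domain.DistinguishedName)"
$svcAccount = "$($domain.NetBIOSName)\svc-pingone-ldapgw"

# Take ownership first (the container's ACL cannot be edited until you do), then grant only
# List Contents (LC) and Read Property (RP): enough to read deleted entries, nothing more.
dsacls $deletedDN /takeownership
dsacls $deletedDN /g "${svcAccount}:LCRP"

# Verify as the service account itself, not as the admin who granted the rights:
# the query should return deleted objects instead of an access error.
$cred = Get-Credential -UserName $svcAccount -Message "Service account password"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Credential $cred `
    -Properties isDeleted, lastKnownParent, whenChanged -ResultSetSize 10 |
    Select-Object Name, lastKnownParent, whenChanged |
    Format-Table -AutoSize
```

If the verification query returns nothing on a domain that certainly has recently deleted objects, check the grant with `dsacls $deletedDN` and confirm that the gateway binds as the same account you granted, since the LCRP grant applies only to that principal.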

## Granting user password permissions

Manage user password changes and resets by allowing users to change their own passwords and allowing the LDAP gateway service account to reset user passwords on behalf of PingOne administrators.

Instead of making changes to each user, AD also allows admins to apply permissions to a whole hierarchy of users, such as an entire OU.

### Steps

* To allow users to change their own passwords:

  1. Right-click the user object or group to which you want to grant password permissions, and then click **Properties**.

  2. On the **Security** tab, select the **SELF** principal, and select the **Allow** checkbox for **Change password** and the **Deny** checkbox for **Reset password**.

  3. Click **Apply** and then **OK**.

     |   |                                                                                                           |
     | - | --------------------------------------------------------------------------------------------------------- |
     |   | To disable users from changing their own passwords, select the **Deny** checkbox for **Change password**. |

     ![A screen capture of the Properties menu, Security tab with the SELF group selected, Change password set to Allow, and Reset password set to Deny.](_images/nzs1718051785248.png)

* To allow the service account to reset user passwords (for administrator-initiated resets from PingOne):

  1. Right-click the target user object (for example, **Employee**), click **Properties**, and then click the **Security** tab.

  2. In the list of group or user names, select the service account. If it is not listed, click **Add** to add it first.

  3. Select the **Allow** checkbox for the following:

     * **Change password**

     * **Reset password**

       ![A screen capture of the Properties menu with Service Account selected with Change password and Reset password set to Allow.](_images/rkx1718204600512.png)

  4. Click **Advanced**, find the service account entry, and click **Edit**. Ensure **Write pwdLastSet** is set to **Allow**.

     |   |                                                                                                                                |
     | - | ------------------------------------------------------------------------------------------------------------------------------ |
     |   | This is required to support force password reset on next sign-on, which sends an LDAP gateway request to set `pwdLastSet = 0`. |

  5. Click **Apply** and then **OK**.

* To add permissions to an entire OU:

  1. Open **Active Directory Users and Computers**.

  2. Right-click on the OU of the target users (for example, **Employees**), and then click **Properties**.

  3. To create customizable permissions, on the **Security** tab, click **Advanced**, and then click **Add**.

     1. In the **Permission Entry** window, click **Select a principal**.

     2. Enter the service account name (for example, `PingOne LDAP Gateway`) as the object name and click **OK**. In **Applies to**, select **Descendant User objects** so that the entry targets the user objects under the OU rather than the OU itself.

     3. Clear the default permissions and then select the desired permissions.

        For example, the recommended permissions for a service account are:

        * **Read all properties**

        * **Change password**

        * **Reset password**

        * **Write pwdLastSet**

          ![A screen capture of the Permission Entry menu for the Principal Service Account with Read all properties, Change password, and Reset password selected.](_images/unw1718205449470.png)

     4. Click **OK**.

  4. In the **Advanced Security Settings** window, click **Add**.

     1. In the **Permission Entry** window, click **Select a principal**.

     2. Enter `SELF` for object name and click **OK**.

     3. Clear the default permissions and then select the desired permissions.

        For example, the recommended permission for **SELF** is **Change password**.

        ![A screen capture of the Permission Entry menu for the Principal SELF with Change password selected.](_images/eui1718903042914.png)

     4. Click **OK**.

  5. In the **Advanced Security Settings** window, click **Apply** and **OK**.

  6. On the **Security** tab, click **Apply** and **OK**.
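The whole procedure on this page, from creating the account to the OU-wide permission entries, scripted with the `ActiveDirectory` PowerShell module instead of the ADUC dialogs. This is an added example and not PingOne's own code. It assumes the service account lives in `OU=ServiceAccounts`, the target users live in `OU=Employees`, the sAMAccountName `svc-pingone-ldapgw`, and a caller who can modify that OU's ACL; the extended-right and attribute GUIDs are looked up from your own forest rather than hard-coded.

```powershell
# Added example (not from the PingOne docs): create the gateway service account and grant the
# OU-level ACEs this page recommends (Read all properties, Change password, Reset password,
# Write pwdLastSet for the service account; Change password for SELF).
# Assumed names: OU=ServiceAccounts, OU=Employees, sAMAccountName svc-pingone-ldapgw.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$svcOU    = "OU=ServiceAccounts,$domainDN"
$targetOU = "OU=Employees,$domainDN"
$svcName  = "PingOne LDAP Gateway"
$svcSam   = "svc-pingone-ldapgw"

# --- Creating the service account in its own OU, separate from the target users ---
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$svcOU'")) {
    New-ADOrganizationalUnit -Name "ServiceAccounts" -Path $domainDN
}
$svc = Get-ADUser -Filter "SamAccountName -eq '$svcSam'"
if (-not $svc) {
    $svc = New-ADUser -Name $svcName -SamAccountName $svcSam -Path $svcOU `
        -AccountPassword (Read-Host -AsSecureString "Password for $svcSam") `
        -Enabled $true -PassThru
}
Write-Host "Bind DN for the gateway configuration: $($svc.DistinguishedName)"

# --- Resolve GUIDs from this forest's schema and extended-rights containers ---
$rootDSE = Get-ADRootDSE
function Get-ExtendedRightGuid([string]$DisplayName) {
    $r = Get-ADObject -SearchBase $rootDSE.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    [guid]$r.rightsGuid
}
function Get-SchemaGuid([string]$LdapDisplayName) {
    $s = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$s.schemaIDGUID
}
$userClass      = Get-SchemaGuid "user"          # inheritedObjectType = "Descendant User objects"
$pwdLastSet     = Get-SchemaGuid "pwdLastSet"
$changePassword = Get-ExtendedRightGuid "Change Password"
$resetPassword  = Get-ExtendedRightGuid "Reset Password"

$svcSid  = [System.Security.Principal.SecurityIdentifier]$svc.SID
$selfSid = [System.Security.Principal.SecurityIdentifier]"S-1-5-10"   # well-known SELF principal
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$desc    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ar      = [System.DirectoryServices.ActiveDirectoryRights]

$aces = @(
    # Service account: Read all properties on descendant user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($svcSid, $ar::ReadProperty, $allow, $desc, $userClass)
    # Service account: Change password and Reset password extended rights
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($svcSid, $ar::ExtendedRight, $allow, $changePassword, $desc, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($svcSid, $ar::ExtendedRight, $allow, $resetPassword, $desc, $userClass)
    # Service account: Write pwdLastSet, needed so the gateway can set pwdLastSet = 0 (reset on next sign-on)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($svcSid, $ar::WriteProperty, $allow, $pwdLastSet, $desc, $userClass)
    # SELF: users may change their own password; no Reset password, so the old password is still required
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($selfSid, $ar::ExtendedRight, $allow, $changePassword, $desc, $userClass)
)

# Scope the grant to the target OU only, never the domain root
$acl = Get-Acl -Path "AD:\$targetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# --- Verify: show only the entries that apply to the service account and SELF ---
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$svcSam" -or $_.IdentityReference.Value -eq "NT AUTHORITY\SELF" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

In the verification output, the extended rights show as `ExtendedRight` with `ObjectType` equal to the Change Password or Reset Password GUID, and the pwdLastSet entry as `WriteProperty` with the attribute's schema GUID; every entry should carry `InheritanceType = Descendents` and `InheritedObjectType` equal to the `user` class GUID, which is what "Descendant User objects" means in the ADUC dialog. Passing only `ReadProperty` rather than `GenericRead` keeps the grant to "Read all properties" as the page recommends, without adding list or read-permissions rights the gateway does not need.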
