---
title: Editing an inbound rule for a connection through an LDAP gateway
description: You can edit an existing rule to change the custom filter and attribute mapping in PingOne.
component: pingone
page_id: pingone:integrations:p1_edit_inbound_ldap_rule
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_edit_inbound_ldap_rule.html
revdate: Sep 12, 2025
section_ids:
  steps: Steps
---

# Editing an inbound rule for a connection through an LDAP gateway

You can edit an existing inbound rule for a connection through an LDAP gateway to change the custom filter and attribute mapping.

|   |                                                                           |
| - | ------------------------------------------------------------------------- |
|   | You can't change the source or target connection after a rule is created. |

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. On the **Rules** tab, click the appropriate rule to open the details panel:

3. On **Overview** tab, click the **Pencil** icon ([icon: pencil, set=fa]) to edit the **Name** or **Description**.

4. On the **Directory** tab click [icon: pencil, set=fa]to enter or edit the following:

   * **Directory Path (LDAP Base DN)**: Specifies the LDAP directory location from where users and groups are synced into PingOne.

   * **User Relative DN**: Specifies the location of user accounts in your directory.

   * **Groups Relative DN**: Specifies the location of group accounts in your directory.

   * **Add Condition**: Adds an LDAP filter to define the users to provision to PingOne. Learn more in [Distinguished Names](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names) in the Microsoft LDAP documentation.

5. On the **Attribute Mapping** tab, click [icon: pencil, set=fa]and enter or edit the following:

   * On the **Users** tab:

     * To add an attribute mapping, click **[icon: plus, set=fa]Add** and enter the source and target attributes.

     * To add a new source attribute, enter the attribute name. In the list, select the **ADD:*ADD:\<attribute-name>*** attribute. Map the added attribute to a target attribute.

     * To use the expression builder, click the **Gear** icon ([icon: gear, set=fa]). Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

     * To delete a mapping, click **Delete** icon ([icon: trash, set=fa]).

       |   |                                                                      |
       | - | -------------------------------------------------------------------- |
       |   | On the **Groups** tab, the group attribute mappings can't be edited. |

       |   |                                                                                                                                                                                                                      |
       | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
       |   | Group membership updates aren't immediately synced to PingOne. To sync group membership, you must either modify an additional user attribute or initiate a manual synchronization through the PingOne admin console. |

6. On the **Onboarding Settings** tab, click [icon: pencil, set=fa]and enter or edit the following:

   * In the **Populations** list, select a population. When users are synced to PingOne, they're added to the specified population.

   * For **Authoritative Identity Provider**, PingOne is automatically set as the authoritative identity provider (IdP).

   * Select the **Set default password for new users** checkbox to specify the default password in PingOne for users synced in from an external identity store as a source.

   * Click **Define Password Logic** to create a complex password using the functions in the expression builder. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * Select the **Force password reset on first sign on** checkbox to force users to reset their password the first time they authenticate through PingOne.

   * In the **MFA Device Management** list, select one of the following to control how the provisioner can impact multi-factor authentication (MFA) devices that are managed by a PingOne service, such as PingOne MFA and PingID:

     * **Merge with devices in PingOne** (default): Select this option to add a device from the identity store into a user's existing device in PingOne.

     * **Overwrite devices in PingOne**: Select this option to replace configured user devices in PingOne from the identity store. Only new devices mapped under attribute mappings are added.

     * **Do not manage devices**: Select this option to disable device management. This option is recommended for users using PingID in the same environment. Inbound provisioning and PingID use the same device nicknames and cause device unpairing, which this option helps avoid.

7. Click **Save**.