Before configuring an LDAP gateway
Before you set up a Lightweight Directory Access Protocol (LDAP) gateway, ensure that you have the following information.
Details about the directory
You’ll need the following information about the LDAP directory:
- The host name and port for all server instances.
- A service account from the directory server that the PingOne gateway will use to access the directory (bind DN and bind password). Learn more about configuring the service account and granting the required permissions in Best practices for configuring Active Directory for LDAP gateways. The service account must be able to search for users in the directory by username.
- Whether the directory instances support TLS and StartTLS. If the TLS certificates for the servers were signed by a non-default certificate authority (CA), you must have the CA’s signing certificates available to upload to PingOne. Learn more in Importing an LDAP certificate to PingOne.
- A method for correlating a directory user with a PingOne user, including the base DN for issuing searches against the directory and the attribute that corresponds to the PingOne username attribute.
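The lookup the gateway performs with the service account is a subtree search under the base DN for the entry whose username attribute equals the PingOne username. The following added example (not PingOne's code) reproduces that lookup with OpenLDAP's `ldapsearch`, so you can confirm the bind DN, base DN, attribute and StartTLS support before configuring the gateway. The username is escaped per RFC 4515, so a value containing `*` or parentheses cannot widen the search. The host, DNs and the `sAMAccountName` attribute are placeholders; `LDAPTLS_CACERT` is the OpenLDAP client variable for a non-default CA bundle.

```python
"""Reproduce the LDAP gateway's user lookup with ldapsearch (added example)."""
import os
import shutil
import subprocess

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_attr, username, object_class="user"):
    """Filter matching exactly the entry whose username attribute equals the PingOne username."""
    return f"(&(objectClass={object_class})({username_attr}={escape_filter_value(username)}))"


def ldapsearch_argv(host, port, bind_dn, base_dn, search_filter, tls="starttls"):
    """argv for an ldapsearch that performs the same subtree search the gateway does.

    tls: "starttls" (ldap:// plus -ZZ, which fails instead of falling back to
    cleartext), "ldaps" (TLS from the first byte) or "none" (lab use only).
    The list form keeps user-supplied values out of any shell; -W makes
    ldapsearch prompt for the bind password so it never appears in argv.
    "1.1" requests no attributes, so only matching DNs are returned.
    """
    if tls not in ("starttls", "ldaps", "none"):
        raise ValueError(f"unknown tls mode: {tls}")
    scheme = "ldaps" if tls == "ldaps" else "ldap"
    argv = ["ldapsearch"]
    if tls == "starttls":
        argv.append("-ZZ")
    argv += ["-H", f"{scheme}://{host}:{port}", "-D", bind_dn, "-W",
             "-b", base_dn, "-s", "sub", "-LLL", search_filter, "1.1"]
    return argv


def parse_dns(ldif):
    """Extract the DNs from ldapsearch's LDIF output."""
    return [line[4:].strip() for line in ldif.splitlines() if line.startswith("dn: ")]


def run_search(argv, ca_file=None):
    """Run the search and return the matching DNs (expect exactly one per username).

    ca_file: PEM bundle for a directory whose certificate was signed by a
    non-default CA; the OpenLDAP client library reads it from LDAPTLS_CACERT.
    """
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError("ldapsearch (OpenLDAP client tools) is not installed")
    env = dict(os.environ)
    if ca_file:
        env["LDAPTLS_CACERT"] = ca_file
    proc = subprocess.run(argv, check=True, capture_output=True, text=True, env=env)
    return parse_dns(proc.stdout)


if __name__ == "__main__":
    # Placeholder values; replace with your directory's host, service account and base DN.
    filt = build_user_filter("sAMAccountName", "jdoe")
    argv = ldapsearch_argv("ldap.example.test", 389,
                           "CN=svc-pingone,OU=Service Accounts,DC=example,DC=test",
                           "DC=example,DC=test", filt)
    print("Matching entries:", run_search(argv))
```

A successful search that returns exactly one DN shows that the bind credentials work, that the account can search by username under the base DN, and (with `-ZZ`) that the server accepts StartTLS with a certificate the client trusts.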
Docker
You can run the gateway in a Docker container or as a standalone Java or Windows application. If you plan to run the gateway in a Docker container, you must have Docker installed on the computer that will run the gateway.
System requirements
The computer, virtual machine, or Docker environment that will run the gateway should have the following resources dedicated to the gateway:
Resource | Requirement |
---|---|
Processor | Two CPUs or virtual CPUs |
RAM | 1 GB |
Storage | 1 GB |
Java
Verify the Java version on the computer that will run the gateway. Ensure that you have one of the following versions:
- 17.0.8 or later
- 21 LTS or later
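To check the installed JVM against that requirement from a script, the following added example (not PingOne's code) parses the `java -version` banner, which the JDK writes to stderr rather than stdout, and compares it with 17.0.8; because the comparison is "17.0.8 or later", 21 and later pass as well. The function names are this example's own and the sample banners in the comments are constructed.

```python
"""Verify the JVM version on the gateway host (added example)."""
import re
import shutil
import subprocess

MIN_VERSION = (17, 0, 8)   # "17.0.8 or later"; 21 LTS and later satisfy this too
_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?[^"]*"')
_LEGACY_RE = re.compile(r'version "1\.(\d+)')   # "1.8.0_392" style: the minor is the real major


def parse_java_version(output):
    """Return (major, minor, patch) from `java -version` output.

    Accepts the modern form ('openjdk version "17.0.8" 2023-07-18 LTS'), a bare
    major ('version "21"'), a build suffix ('"17.0.8+7"') and the legacy 1.x form.
    """
    legacy = _LEGACY_RE.search(output)
    if legacy:
        return (int(legacy.group(1)), 0, 0)
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found")
    return tuple(int(g) if g else 0 for g in m.groups())


def version_ok(version):
    """True when the parsed version meets the documented minimum."""
    return version >= MIN_VERSION


def installed_java_ok(java="java"):
    """Run `java -version` on this host and return (version, ok)."""
    path = shutil.which(java)
    if path is None:
        raise FileNotFoundError(f"{java} not found on PATH")
    proc = subprocess.run([path, "-version"], capture_output=True, text=True, check=True)
    # The version banner goes to stderr; fall back to stdout for unusual launchers.
    version = parse_java_version(proc.stderr or proc.stdout)
    return version, version_ok(version)


if __name__ == "__main__":
    found, ok = installed_java_ok()
    print("Java", ".".join(map(str, found)), "meets requirement" if ok else "is too old")
```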
Gateway access
The gateway requires access to the LDAP directory server over the network as well as the ability to initiate outbound requests over the internet to establish a WebSocket Secure connection to PingOne.
The WebSocket Secure address varies depending on your region. Ensure that the gateway can access the WebSocket Secure address for your region, as listed in the following table.
If provisioning will be used, the gateway must be able to establish an outbound connection to the API endpoints for your region, as listed in the following table. Learn more in Creating an LDAP gateway provisioning connection.
Region | Address | API Endpoints |
---|---|---|
North America (US) | wss://gateways.pingone.com/, wss://gateways-us-east-2.pingone.com/, wss://gateways-us-west-2.pingone.com/ | auth.pingone.com, api.pingone.com |
North America (Canada) | wss://gateways.pingone.ca/, wss://gateways-ca-central-1a.pingone.ca/, wss://gateways-ca-central-1b.pingone.ca/ | auth.pingone.ca, api.pingone.ca |
Europe | wss://gateways.pingone.eu/, wss://gateways-eu-central-1.pingone.eu/, wss://gateways-eu-west-1.pingone.eu/ | auth.pingone.eu, api.pingone.eu |
Australia | wss://gateways.pingone.com.au/, wss://gateways-ap-southeast-2.pingone.com.au/ | auth.pingone.com.au, api.pingone.com.au |
Asia Pacific | wss://gateways.pingone.asia/, wss://gateways-ap-southeast-2.pingone.asia/ | auth.pingone.asia, auth.pingone.asia |
PingOne user privileges
The administrator setting up the gateway must have the Environment admin role. To confirm, open the PingOne console, locate the administrator identity, and confirm its roles.
Forward web proxy server
You can configure the client application to use a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne. You’ll need to provide:
- The IP address and the port of the web proxy
- Access credentials if the web proxy requires authentication. An LDAP gateway client version of 3.3.0 or higher is required.
Learn more about configuring a web proxy in Starting a gateway instance.
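Before starting the gateway, it is worth confirming from the gateway host itself that every WebSocket Secure address for your region is reachable, either directly or through the forward web proxy. The following added example (not PingOne's code) opens a TCP connection to each address, optionally via an HTTP CONNECT proxy with Basic credentials, and completes a TLS handshake, which also exercises the CA trust the gateway will rely on. The WSS addresses are those in the region table above; the function names, the optional CA bundle argument and the proxy handling are this example's own design.

```python
"""Outbound reachability check for a PingOne LDAP gateway host (added example)."""
import base64
import socket
import ssl
from urllib.parse import urlparse

# WebSocket Secure addresses per region, as listed in the table above.
GATEWAY_WSS = {
    "North America (US)": ["wss://gateways.pingone.com/",
                           "wss://gateways-us-east-2.pingone.com/",
                           "wss://gateways-us-west-2.pingone.com/"],
    "North America (Canada)": ["wss://gateways.pingone.ca/",
                               "wss://gateways-ca-central-1a.pingone.ca/",
                               "wss://gateways-ca-central-1b.pingone.ca/"],
    "Europe": ["wss://gateways.pingone.eu/",
               "wss://gateways-eu-central-1.pingone.eu/",
               "wss://gateways-eu-west-1.pingone.eu/"],
    "Australia": ["wss://gateways.pingone.com.au/",
                  "wss://gateways-ap-southeast-2.pingone.com.au/"],
    "Asia Pacific": ["wss://gateways.pingone.asia/",
                     "wss://gateways-ap-southeast-2.pingone.asia/"],
}


def wss_target(url):
    """Return (host, port) for a wss:// URL; wss defaults to port 443."""
    parts = urlparse(url)
    if parts.scheme != "wss" or not parts.hostname:
        raise ValueError(f"not a wss:// URL: {url}")
    return parts.hostname, parts.port or 443


def connect_request(host, port, credentials=None):
    """HTTP CONNECT request asking a forward web proxy to tunnel to host:port.

    credentials: optional (user, password) pair, sent as Proxy-Authorization: Basic
    for proxies that require authentication.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def open_via_proxy(proxy_host, proxy_port, host, port, credentials=None, timeout=5.0):
    """Open a TCP tunnel through the proxy; return the socket once the proxy answers 200."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(connect_request(host, port, credentials).encode())
    reply = b""
    while b"\r\n\r\n" not in reply:          # read the proxy's response headers
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    if status.split()[1:2] != ["200"]:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status!r}")
    return sock


def check_endpoint(url, ca_bundle=None, proxy=None, timeout=5.0):
    """TLS-handshake with one WSS endpoint and report the outcome as a dict.

    ca_bundle: PEM file to trust instead of the system store. proxy: optional
    dict with "host", "port" and an optional "credentials" (user, password) pair.
    """
    host, port = wss_target(url)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        if proxy:
            raw = open_via_proxy(proxy["host"], proxy["port"], host, port,
                                 proxy.get("credentials"), timeout)
        else:
            raw = socket.create_connection((host, port), timeout=timeout)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"url": url, "ok": True, "tls": tls.version(), "error": None}
    except OSError as exc:   # DNS failure, blocked egress, timeout, or TLS/certificate error
        return {"url": url, "ok": False, "tls": None, "error": str(exc)}


def check_region(region, **kwargs):
    """Check every WSS address listed for a region."""
    return [check_endpoint(url, **kwargs) for url in GATEWAY_WSS[region]]


if __name__ == "__main__":
    for result in check_region("Europe"):
        print("OK  " if result["ok"] else "FAIL", result["url"], result["error"] or result["tls"])
```

A failed handshake with a certificate error usually means an inspecting proxy re-signs the traffic; pass its CA bundle as `ca_bundle` to confirm that is the only obstacle.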
Kerberos
If you are using Kerberos for authentication with Active Directory, you’ll need:
- Service Account User Principal Name
- Service Account Password
- Service Principal Name
Learn more about configuring service principal names in Creating SPNs.
The Service Account must be configured with AES 128 bit or 256 bit encryption. To configure encryption in Kerberos:
- Start Active Directory Users and Computers.
- View the properties of the Service Account that you created for the gateway.
- Click the Account tab.
- In the Account Options section, select one or both of the following:
  - Kerberos AES 128 bit encryption
  - Kerberos AES 256 bit encryption
Learn more in Kerberos authentication.