PingOne

LDAP gateway and user type scenarios

Use the information in this section to resolve the following Lightweight Directory Access Protocol (LDAP) gateway and user type scenarios.

An LDAP gateway is disabled

Re-enable the LDAP gateway.

An LDAP gateway client is stopped

Start or restart the LDAP gateway client.

A user type is deleted

  1. In the PingOne admin console, go to Integrations > Gateways.

  2. Click the appropriate gateway and add a new user type:

    The settings for the new user type should match those of the deleted one.

    1. If the settings related to the underlying directory server have changed, adjust the settings of the new user type accordingly.

    2. Get the ID of the existing LDAP gateway and the ID of the new user type.

  3. Edit the sign-on policy you created to use the new user type.

    If you use DaVinci to manage end-user authentication, update the Authenticate User via Kerberos and Migrate User through Gateway capabilities from the PingOne Authentication connector to use the new user type.

  4. Use the API or the PingOne admin console to get the correlationAttributes attribute value for each user whose PingOne user record points to the deleted user type. Copy the values exactly as stored: PingOne uses them to match the user record to its directory entry, and a record with mistyped or stale values will not correlate. If an entry was moved or renamed in the directory after the record was created, the dn and sAMAccountName might be out of date; objectGUID and objectSid survive a move, so use them to look up the current values.

    Sample correlationAttributes attribute and its value:

    "correlationAttributes": {
      "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
      "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
      "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
      "sAMAccountName": "bnewman"
    }
  5. Use the Update Password request (PUT /environments/{{envID}}/users/{{userID}}/password) with the application/vnd.pingidentity.password.setGateway+json content type to point each applicable PingOne user record at the new user type. In the request body, id is the ID of the existing LDAP gateway and userType.id is the ID of the new user type. After updating the records, verify the change by signing on as one of the affected users through the updated sign-on policy.

    Sample API request using curl:

    curl --location --request PUT '{{apiPath}}/environments/{{envID}}/users/{{userID}}/password' \
    --header 'Authorization: Bearer {{accessToken}}' \
    --header 'Content-Type: application/vnd.pingidentity.password.setGateway+json' \
    --data-raw '{
        "id": "{{existingGatewayID}}",
        "userType": {
            "id": "{{newUserTypeID}}"
        },
        "correlationAttributes": {
            "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
            "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
            "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
            "sAMAccountName": "bnewman"
        }
    }'

An LDAP gateway is deleted

  1. In the PingOne admin console, go to Integrations > Gateways.

  2. Add a new LDAP gateway and a new user type.

    The settings in the new LDAP gateway and user type should match those of the deleted ones.

    1. If the settings related to the underlying directory server have changed, adjust the settings of the new LDAP gateway and user type accordingly.

    2. Get the ID of the new LDAP gateway and the ID of the new user type.

  3. Create a sign-on policy to use the new user type.

    If you use DaVinci to manage end-user authentication, update the Authenticate User via Kerberos and Migrate User through Gateway capabilities from the PingOne Authentication connector to use the new user type.

    If you use the LDAP connector, update it to use the new user type as well.

  4. Use the API or the PingOne admin console to get the correlationAttributes attribute value for each user whose PingOne user record points to the deleted user type. Copy the values exactly as stored: PingOne uses them to match the user record to its directory entry, and a record with mistyped or stale values will not correlate. If an entry was moved or renamed in the directory after the record was created, the dn and sAMAccountName might be out of date; objectGUID and objectSid survive a move, so use them to look up the current values.

    Sample correlationAttributes attribute and its value:

    "correlationAttributes": {
      "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
      "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
      "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
      "sAMAccountName": "bnewman"
    }
  5. Use the Update Password request (PUT /environments/{{envID}}/users/{{userID}}/password) with the application/vnd.pingidentity.password.setGateway+json content type to point each applicable PingOne user record at the new gateway and user type. In the request body, id is the ID of the new LDAP gateway and userType.id is the ID of the new user type. After updating the records, verify the change by signing on as one of the affected users through the new sign-on policy.

    Sample API request using curl:

    curl --location --request PUT '{{apiPath}}/environments/{{envID}}/users/{{userID}}/password' \
    --header 'Authorization: Bearer {{accessToken}}' \
    --header 'Content-Type: application/vnd.pingidentity.password.setGateway+json' \
    --data-raw '{
        "id": "{{newGatewayID}}",
        "userType": {
            "id": "{{newUserTypeID}}"
        },
        "correlationAttributes": {
            "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
            "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
            "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
            "sAMAccountName": "bnewman"
        }
    }'
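Steps 4 and 5 of both procedures above (a deleted user type and a deleted gateway) are the same for every affected user: copy the correlationAttributes from the old record, then send one setGateway request per user. The script below is an added example, not PingOne's own tooling. It assumes only the request shape shown on this page (the PUT URL and the application/vnd.pingidentity.password.setGateway+json content type); the gateway, user type, environment and user IDs are constructed placeholders, and the correlationAttributes are the page's sample values. The HTTP transport is injected so the script runs offline; for a live run, pass a function that performs the PUT with urllib.request or requests and returns the status code.

```python
"""Bulk re-point of PingOne user records to a replacement user type.

Added example, not PingOne's own tooling. It assumes only the request shape
shown on this page: PUT {apiPath}/environments/{envID}/users/{userID}/password
with Content-Type application/vnd.pingidentity.password.setGateway+json.
All ids below are constructed placeholders.
"""
import json
import re
import uuid

SET_GATEWAY_CONTENT_TYPE = "application/vnd.pingidentity.password.setGateway+json"
# The four attributes the page's sample correlates on (Active Directory).
REQUIRED_CORRELATION_KEYS = ("objectGUID", "objectSid", "dn", "sAMAccountName")
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def validate_correlation_attributes(attrs):
    """Fail loudly on values that could never match a directory entry.
    A typo or stale copy here silently produces a record that no longer
    correlates to the directory user, so check before sending anything."""
    missing = [k for k in REQUIRED_CORRELATION_KEYS if not attrs.get(k)]
    if missing:
        raise ValueError(f"missing correlation attributes: {missing}")
    uuid.UUID(attrs["objectGUID"])  # ValueError if not a GUID
    if not SID_RE.match(attrs["objectSid"]):
        raise ValueError(f"objectSid is not a domain SID: {attrs['objectSid']}")
    if not attrs["dn"].upper().startswith("CN="):
        raise ValueError(f"dn does not look like a user entry: {attrs['dn']}")
    return {k: attrs[k] for k in REQUIRED_CORRELATION_KEYS}  # known keys only


def build_set_gateway_body(gateway_id, user_type_id, attrs):
    """Top-level "id" is the GATEWAY id; the user type id is nested under
    "userType". Swapping them is the easy mistake, so both are checked."""
    for value in (gateway_id, user_type_id):
        uuid.UUID(value)  # both ids are UUIDs; ValueError otherwise
    if gateway_id == user_type_id:
        raise ValueError("gateway id and user type id are identical; check which is which")
    return {"id": gateway_id, "userType": {"id": user_type_id},
            "correlationAttributes": validate_correlation_attributes(attrs)}


def repoint_user(transport, api_path, env_id, user_id, access_token,
                 gateway_id, user_type_id, attrs):
    """Send one Update Password (setGateway) request; return the HTTP status."""
    url = f"{api_path}/environments/{env_id}/users/{user_id}/password"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": SET_GATEWAY_CONTENT_TYPE}
    body = json.dumps(build_set_gateway_body(gateway_id, user_type_id, attrs)).encode()
    return transport("PUT", url, headers, body)


def repoint_all(transport, api_path, env_id, access_token, gateway_id, user_type_id, users):
    """users maps PingOne user id -> correlationAttributes read from its old record.
    Returns user id -> HTTP status (-1 for records rejected locally), so failed
    users can be retried individually instead of aborting the whole batch."""
    results = {}
    for user_id, attrs in users.items():
        try:
            results[user_id] = repoint_user(transport, api_path, env_id, user_id,
                                            access_token, gateway_id, user_type_id, attrs)
        except ValueError as exc:
            results[user_id] = -1
            print(f"{user_id}: skipped, {exc}")
    return results


def recording_transport(log):
    """Offline transport: records each decoded request and answers 200.
    transport(method, url, headers, body) -> HTTP status is the contract."""
    def send(method, url, headers, body):
        log.append({"method": method, "url": url,
                    "content_type": headers["Content-Type"], "body": json.loads(body)})
        return 200
    return send


# Constructed placeholder ids plus the page's sample correlationAttributes.
EXISTING_GATEWAY_ID = "0f9c2a6e-1111-4f5e-9a3b-000000000001"
NEW_USER_TYPE_ID = "0f9c2a6e-2222-4f5e-9a3b-000000000002"
ENV_ID = "0f9c2a6e-5555-4f5e-9a3b-000000000005"
SAMPLE_USERS = {
    "0f9c2a6e-3333-4f5e-9a3b-000000000003": {
        "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
        "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
        "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
        "sAMAccountName": "bnewman",
    },
    # Constructed stale copy with objectSid missing: rejected locally, never sent.
    "0f9c2a6e-4444-4f5e-9a3b-000000000004": {
        "objectGUID": "1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b",
        "dn": "CN=Jane Doe,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
        "sAMAccountName": "jdoe",
    },
}

if __name__ == "__main__":
    calls = []
    print(repoint_all(recording_transport(calls), "https://api.pingone.com/v1", ENV_ID,
                      "ACCESS_TOKEN", EXISTING_GATEWAY_ID, NEW_USER_TYPE_ID, SAMPLE_USERS))
```

Run as-is, the first user produces one PUT with the expected body and the second is skipped before any request leaves the machine. The per-user status map is the useful output: re-run only the entries that did not return 200, and use a worker token scoped to the one environment, since the setGateway request rewrites how each user authenticates.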

An LDAP gateway is shut down or terminated

When an LDAP gateway client application is shut down or forcibly terminated because of an error or sudden machine failure, PingOne attempts to complete the processing of current traffic. However, because of network latency, a few final requests might arrive after the shutdown process begins and could initially fail.

PingOne responds by:

  • Automatically retrying failed in-transit requests on a different, active LDAP gateway instance. This process is called a graceful shutdown.

  • Routing subsequent traffic to active nodes without user intervention.

  • Directing new incoming requests to the remaining active LDAP gateway instances.

A user’s authentication won’t fail. Users might experience a delay of a couple of seconds as traffic is rerouted, but don’t need to manually retry the operation.