---
title: LDAP gateway and user type scenarios
description: Solve various LDAP gateway and user type scenarios in PingOne.
component: pingone
page_id: pingone:integrations:p1_ldap_gateway_user_scenarios_solutions
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_ldap_gateway_user_scenarios_solutions.html
revdate: October 6, 2025
section_ids:
  an-ldap-gateway-is-disabled: An LDAP gateway is disabled
  an-ldap-gateway-client-is-stopped: An LDAP gateway client is stopped
  a-user-type-is-deleted: A user type is deleted
  an-ldap-gateway-is-deleted: An LDAP gateway is deleted
  an-ldap-gateway-is-shutdown-or-terminated: An LDAP gateway is shutdown or terminated
---

# LDAP gateway and user type scenarios

Use the information in this section to solve various Lightweight Directory Access Protocol (LDAP) gateway and user type scenarios.

## An LDAP gateway is disabled

Re-enable the LDAP gateway.

## An LDAP gateway client is stopped

Start or restart the LDAP gateway client.

## A user type is deleted

1. In the PingOne admin console, go to **Integrations > Gateways**.

2. Click the appropriate gateway and [add a new user type](p1_add_a_user_type.html):

   The settings for the new user type should match those of the deleted one.

   1. If the settings related to the underlying directory server have changed, adjust the settings of the new user type accordingly.

   2. Get the ID of the existing LDAP gateway and the ID of the new user type.

3. Edit the sign-on policy you [created](p1_create_auth_policy_using_the_gateway.html) to use the new user type.

   If you use DaVinci to manage end-user authentication, update the **Authenticate User via Kerberos** and **Migrate User through Gateway** capabilities from the PingOne Authentication connector to use the new user type.

4. Use the [API](https://developer.pingidentity.com/pingone-api/platform/users/users-1/read-one-user.html) or the [PingOne admin console](../directory/p1_viewusers.html) to get the `correlationAttributes` attribute value for each user whose PingOne user record is pointing to the deleted user type.

   Sample `correlationAttributes` attribute and its value:

   ```json
   "correlationAttributes": {
     "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
     "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
     "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
     "sAMAccountName": "bnewman"
   }
   ```

5. Use the [PUT Update Password](https://developer.pingidentity.com/pingone-api/platform/users/user-passwords/update-password-external.html) request to update each applicable PingOne user record to point to the new user type.

   Sample API request using `curl`:

   ```
   curl --location --request PUT '{{apiPath}}/environments/{{envID}}/users/{{userID}}/password' \
   --header 'Authorization: Bearer {{accessToken}}' \
   --header 'Content-Type: application/vnd.pingidentity.password.setGateway+json' \
   --data-raw '{
      "id": "{{existingGatewayID}}",
      "userType": {
        "id": "{{newUserTypeID}}"
      },
      "correlationAttributes": {
          "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
          "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
          "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
          "sAMAccountName": "bnewman"
      }
   }'
   ```

## An LDAP gateway is deleted

1. In the PingOne admin console, go to **Integrations > Gateways**.

2. [Add a new LDAP gateway](p1_add_ldap_gateway.html) and a [new user type](p1_add_a_user_type.html).

   The settings in the new LDAP gateway and user type should match those of the deleted ones.

   1. If the settings related to the underlying directory server have changed, adjust the settings of the new user type accordingly.

   2. Get the ID of the new LDAP gateway and the ID of the new user type.

3. [Create a sign-on policy](p1_create_auth_policy_using_the_gateway.html) to use the new user type.

   If you use DaVinci to manage end-user authentication, update the **Authenticate User via Kerberos** and **Migrate User through Gateway** capabilities from the PingOne Authentication connector to use the new user type. If you use the LDAP connector, update it to use the new user type as well.

4. Use the [API](https://developer.pingidentity.com/pingone-api/platform/users/users-1/read-one-user.html) or the [PingOne admin console](../directory/p1_viewusers.html) to get the `correlationAttributes` attribute value for each user whose PingOne user record is pointing to the deleted user type.

   Sample `correlationAttributes` attribute and its value:

   ```json
   "correlationAttributes": {
     "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
     "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
     "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
     "sAMAccountName": "bnewman"
   }
   ```

5. Use the [PUT Update Password](https://developer.pingidentity.com/pingone-api/platform/users/user-passwords/update-password-external.html) request to update each applicable PingOne user record to point to the new user type.

   Sample API request using `curl`:

   ```
   curl --location --request PUT '{{apiPath}}/environments/{{envID}}/users/{{userID}}/password' \
   --header 'Authorization: Bearer {{accessToken}}' \
   --header 'Content-Type: application/vnd.pingidentity.password.setGateway+json' \
   --data-raw '{
       "id": "{{newGatewayID}}",
       "userType": {
           "id": "{{newUserTypeID}}"
       },
       "correlationAttributes": {
           "objectGUID": "c338caf3-6964-4d8b-b226-838a4b235cfe",
           "objectSid": "S-1-5-21-729906757-3091572434-2958842742-1114",
           "dn": "CN=Bob Newman,OU=NW,OU=People,DC=imokatdi,DC=ping-eng,DC=com",
           "sAMAccountName": "bnewman"
       }
   }'
   ```
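Steps 4 and 5 of both the deleted user type and the deleted gateway procedures can be planned for many users at once. The following is an added example, not PingOne's own code: it builds the PUT requests without sending them and sets aside users whose record has no `correlationAttributes` to copy. The function names, the sample records and IDs, the `api.example.test` host, and the `password.external.gateway` location of the gateway reference in the user record are assumptions.

```python
import json
import urllib.request
CONTENT_TYPE = "application/vnd.pingidentity.password.setGateway+json"

def gateway_ref(user):
    # Assumption: the user record exposes the reference at password.external.gateway.
    return user.get("password", {}).get("external", {}).get("gateway", {})

def build_request(api_path, env_id, token, gateway_id, new_user_type_id, user):
    """Build (without sending) the step 5 PUT request for one user record."""
    attrs = gateway_ref(user).get("correlationAttributes")
    if not attrs:  # step 5 copies these values; never send an empty set
        raise ValueError(f"user {user['id']} has no correlationAttributes")
    body = {"id": gateway_id, "userType": {"id": new_user_type_id}, "correlationAttributes": attrs}
    return urllib.request.Request(
        f"{api_path}/environments/{env_id}/users/{user['id']}/password",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": CONTENT_TYPE})

def plan_repoint(users, deleted_user_type_id, **target):
    """Return (requests to send, user IDs that need manual review)."""
    requests, review = [], []
    for user in users:
        if gateway_ref(user).get("userType", {}).get("id") != deleted_user_type_id:
            continue  # record does not point to the deleted user type
        try:
            requests.append(build_request(user=user, **target))
        except ValueError:
            review.append(user["id"])
    return requests, review

def _gw(user_type_id, attrs=None):  # helper for the constructed sample records
    return {"external": {"gateway": {"id": "gw-old", "userType": {"id": user_type_id},
                                     "correlationAttributes": attrs or {}}}}

SAMPLE_USERS = [  # constructed records, not real API output
    {"id": "u1", "password": _gw("ut-deleted", {"sAMAccountName": "bnewman"})},
    {"id": "u2", "password": _gw("ut-other", {"sAMAccountName": "asmith"})},
    {"id": "u3", "password": _gw("ut-deleted")},  # nothing to correlate on
    {"id": "u4"},                                 # no gateway reference at all
]
TARGET = dict(api_path="https://api.example.test/v1", env_id="env-1", token="REDACTED",
              gateway_id="gw-new", new_user_type_id="ut-new")  # constructed values

if __name__ == "__main__":
    reqs, review = plan_repoint(SAMPLE_USERS, "ut-deleted", **TARGET)
    for r in reqs:  # the Authorization header is deliberately not printed
        print(r.get_method(), r.full_url, r.data.decode())
    print("manual review:", review)
```

After reviewing the plan, each request can be sent with `urllib.request.urlopen`. For the deleted user type scenario, pass the existing gateway ID as `gateway_id`; for the deleted gateway scenario, pass the new gateway ID.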

## An LDAP gateway is shutdown or terminated

When an LDAP gateway client application is shut down or forcibly terminated due to an error or sudden machine failure, PingOne attempts to complete the processing of current traffic. However, because of network latency, a few final requests might arrive after the shutdown process begins and could initially fail.

PingOne responds by:

* Automatically retrying failed in-transit requests on a different, active LDAP gateway instance. This process is called a graceful shutdown.

* Routing subsequent traffic to active nodes without user intervention.

* Directing new incoming requests to the remaining active LDAP gateway instances.

A user's authentication won't fail. Users might experience a delay of a couple of seconds as traffic is rerouted, but don't need to manually retry the operation.
