
Provisioning OpenLDAP with PingOne

OpenLDAP is an open-source implementation of LDAP. It’s a specialized database optimized for reading and searching rather than writing. You can use an LDAPv3-compliant directory connection in PingOne to provision users to your OpenLDAP account.

Provisioning capabilities

Resource    Capability      Description                                                   Inbound  Outbound
User        Create          Generates a new user record in the destination.               Yes      Yes
User        Read            Retrieves or polls user attributes for synchronization.       Yes      Yes
User        Update          Modifies existing attributes such as department.              Yes      Yes
User        Delete          Deletes a user, or temporarily suspends an account.           Yes      Yes
Group       Create          Provisions a new group in the target application.             Yes      No
Group       Rename          Updates the display name or identifier of an existing group.  Yes      No
Group       Delete          Removes a group from the target application.                  Yes      No
Membership  Add and remove  Handles additions and removals of users within groups.        Yes      No

Best practices

Do the following when configuring OpenLDAP:

  • Add Access Log Overlay to allow all activity on a given database to be reviewed using LDAP queries.

    Set higher values for the olcSizeLimit and olcDbMaxSize attributes so that changelog entries are not lost.

  • Add MDB Backend to serve as the high-performance, memory-mapped primary storage engine for OpenLDAP.

  • Add MemberOf to see all the groups a user belongs to by looking at the user record itself.

  • Add Referential Integrity to help automatically maintain relationships among entities, such as between users and groups.
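As an added example (not from the PingOne documentation or the OpenLDAP project), the following cn=config LDIF applies the four best practices above in one pass. The {1}mdb index for the primary directory, the {2}mdb index for the access log, the /var/lib/ldap/accesslog path, the size values and the presence of a cn=module{0} entry are assumptions; apply it with ldapadd -Y EXTERNAL -H ldapi:/// after replacing the placeholder password hash.

```ldif
# Load the overlay modules (assumes cn=module{0} already exists).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: accesslog
olcModuleLoad: memberof
olcModuleLoad: refint

# Accesslog MDB database: the PingOne inbound gateway binds here as cn=accesslog.
# olcDbMaxSize (bytes) and olcSizeLimit are raised so changelog entries are not lost.
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcDbDirectory: /var/lib/ldap/accesslog
olcRootDN: cn=accesslog
olcRootPW: {SSHA}REPLACE-WITH-HASHED-PASSWORD
olcDbMaxSize: 4294967296
olcSizeLimit: 100000
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart eq
olcAccess: to * by dn.exact="cn=accesslog" read by * none

# Accesslog overlay on the primary database (assumed to be {1}mdb):
# record successful writes and purge entries older than 7 days once a day.
dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

# MemberOf overlay: maintain memberOf on user entries from groupOfNames member values.
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE

# Referential integrity: repair member/memberOf when entries are renamed or deleted.
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member memberOf
```

The olcAccess line denies the change log to every identity other than the cn=accesslog root DN, which is the only one PingOne needs.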

Provisioning OpenLDAP

Configure OpenLDAP provisioning to synchronize users and groups between your LDAP directory and PingOne.

Before you begin

Make sure that you have:

Steps

  1. In the PingOne admin console, add an LDAP gateway and enter the following configurations that apply to your OpenLDAP account:

    • LDAP Directory Type: Select LDAPv3-compliant Directory Server.

    • LDAP Host Name: Enter the IP address or host name for the external directory server.

    • Port: Enter 389.

    • Connection Security: Select StartTLS and click Allow TLS connections with untrusted certificates.

    • Default Bind DN: For inbound, enter the bind DN configured in the directory for the change log, for example cn=accesslog. For outbound, enter the bind DN of the directory account through which users and groups will be synchronized, for example cn=admin,dc=pingidentity,dc=org.

    • Bind Password: Enter the password for the selected bind DN.

  2. Create an LDAP provisioning connection for OpenLDAP and select the OpenLDAP gateway you created.

  3. Create an inbound rule for a connection through an LDAP gateway, or an outbound rule for a connection through an LDAP gateway, and select the existing OpenLDAP connection as the source or target respectively. At this point you can also add a user filter and an attribute mapping.

    The relative distinguished name (RDN), uid or cn used for synchronization must be unique across the entire distinguished name (DN). Users or groups with duplicate RDNs won’t be provisioned.

  4. Confirm users and groups are successfully provisioned to OpenLDAP. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.

LDAPv3 directory attributes

The following table lists common LDAPv3 attributes that can be mapped for user provisioning.

Attribute           Description
uid (required)      The user name for the user account. Typically mapped to Username.
sn                  The last name (surname) of the user. Typically mapped to Family Name.
cn                  The common name for the user account. Typically mapped to Username.
Given Name          The first name of the user.
Mail                The email address for the user.
Mobile Phone        The mobile telephone number for the user.
Telephone Number    The telephone number for the user.
Title               The user’s title, such as Manager or CEO.
Active              The status of the user account.
Password            The password for the user.
Street Address      The physical address for the user.
Postal Code         The ZIP code or postal code for the user.
l                   The user’s default location for purposes of localizing things such as currency, date and time format, or numerical representations.
st                  The region for the user.
Preferred Language  The primary language for the user.

Default attribute mapping for LDAP inbound provisioning

LDAPv3 default user attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne user attributes for user provisioning.

Attribute   Description
uid         The user’s username.
Given Name  The user’s first (given) name.
sn          The user’s last name (surname).
Mail        The user’s email address.
Active      The status of the user account in PingDirectory.

LDAPv3 default group attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne user attributes for user provisioning.

Attribute  Description
entryUUID  The group ID.
cn         Group name.
dn         Group display name.

OpenLDAP LDAPv3-compliant directory type limitations

The following limitations and requirements apply to OpenLDAP.

  • Currently, the posixGroup object class, which is specific to UNIX and Linux identities, isn’t supported.

  • The memberOf attribute is system-generated and doesn’t update during real-time sync. It’s only updated during a full sync.

  • Avoid manually creating system-generated or operational attributes, as this can cause data inconsistencies.