---
title: Provisioning OpenLDAP with PingOne
description: Provision OpenLDAP in PingOne.
component: pingone
page_id: pingone:integrations:p1_provisioning_connection_openldap
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_provisioning_connection_openldap.html
revdate: February 10, 2026
section_ids:
  provisioning-capabilities: Provisioning capabilities
  best-practices: Best practices
  provisioning-openldap: Provisioning OpenLDAP
  before-you-begin: Before you begin
  steps: Steps
  ldapv3-directory-attributes: LDAPv3 directory attributes
  default-attribute-mapping-for-ldap-inbound-provisioning: Default attribute mapping for LDAP inbound provisioning
  ldapv3-default-user-attributes: LDAPv3 default user attributes
  ldapv3-default-group-attributes: LDAPv3 default group attributes
  openldap-ldapv3-compliant-directory-type-limitations: OpenLDAP LDAPv3-compliant directory type limitations
---

# Provisioning OpenLDAP with PingOne

OpenLDAP is an open-source implementation of LDAP. It's a specialized database optimized for reading and searching rather than writing. You can use an LDAPv3-compliant directory connection in PingOne to provision users to your OpenLDAP account.

## Provisioning capabilities

| Resource   | Capability     | Description                                                  | Inbound | Outbound |
| ---------- | -------------- | ------------------------------------------------------------ | ------- | -------- |
| User       | Create         | Generates a new user record in the destination.              | Yes     | Yes      |
|            | Read           | Retrieves or polls user attributes for synchronization.      | Yes     | Yes      |
|            | Update         | Modifies existing attributes such as `department`.           | Yes     | Yes      |
|            | Delete         | Deletes a user, or temporarily suspends an account.          | Yes     | Yes      |
| Group      | Create         | Provisions a new group in the target application.            | Yes     | No       |
|            | Rename         | Updates the display name or identifier of an existing group. | Yes     | No       |
|            | Delete         | Removes a group from the target application.                 | Yes     | No       |
| Membership | Add and remove | Handles additions and removals of users within groups.       | Yes     | No       |

## Best practices

Do the following when configuring OpenLDAP:

* Add **Access Log Overlay** to allow all activity on a given database to be reviewed using LDAP queries.

  **Note:** Set higher values for the `olcSizeLimit` and `olcDbMaxSize` attributes of the access log database to prevent losing changelog entries.

* Add **MDB Backend** to serve as the high-performance, memory-mapped primary storage engine for OpenLDAP.

* Add **MemberOf** to see all the groups a user belongs to by looking at the user record itself.

* Add **Referential Integrity** to help automatically maintain relationships among entities, such as between users and groups.

## Provisioning OpenLDAP

Configure OpenLDAP provisioning to synchronize users and groups between your LDAP directory and PingOne.

### Before you begin

Make sure that you have:

* An OpenLDAP administrator account. Learn more in the [OpenLDAP documentation](https://www.openldap.org/doc).

* Users created and assigned to a group specifically for OpenLDAP provisioning in PingOne. Learn more in [Adding a user](../directory/p1_adduser.html) and [Managing groups](../directory/p1_managing_groups.html).

### Steps

1. In the PingOne admin console, [add an LDAP gateway](p1_add_ldap_gateway.html) and enter the following configurations that apply to your OpenLDAP account:

   * **LDAP Directory Type**: Select **LDAPv3-compliant Directory Server**.

   * **LDAP Host Name**: Enter the IP address or host name for the external directory server.

   * **Port**: Enter `389`.

   * **Connection Security**: Select **StartTLS** and click **Allow TLS connections with untrusted certificates**.

   * **Default Bind DN**: For inbound, enter the bind DN configured in the directory, for example **cn=accesslog**. For outbound, enter the bind DN of the directory account through which users and groups will sync, for example **cn=admin,dc=pingidentity,dc=org**.

   * **Bind Password**: Enter the password for the selected bind DN.

2. Create an [LDAP provisioning connection for OpenLDAP](p1_create_provisioning_connection_gateway.html) and select the OpenLDAP gateway you created.

3. [Create an inbound rule for a connection through an LDAP gateway](p1_create_inbound_provisioning_rule_gateway.html) or [outbound rule for a connection through an LDAP gateway](p1_create_outbound_provisioning_rule_gateway.html) and select the existing OpenLDAP connection as the target or source. This is also when you can add a user filter and attribute mapping.

   **Note:** The relative distinguished name (RDN), `uid` or `cn`, used for synchronization must be unique across the whole distinguished name (DN) tree. Users or groups with duplicate RDNs won't be provisioned.

4. Confirm users and groups are successfully provisioned to OpenLDAP. [View the sync status](p1_view_sync_status.html) to review synchronization results and any errors. You can find examples in [Outbound provisioning sync summary examples](p1_outbound_group_provisioning_sync_summary_examples.html).

## LDAPv3 directory attributes

The following table lists common LDAPv3 attributes that can be mapped for user provisioning.

| Attribute            | Description                                                                                                                         |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `uid` (required)     | The user name for the user account. Typically mapped to `Username`.                                                                 |
| `sn`                 | The last name (surname) of the user. Typically mapped to `Family Name`.                                                             |
| `cn`                 | The common name for the user account. Typically mapped to `Username`.                                                               |
| `Given Name`         | The first name of the user.                                                                                                         |
| `Mail`               | The email address for the user.                                                                                                     |
| `Mobile Phone`       | The mobile telephone number for the user.                                                                                           |
| `Telephone Number`   | The telephone number for the user.                                                                                                  |
| `Title`              | The user's title, such as Manager or CEO.                                                                                           |
| `Active`             | The status of the user account.                                                                                                     |
| `Password`           | The password for the user.                                                                                                          |
| `Street Address`     | The physical address for the user.                                                                                                  |
| `Postal Code`        | The ZIP code or postal code for the user.                                                                                           |
| `l`                  | The user's default location for purposes of localizing things such as currency, date and time format, or numerical representations. |
| `st`                 | The region for the user.                                                                                                            |
| `Preferred Language` | The primary language for the user.                                                                                                  |

## Default attribute mapping for LDAP inbound provisioning

### LDAPv3 default user attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne user attributes for user provisioning.

| Attribute    | Description                                      |
| ------------ | ------------------------------------------------ |
| `uid`        | The user's username.                             |
| `Given Name` | The user's first (given) name.                   |
| `sn`         | The user's last name (surname).                  |
| `Mail`       | The user's email address.                        |
| `Active`     | The status of the user account in PingDirectory. |

### LDAPv3 default group attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne group attributes for group provisioning.

| Attribute   | Description         |
| ----------- | ------------------- |
| `entryUUID` | The group ID.       |
| `cn`        | Group name.         |
| `dn`        | Group display name. |

## OpenLDAP LDAPv3-compliant directory type limitations

The following limitations and requirements apply to OpenLDAP.

* Currently, the `posixGroup` object class, which is specific to UNIX and Linux identities, isn't supported.

* The `memberOf` attribute is system-generated and doesn't update during real-time sync. It's only updated during a full sync.

* Avoid manually creating system-generated or operational attributes, as this can cause data inconsistencies.
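As an added pre-load check for the step 3 note on RDN uniqueness and for the limitations above (example code written for this page, not PingOne or OpenLDAP code): the script parses an LDIF file you are about to load into OpenLDAP and flags duplicate `uid`/`cn` RDNs, `posixGroup` entries, and hand-written `memberOf` values. The sample LDIF and the `dc=example,dc=org` suffix are constructed.

```python
from collections import defaultdict

# Added example (not PingOne or OpenLDAP code). Constructed sample LDIF: two
# entries share RDN uid=jdoe under different OUs, one carries a hand-written
# memberOf, and one group is a posixGroup.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe

dn: uid=jdoe,ou=contractors,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe
memberOf: cn=staff,ou=groups,dc=example,dc=org

dn: cn=unixadmins,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: unixadmins
gidNumber: 1001
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] for simple, unwrapped LDIF."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line:                              # blank line ends an entry
            if dn:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(": ")
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries

def readiness_report(text):
    """Map each rule on this page to the DNs in the file that violate it."""
    report = {"posix_group": [], "manual_memberof": []}
    rdn_owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        rdn = dn.split(",", 1)[0].lower()                 # e.g. "uid=jdoe"
        if rdn.split("=", 1)[0] in ("uid", "cn"):         # must be unique tree-wide
            rdn_owners[rdn].append(dn)
        if "posixgroup" in {c.lower() for c in attrs.get("objectclass", [])}:
            report["posix_group"].append(dn)
        if attrs.get("memberof"):                         # operational: never hand-set
            report["manual_memberof"].append(dn)
    report["duplicate_rdn"] = {r: d for r, d in rdn_owners.items() if len(d) > 1}
    return report
```

Run `readiness_report` over a real export before creating the provisioning rule; any non-empty list in the report is an entry that will be skipped or will drift after sync.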
