This can be configured through the writability-mode property in the global configuration, or through the writability-mode property for each backend. In either case, the property offers the following values:

enabled: Indicates that writes are enabled.

disabled: Indicates that all write attempts are rejected, regardless of their origin.

internal-only: Indicates that write attempts from external clients are rejected, but writes received from replication or initiated internally within the server (for example, as a result of password policy state processing) are still accepted.

The writability mode defined in the global configuration applies only to user data backends. It will not apply to private backends, like the server configuration or schema.

If the writability-mode values differ between the global configuration and the backend configuration, then the server uses whichever property is more restrictive. That is, if either one is set to disabled, then all write attempts in that backend are rejected. If one is enabled and the other is set to internal-only, then the internal-only mode is used for that backend.

If you want to configure a PingDirectory server instance to be a read-only replica, then you should use the internal-only writability mode so that replication changes are still accepted but writes from external clients are rejected. If you would prefer that the server generate a referral for each external write attempt rather than rejecting it outright, then you should create an instance of the “Referral on Update” plugin and specify the base referral URLs that the server should use.
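The precedence rules above can be checked against an inventory of settings before a server is relied on as a read-only replica. The following Python sketch is an added example, not PingDirectory code: it models the rules as this page states them, and the function names, the origin labels and the sample backend inventory are constructed for illustration. It assumes a private backend is governed only by its own writability-mode.

```python
from enum import IntEnum

class Mode(IntEnum):
    # Ordered from least to most restrictive, so max() picks the stricter value.
    ENABLED = 0
    INTERNAL_ONLY = 1
    DISABLED = 2

MODE_NAMES = {"enabled": Mode.ENABLED,
              "internal-only": Mode.INTERNAL_ONLY,
              "disabled": Mode.DISABLED}
ORIGINS = ("external", "replication", "internal")  # hypothetical labels

def effective_mode(global_mode, backend_mode, private_backend=False):
    """Return the mode the server would enforce for one backend."""
    g, b = MODE_NAMES[global_mode], MODE_NAMES[backend_mode]
    # The global setting covers user data backends only (assumption: a
    # private backend such as config or schema follows its own setting).
    return b if private_backend else max(g, b)

def write_allowed(mode, origin):
    """Decide whether a write from the given origin is accepted."""
    if origin not in ORIGINS:
        raise ValueError(f"unknown origin: {origin}")
    if mode is Mode.ENABLED:
        return True
    if mode is Mode.DISABLED:
        return False
    return origin != "external"  # internal-only

def audit_read_only_replica(global_mode, backends):
    """List user data backends that would not behave as a read-only replica,
    either because external writes get through or replication is rejected."""
    findings = []
    for name, (backend_mode, private) in backends.items():
        if private:
            continue
        mode = effective_mode(global_mode, backend_mode)
        if mode is not Mode.INTERNAL_ONLY:
            findings.append((name, mode.name))
    return findings

# Constructed inventory: backend name -> (writability-mode, is_private)
SAMPLE_BACKENDS = {"userRoot": ("enabled", False),
                   "archive": ("disabled", False),
                   "config": ("enabled", True)}

if __name__ == "__main__":
    for name, state in audit_read_only_replica("internal-only", SAMPLE_BACKENDS):
        print(f"{name}: effective mode {state}, not a read-only replica")
```

With the global mode set to internal-only, the constructed `archive` backend is flagged because its own disabled setting also blocks replication changes.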