The LDAP external server configuration element defines the connection, location, and health check information necessary for the Directory Proxy Server to communicate with the server properly.
PingDirectoryProxy Server includes a tool, prepare-external-server, for configuring communication between the Directory Proxy Server and the LDAP backend server. After you add a new LDAP external server to an existing installation, we strongly recommend that you run this tool to automatically create the user account necessary for communications. The prepare-external-server tool does not make configuration changes to the local Directory Proxy Server, only the external server is modified. When you run this tool, you must supply the user account and password that you specified for the Directory Proxy Server during configuration, cn=Proxy User by default.
cn=Directory Manageras the account to use for communication between the Directory Proxy Server and the Directory Server. For security reasons, the account used to communicate between the Directory Proxy Server and the Directory Server should not be directly accessible by clients accessing the Directory Proxy Server. The account that you choose should meet the following criteria:
For all server types, it should not exist in the Directory Proxy Server but only in the backend directory server instances.
For Ping Identity Directory Server, this user should be a root user.
For Ping Identity Directory Server, this user should not automatically inherit the default set of root privileges, but instead should have exactly the following set of privileges:
proxied-auth, and stream-values.
For Sun Directory Servers, the account should be created below the cn=Root DNs,cn=config entry and the
nsIdleTimeoutvalues for the account should be set to -1. You also need to create access control rules to grant the user account appropriate permissions within the server. The prepare-external-server tool handles all of this work automatically.