The LDAP external server configuration element defines the connection, location, and health check information necessary for the PingDirectoryProxy server to communicate with the server properly.
PingDirectoryProxy includes a tool, prepare-external-server, for configuring communication between the PingDirectoryProxy server and the LDAP backend server. After you add a new LDAP external server to an existing installation, we strongly recommend that you run this tool to automatically create the user account necessary for communications. The prepare-external-server tool does not make configuration changes to the local PingDirectoryProxy server, only the external server is modified. When you run this tool, you must supply the user account and password that you specified for the PingDirectoryProxy server during configuration, cn=Proxy User by default.
cn=Directory Manageras the account to use for communication between the PingDirectoryProxy server and the PingDirectory server. For security reasons, the account used to communicate between the PingDirectoryProxy server and the PingDirectory server should not be directly accessible by clients accessing the PingDirectoryProxy server. The account that you choose should meet the following criteria:
For all server types, it should not exist in the PingDirectoryProxy server but only in the backend directory server instances.
For the PingDirectory server, this user should be a root user.
For the PingDirectory server, this user should not automatically inherit the default set of root privileges, but instead should have exactly the following set of privileges:
proxied-auth, and stream-values.
For Sun Directory Servers, the account should be created below the cn=Root DNs,cn=config entry and the
nsIdleTimeoutvalues for the account should be set to -1. You also need to create access control rules to grant the user account appropriate permissions within the server. The prepare-external-server tool handles all of this work automatically.