On the Data Store screen's LDAP Configuration tab, provide the required information to establish an LDAP connection to your directory server.

  1. On the LDAP Configuration tab, configure your LDAP connection.
    For more information, refer to the following field descriptions.

    Data Store Name

    The name of the datastore.

    Applicable only when editing an existing datastore.

    Hostname(s)

    (Required)

    The network address of the directory server. It can be an IP address, a host name, or a fully qualified domain name. The entry may include a port number; for example, 10.10.10.101:1389. For failover, you can enter multiple directory servers, each separated by a space. In addition to network error conditions, PingFederate also fails over to the next server if the current server returns an LDAP system error.

    Note:

    If multiple directory servers are specified, each server must be accessible by using the same user DN and password (unless the Bind Anonymously check box is selected).

    You can add multiple hostnames. You can also specify which node is the default by clicking Set as Default under Action.

    PingFederate can also use DNS service (SRV) records to locate the directory server (when the Use DNS SRV Record check box is selected), in which case the value of this field must be a single domain; for example, example.com.

    Tags

    Tags are defined in the node.tags property in the <pf_install>/pingfederate/bin/run.properties file. See Deploying cluster servers for a description of the node.tags property.

    In regional PingFederate deployments, you can enter one or more tags for a hostname to specify which directory server host a particular PingFederate node should communicate with. If none of the tags match what is defined for the node.tags property, the default node is used.

    The following rules apply to tags:

    • Multiple tags specified for one node must be separated with spaces.
    • No tag can be used more than once per datastore.
    • Tags are optional. If needed, you can configure a non-default node without tags. Doing this can be useful if you are not yet ready to tag the node, or if you are still in the planning stage but want to enter the address for the node now.
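The Hostname(s) and Tags rules above can be modelled in a few lines. The following is an added example written for this page, not PingFederate code: it splits a space-separated Hostname(s) value into host/port targets, enforces the "no tag more than once per datastore" rule, and picks the host a node should use from its node.tags value, falling back to the default node when nothing matches. The default ports (389 for LDAP, 636 for LDAPS) and the assumption that exactly one host is marked as default are mine; the page does not state them. Host names in the sample are constructed.

```python
"""Model of the Hostname(s) and Tags selection rules (added example, not PingFederate code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HostEntry:
    """One row of the Hostname(s) table: address, port, its tags, and the default flag."""
    host: str
    port: int
    tags: frozenset = field(default_factory=frozenset)
    is_default: bool = False


def parse_hostnames(value: str, use_ldaps: bool) -> list[tuple[str, int]]:
    """Split the Hostname(s) field into (host, port) pairs.

    Entries are separated by spaces and may carry ':port'. Entries without a
    port get 636 when Use LDAPS is selected, else 389 (assumed defaults, not
    stated on the page). IPv6 literals must be bracketed, e.g. [2001:db8::1]:636.
    """
    default_port = 636 if use_ldaps else 389
    targets = []
    for entry in value.split():
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit() and not host.endswith(":"):
            targets.append((host, int(port)))
        else:
            targets.append((entry, default_port))
    return targets


def validate_tags(entries: list[HostEntry]) -> None:
    """Enforce the page's rule that a tag appears at most once per datastore,
    plus the assumption that exactly one entry is marked as the default."""
    seen: dict[str, str] = {}
    for e in entries:
        for t in e.tags:
            if t in seen:
                raise ValueError(f"tag {t!r} is used by both {seen[t]} and {e.host}")
            seen[t] = e.host
    if sum(e.is_default for e in entries) != 1:
        raise ValueError("exactly one host must be set as default")


def select_host(entries: list[HostEntry], node_tags: str) -> HostEntry:
    """Pick the host for a PingFederate node whose run.properties has
    node.tags=<node_tags> (space separated). The first entry sharing a tag
    wins; with no match, the default entry is used."""
    wanted = set(node_tags.split())
    for e in entries:
        if e.tags & wanted:
            return e
    return next(e for e in entries if e.is_default)


# Constructed sample: a regional deployment with a default host and two tagged hosts.
HOSTS = [
    HostEntry("ldap-central.example.com", 636, frozenset(), is_default=True),
    HostEntry("ldap-east.example.com", 636, frozenset({"us-east"})),
    HostEntry("ldap-west.example.com", 636, frozenset({"us-west", "ca-west"})),
]

if __name__ == "__main__":
    validate_tags(HOSTS)
    print(parse_hostnames("10.10.10.101:1389 ldap2.example.com", use_ldaps=False))
    print(select_host(HOSTS, "us-west").host)      # tagged match
    print(select_host(HOSTS, "eu-central").host)   # no match -> default node
```

Running `validate_tags` against the configured entries before saving catches a duplicated tag, which the administrative console would otherwise reject only at save time, and `select_host` shows which directory server each regional node will actually talk to.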
    Use LDAPS

    When selected, PingFederate connects to the directory server using LDAPS. This selection applies equally to all servers specified in the Hostname(s) field.

    Important:

    We recommend that all LDAP connections be secured by using LDAPS.

    Note:

    If you want to enable the password change, password reset, or account unlock features in the HTML Form Adapter against Microsoft Active Directory, you must secure the connection to your directory server using LDAPS. Microsoft Active Directory requires this level of security to allow password changes.

    This check box is not selected by default.

    Use DNS SRV Record

    When this check box is selected, PingFederate uses DNS SRV records to locate the directory server, based on the domain defined in the Hostname(s) field and on whether Use LDAPS is selected. You can fine-tune the TTL value and the record prefixes on the Advanced LDAP Options screen.

    Note:

    When the DNS returns multiple SRV records, PingFederate uses the record with the lowest-numbered priority value and fails over to the record with the next lowest priority value. If multiple records share the same priority value, PingFederate uses the record with the highest-numbered weight value.

    PingFederate repeats this process until it establishes a connection or fails to connect to any directory server after taking all records into consideration.

    This check box is not selected by default.
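The SRV selection and failover order in the note above is easy to get wrong when reasoning about which server a node will reach first. The following added example (mine, not PingFederate code) orders a set of SRV records exactly as the note describes, lowest priority first and highest weight first within equal priorities, then walks them with a simulated connector until one succeeds. The record set is constructed and no DNS or network calls are made. Note that this deliberately follows the page's description rather than the weighted-random selection RFC 2782 clients normally use among equal priorities.

```python
"""Model of the DNS SRV ordering and failover described above (added example, not PingFederate code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SrvRecord:
    """The fields of one DNS SRV record."""
    priority: int
    weight: int
    port: int
    target: str


def order_srv_records(records: list[SrvRecord]) -> list[SrvRecord]:
    """Return the records in the order the page says they are tried:
    ascending priority, and within a priority descending weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def connect_with_failover(
    records: list[SrvRecord], try_connect: Callable[[str, int], bool]
) -> Optional[tuple[str, int]]:
    """Walk the ordered records until one connection attempt succeeds.

    Returns the (target, port) that connected, or None when every record
    has been tried and none worked, which is the exhaustion case in the note.
    """
    for r in order_srv_records(records):
        if try_connect(r.target, r.port):
            return (r.target, r.port)
    return None


def simulated_connect(down: set[str]) -> Callable[[str, int], bool]:
    """Build a fake connector that fails for hosts listed in `down`."""
    return lambda host, port: host not in down


# Constructed sample: what an SRV lookup for the domain in Hostname(s) might return.
SAMPLE_RECORDS = [
    SrvRecord(priority=10, weight=50, port=636, target="ldap1.example.com"),
    SrvRecord(priority=0, weight=10, port=636, target="ldap-primary.example.com"),
    SrvRecord(priority=10, weight=70, port=636, target="ldap2.example.com"),
    SrvRecord(priority=20, weight=0, port=636, target="ldap-dr.example.com"),
]

if __name__ == "__main__":
    print([r.target for r in order_srv_records(SAMPLE_RECORDS)])
    # Primary is down and the heavier priority-10 host is down too.
    print(connect_with_failover(
        SAMPLE_RECORDS,
        simulated_connect({"ldap-primary.example.com", "ldap2.example.com"}),
    ))
```

With the sample records, the attempt order is ldap-primary (priority 0), then ldap2 before ldap1 (both priority 10, weight 70 beats 50), then ldap-dr; a mistake in priority or weight values in DNS therefore silently changes which directory server receives the bind.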

    Follow LDAP Referrals

    Select this check box to let the datastore follow LDAP referrals on Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server.

    Note:

    PingFederate always follows LDAP referrals from PingDirectory, in line with the recommended PingDirectory configuration.

    LDAP Type

    (Required)

    If you are using this datastore for outbound provisioning and your directory server is PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server, select the applicable type from the list so that PingFederate can pre-populate many provisioning settings on the Outbound Provisioning > Channel > Source Settings screen.

    Tip:

    If your directory server is not one of the directory servers named above, you may define a custom LDAP Type to streamline the outbound provisioning configuration.

    The LDAP type is also used to enable password-change messaging between Microsoft Active Directory and PingFederate when an HTML Form Adapter instance is used.

    Bind Anonymously

    Select this check box if your directory server supports anonymous binding and no credentials are needed to access the directory server. When selected, the user DN and password are not required.

    Tip:

    For inbound provisioning, because PingFederate needs to manage local user records, your directory server likely requires a specific service account to handle the communication between PingFederate and the target directory server. If you choose an anonymous binding, ensure that this access level provides permission to search the directory for user-account information.

    This check box is not selected by default.

    User DN

    The username credential required to access the directory server.

    Important:

    The service account must have permission to search the directory for user-account information. If your use cases involve reading from the directory server without creating, updating, or deleting any records, consider using a service account with read-only access.

    For inbound provisioning, a service account with permission to create, read, update, and delete (if applicable) users (and groups, if applicable) is required.

    When connecting to a Microsoft Active Directory server, enter a Microsoft Active Directory user account; do not use a computer account.

    When connecting to PingDirectory, Oracle Unified Directory, or Oracle Directory Server, configure proxied authorization for the service account on the directory server if you intend to enable self-service password reset in any HTML Form Adapter instances that use this datastore. For more information, see Configuring proxied authorization.

    Password

    The password credential required to access the directory server.

    Mask Values in Log

    Determines whether all attribute values returned through this datastore should be masked in PingFederate logs.

    Applicable only when editing an existing datastore.

  2. Click Test Connection to determine whether the administrative node can communicate with the specified datastore.

    Note:

    Datastore validation is no longer performed automatically during configuration. This lets you configure a datastore without requiring a successful connection between the administrative node and the datastore, and you can save the datastore even if the connection is not currently successful.

  3. Optional: Click Advanced. If you choose an anonymous binding, configure the additional settings on the Advanced LDAP Options screen.
  4. Click Save to keep your configuration.