The Source Settings screen shows the default configuration of the datastore selected on the Source screen, including settings used by the PingFederate provisioner to determine when user information is added, changed, or removed.
See the following table for more information about each field.
Field | Description |
---|---|
Entry GUID Attribute | The name of the attribute in the datastore representing the user's Globally Unique Identifier. |
GUID Type | Indicates whether the GUID is stored in binary or text format. Active Directory is always binary. Other LDAP stores most often use text. |
Member of Group Attribute | A multivalued user attribute containing the DNs of the groups to which an entry belongs. This attribute does not apply to some LDAP servers, including Oracle Unified Directory and Oracle Directory Server. The attribute below is used instead. PingDirectory and Microsoft Active Directory use both values to provide a two-way mapping between User and Group objects. |
Group Member Attribute | The name of a multivalued group attribute used to track membership in the group using either DN or GUID values. |
User objectClass | The LDAP object class to which user entries belong, used to restrict search results to user entries only. |
Group objectClass | The LDAP object class to which group entries belong, used to restrict search results to group entries only. |
Changed Users/Groups Algorithm | The method by which PingFederate determines whether user records have been updated or new records added, thus requiring provisioning updates at the target site. The three choices are: Active Directory USN – For Active Directory only. This algorithm queries for update sequence numbers on user records that are larger than the one recorded the last time records were checked. Timestamp – Queries for timestamps on user records that are not older than the last time records were checked. This check is more efficient from the point of view of the PingFederate provisioner but can be more time-consuming on the LDAP side, particularly with Oracle Unified Directory and Oracle Directory Server. Timestamp No Negation – Queries for timestamps on user records that are newer than the last time records were checked. This algorithm is recommended for Oracle Unified Directory and Oracle Directory Server. |
USN Attribute | The name of the attribute used to store the update sequence number—applicable when the Active Directory algorithm is chosen above. |
Timestamp Attribute | The name of the attribute used to store the timestamp on user records. |
Account Status Attribute | The name of the attribute in which the user's account status (active or inactive) is stored. For example, Active Directory = userAccountControl and Oracle Directory Server = nsaccountlock. |
Account Status Algorithm | The method by which PingFederate determines a user's account status. The values are: Active Directory Bitmap – For Active Directory, which uses a bitmap for each user entry. For more information about Flag – For Oracle Unified Directory, Oracle Directory Server, and other LDAP directories that use a separate attribute to store the user's status. When this option is selected, the Flag Comparison Value and Flag Comparison Status fields below are also used. |
Default Status | Indicates the user's status if the attribute is missing. |
Flag Comparison Value | Indicates the value of the attribute (for example, nsaccountlock) that PingFederate expects to be returned. The value is case-sensitive. Used when the Account Status Algorithm is set to Flag. |
Flag Comparison Status | Indicates whether the user is enabled or disabled when the flag has the value specified in the Flag Comparison Value field. Setting the value to true equals enabled, while setting the value to false equals disabled. For example, if the Account Status Attribute is set to Used when the Account Status Algorithm is set to Flag. |
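The following is an added example, not PingFederate's own code, that models how the fields in the table above drive what the provisioner does on each run: building the "changed users" search filter for each of the three algorithms, deciding a user's account status under the Active Directory Bitmap and Flag algorithms, and resolving group membership from whichever side of the user/group mapping the directory supports. The exact filter strings PingFederate sends are not shown on this page, so the filter shapes (a `>=` on the USN, a negated `<=` for Timestamp, a plain `>=` for Timestamp No Negation) are this example's reading of the algorithm descriptions, and the treatment of a present-but-non-matching flag value as the opposite status is likewise an assumption. The sample entries are constructed, not taken from a live directory.

```python
# Added example (not PingFederate code): how Source Settings fields map to
# LDAP filters, account-status decisions and group-membership resolution.
from datetime import datetime, timezone

# userAccountControl bit documented by Microsoft: ACCOUNTDISABLE
ACCOUNTDISABLE = 0x0002

# Constructed timestamp of the "previous run" used in the examples below.
LAST_RUN = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def generalized_time(dt):
    """Format a datetime as LDAP GeneralizedTime in UTC, e.g. 20240102030405Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def changed_users_filter(algorithm, user_object_class, last_check,
                         usn_attr="uSNChanged", ts_attr="modifyTimestamp"):
    """Build the search filter for user entries changed since last_check.

    last_check is the highest USN seen (int) for the AD algorithm, or the
    datetime of the previous run for the two timestamp algorithms.
    Filter shapes are this example's assumption, not PingFederate's output.
    """
    scope = f"(objectClass={user_object_class})"   # User objectClass field
    if algorithm == "Active Directory USN":
        # LDAP filters have no strict '>', so "larger than the last USN"
        # is written as ">= last + 1".
        return f"(&{scope}({usn_attr}>={int(last_check) + 1}))"
    stamp = generalized_time(last_check)
    if algorithm == "Timestamp":
        # "not older than" expressed with a negated '<='. The negation is
        # what makes this costly on servers such as OUD and ODSEE.
        return f"(&{scope}(!({ts_attr}<={stamp})))"
    if algorithm == "Timestamp No Negation":
        # Same selection as a plain '>=' that the server can serve from an
        # index. Note the boundary differs: an entry stamped exactly at
        # last_check matches here but not under the negated form.
        return f"(&{scope}({ts_attr}>={stamp}))"
    raise ValueError(f"unknown algorithm: {algorithm}")


def account_enabled(entry, status_attr, algorithm, default_enabled=True,
                    flag_value=None, flag_status=None):
    """Decide whether a user is enabled from its account status attribute.

    entry is a dict of attribute name -> string value. default_enabled is
    the Default Status field and applies only when the attribute is absent.
    """
    raw = entry.get(status_attr)
    if raw is None:
        return default_enabled
    if algorithm == "Active Directory Bitmap":
        # userAccountControl is a bitmap: disabled when ACCOUNTDISABLE is
        # set, whatever other bits (e.g. DONT_EXPIRE_PASSWORD) are present.
        return (int(raw) & ACCOUNTDISABLE) == 0
    if algorithm == "Flag":
        # Flag Comparison Value is compared case-sensitively. On a match,
        # Flag Comparison Status (True = enabled) is the answer; a value that
        # does not match is taken to mean the opposite status (assumption).
        return flag_status if raw == flag_value else not flag_status
    raise ValueError(f"unknown algorithm: {algorithm}")


def group_members(group_dn, users, groups, member_of_attr="memberOf",
                  group_member_attr="member"):
    """Resolve a group's member DNs from whichever side carries the link.

    Directories without a memberOf-style attribute only have the group
    side; AD and PingDirectory carry both, and a sound two-way mapping must
    give the same answer from either side, so a mismatch is reported.
    """
    from_group = set(groups.get(group_dn, {}).get(group_member_attr, []))
    from_users = {dn for dn, attrs in users.items()
                  if group_dn in attrs.get(member_of_attr, [])}
    if from_group and from_users and from_group != from_users:
        raise ValueError(f"user/group mapping for {group_dn} is inconsistent")
    return from_group | from_users


# Constructed sample entries (not real directory data).
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
ADMINS = "CN=Admins,OU=Groups,DC=example,DC=com"
AD_USERS = {
    ALICE: {"userAccountControl": "512", "memberOf": [ADMINS]},   # NORMAL_ACCOUNT
    BOB: {"userAccountControl": "514"},                           # 512 | ACCOUNTDISABLE
}
AD_GROUPS = {ADMINS: {"member": [ALICE]}}

if __name__ == "__main__":
    print(changed_users_filter("Active Directory USN", "user", 1000))
    print(changed_users_filter("Timestamp No Negation", "inetOrgPerson", LAST_RUN))
    for dn, attrs in AD_USERS.items():
        print(dn, "enabled" if account_enabled(attrs, "userAccountControl",
              "Active Directory Bitmap") else "disabled")
    print(sorted(group_members(ADMINS, AD_USERS, AD_GROUPS)))
```

The two checks worth carrying into a real deployment are the boundary behaviour of the timestamp filters (pick one form and keep it across runs, or the entry changed exactly at the previous check time may be skipped or processed twice) and the case-sensitivity of the Flag comparison: an `nsaccountlock` value of `TRUE` does not match a Flag Comparison Value of `true`, and the user would then be treated as enabled.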
If you are using PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server, in most cases no changes are needed on this screen unless your datastore uses a customized schema.
If you are using a different LDAP directory, you must supply the required information on this screen unless you have defined a template for the datastore. (For more information, see the sample.template.txt in the <pf_install>/pingfederate/server/default/conf/template/ldap-templates directory.)
- Modify the settings, as needed.
- Click Next.