Before you start setting up an LDAP gateway, ensure that you have the following information.
Details about the directory
You’ll need the following information about the LDAP directory:
- Host name and port for all server instances.
- A service account from the directory server that the PingOne gateway will use to access the directory (bind DN and bind password). The service account must be able to search for users in the directory by username.
- TLS-related security options, specifically, whether the directory instances support TLS and StartTLS. If the TLS certificates for the servers were signed by a non-default certificate authority, then you must have the CA's signing certificates available to upload to PingOne.
- A method for correlating a directory user with a PingOne user, including the base DN for issuing searches against the directory and the attribute that corresponds to the PingOne username attribute.
Docker
You can run the gateway in a Docker container or as a standalone Java application. If you plan to run the gateway in a Docker container, ensure that you have Docker installed on the computer that will run the gateway.
System requirements
The computer, virtual machine, or Docker environment that will run the gateway should have the following resources dedicated to the gateway.
Resource | Requirement
---|---
Processor | 2 CPUs or virtual CPUs
RAM | 1 GB
Storage | 1 GB
Gateway access
The gateway requires access to the LDAP directory server over the network as well as the ability to initiate outbound requests over the internet to establish a WebSocket Secure connection to PingOne.
The WebSocket Secure address varies depending on your region. Ensure that the gateway can access the WebSocket Secure address for your region.
Region | Address
---|---
North America - US | wss://gateways.pingone.com/
North America - Canada | wss://gateways.pingone.ca/
Europe | wss://gateways.pingone.eu/
Asia Pacific | wss://gateways.pingone.asia/
PingOne user privileges
The administrator setting up the gateway should have the Environment admin role. To confirm, open the PingOne console, locate the administrator identity, and confirm its roles.
Kerberos
If you are using Kerberos for authentication with Active Directory, you’ll need:
- Service Account User Principal Name
- Service Account Password
- Service Principal Name
For more information, see Creating SPNs.
The Service Account must be configured with AES 128 bit or 256 bit encryption. To configure encryption in Kerberos, do the following:
- Start Active Directory Users and Computers.
- View the properties of the Service Account you created for the gateway.
- Click the Account tab.
- Under the Account Options section, select one or both of the following:
  - Kerberos AES 128 bit encryption
  - Kerberos AES 256 bit encryption
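The same prerequisites can be verified and, where needed, applied from PowerShell with the RSAT ActiveDirectory module. This is an added example, not part of the PingOne documentation; the account name `svc-pingone-gateway` is an assumption, so replace it with the service account you created for the gateway.

```powershell
# Added example (not from the PingOne documentation): check the gateway service
# account for a UPN, a registered SPN and AES Kerberos encryption, enabling AES
# if it is missing. Requires the RSAT ActiveDirectory module and rights to read
# and modify the account.
Import-Module ActiveDirectory

$accountName = 'svc-pingone-gateway'   # assumption: sAMAccountName of the gateway service account

$acct = Get-ADUser -Identity $accountName `
    -Properties UserPrincipalName, ServicePrincipalName, 'msDS-SupportedEncryptionTypes'

# msDS-SupportedEncryptionTypes is a bitmask; the two AES flags are:
$AES128 = 0x08
$AES256 = 0x10
$encTypes = [int]($acct.'msDS-SupportedEncryptionTypes')   # null (unset) reads as 0

$hasAes = ($encTypes -band ($AES128 -bor $AES256)) -ne 0
if (-not $hasAes) {
    # Corresponds to ticking both AES checkboxes on the Account tab in
    # Active Directory Users and Computers.
    Set-ADUser -Identity $accountName -KerberosEncryptionType AES128, AES256
    $hasAes = $true
}

if (-not $acct.UserPrincipalName) {
    Write-Warning "$accountName has no User Principal Name; the gateway needs one."
}
if (-not $acct.ServicePrincipalName) {
    Write-Warning "$accountName has no Service Principal Name registered; see Creating SPNs."
}

# Summary of the three values the Kerberos section asks you to collect.
[pscustomobject]@{
    UserPrincipalName     = $acct.UserPrincipalName
    ServicePrincipalNames = ($acct.ServicePrincipalName -join ', ')
    AesEnabled            = $hasAes
}
```

Re-run `Get-ADUser` with `-Properties 'msDS-SupportedEncryptionTypes'` after the change to confirm the AES bits (0x08 and 0x10) are now set.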
For more information, see Kerberos authentication.