Set up the service account to manage permissions for the client:

  1. Set the service account as the bind DN in the LDAP gateway.

    The service account should be in a separate OU from the target users (Employees in this example).

    [Screen capture: the service account in Active Directory]
  2. Grant Read permissions for each Search Base DN in the gateway’s user types.
  3. For inbound provisioning through the LDAP gateway, ensure that the service account can read deleted entries (cn=Deleted Objects) to keep PingOne in sync when objects are deleted in AD:
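
An added example (not from the original page) that carries out steps 2 and 3 from a domain-joined Windows host with PowerShell: it grants the service account read-only rights on one search base and on the Deleted Objects container with dsacls, then verifies the result as the service account itself. The domain DN, OU and account name are assumed placeholders.

```powershell
# Added example, not PingOne's own procedure: least-privilege read access for an
# LDAP gateway service account. Run in an elevated session as a Domain Admin.
# All names below are assumed placeholders.
$domainDn   = 'DC=example,DC=com'
$account    = 'EXAMPLE\svc-ldapgw'          # the account configured as the bind DN
$searchBase = "OU=Employees,$domainDn"      # one Search Base DN from a gateway user type
$deletedObj = "CN=Deleted Objects,$domainDn"

# Step 2: Generic Read (GR) on the search base, inherited by the OU and every
# child object (/I:T). GR covers list-contents and read-property rights only;
# it grants no write, create or delete rights.
dsacls $searchBase /I:T /G "${account}:GR"

# Step 3: Deleted Objects is owned by SYSTEM and has no inheritable ACEs, so
# ownership must be taken first; then grant only List Contents + Read Property.
dsacls $deletedObj /takeownership
dsacls $deletedObj /G "${account}:LCRP"

# Verify: show the ACEs that now name the service account on both objects.
dsacls $searchBase | Select-String -SimpleMatch $account
dsacls $deletedObj | Select-String -SimpleMatch $account

# Functional check as the service account: tombstoned entries must be readable,
# otherwise deletions in AD will not propagate through inbound provisioning.
$cred = Get-Credential -UserName $account -Message 'Service account password'
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -SearchBase $deletedObj -Properties lastKnownParent, whenChanged -Credential $cred |
    Select-Object Name, lastKnownParent, whenChanged
```

If the final query returns nothing on a domain with known deletions, the LCRP grant did not take effect; re-run the dsacls listing and confirm the account has List Contents and Read Property on the container.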