PingDirectory

Synchronize with Active Directory and other directory servers

PingDataSync supports full synchronization of newly created or modified accounts, including native password changes, between directory servers, relational databases, and Microsoft Active Directory (AD) systems.

Considerations

There are three key considerations when synchronizing between AD and PingDirectory:

The realtime-sync tool

The realtime-sync tool uses the AD DirSync control to detect changes on entries. AD only honors searches that carry this control when they are issued at the top of the directory information tree (DIT), so you must point your AD Sync Source at the top of the AD tree for realtime-sync to work.

Distinguished name (DN) mapping

The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be easily synchronized.

For example, cn=Users is a container organizational unit (OU) that doesn’t easily convert into a standard OU. Likewise, cn=Builtin is a top-level domain that also contains built-in groups without a purpose in PingDirectory and that don’t need to be synchronized.

To avoid synchronizing entries that are native and apply only to AD, point your Sync Classes at specific OUs.

Schema and attribute mapping

The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.

The following attributes are among those that can be directly synchronized:

  • cn

  • sn

  • mail

Other attributes, such as the AD attribute samAccountName, aren’t defined in PingDirectory by default. If you don’t define schema for such an attribute, you can map it to a similar attribute, such as the PingDirectory uid attribute. Create an attribute mapping for each attribute that you want to synchronize between AD and PingDirectory.
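The two mapping rules above (point Sync Classes at specific OUs so AD-native containers such as cn=Users and cn=Builtin are skipped, and map samAccountName onto uid because PingDirectory has no schema for it) can be expressed as one small transform. The following is an added example, not PingDataSync code; the base DNs, the OU names and the attribute map are assumptions chosen for illustration.

```python
"""Map an Active Directory entry onto a PingDirectory entry.

Added example. The base DNs, Sync Class OUs and attribute map below are
assumed values, not anything read from PingDataSync.
"""
from __future__ import annotations

import re

AD_BASE_DN = "DC=example,DC=com"            # assumed AD domain root
PD_BASE_DN = "ou=people,dc=example,dc=com"  # assumed PingDirectory target branch

# Top-level containers under the AD root that a Sync Class is pointed at
# (assumed). Anything else directly under the root, such as cn=Users or
# cn=Builtin, is AD-native and is left alone.
SYNC_CLASS_OUS = ("ou=people", "ou=contractors")

# AD attribute -> PingDirectory attribute, compared case-insensitively.
# cn, sn and mail exist on both sides; samAccountName has no PingDirectory
# schema definition by default, so it is mapped onto uid.
ATTRIBUTE_MAP = {
    "cn": "cn",
    "sn": "sn",
    "mail": "mail",
    "samaccountname": "uid",
}

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, normalised to lower case for comparison."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]


def in_sync_scope(ad_dn: str) -> bool:
    """True when the entry sits under one of the Sync Class OUs.

    The RDN immediately beneath the domain root identifies the container, so
    nested OUs under a synced OU are in scope while cn=Users and cn=Builtin
    are not.
    """
    rdns = split_dn(ad_dn)
    base = split_dn(AD_BASE_DN)
    if rdns[-len(base):] != base or len(rdns) < len(base) + 2:
        return False
    container = rdns[-len(base) - 1]
    return container in SYNC_CLASS_OUS


def map_entry(ad_dn: str, ad_attrs: dict) -> tuple[str, dict] | None:
    """Return (PingDirectory DN, attributes), or None if the entry is skipped.

    Attributes without a mapping are dropped rather than written through,
    since PingDirectory has no schema for them.
    """
    if not in_sync_scope(ad_dn):
        return None
    pd_attrs = {}
    for name, value in ad_attrs.items():
        target = ATTRIBUTE_MAP.get(name.lower())
        if target is None:
            continue  # unmapped, AD-only attribute
        pd_attrs[target] = value
    uid = pd_attrs.get("uid")
    if not uid:
        return None  # no samAccountName, so no target DN can be built
    # DN mapping: the target entry is keyed on uid under the assumed branch.
    return f"uid={uid},{PD_BASE_DN}", pd_attrs


if __name__ == "__main__":
    # Constructed sample entries: one in a synced OU, one under cn=Users.
    print(map_entry("CN=Jane Doe,OU=People,DC=example,DC=com",
                    {"cn": "Jane Doe", "sn": "Doe", "mail": "jane@example.com",
                     "sAMAccountName": "jdoe", "objectGUID": b"\x01"}))
    print(map_entry("CN=Guest,CN=Users,DC=example,DC=com", {"cn": "Guest"}))
```

The scope check looks only at the container directly beneath the domain root, which is what pointing a Sync Class at an OU achieves: entries in sub-OUs of a synced OU are included, entries under cn=Users or cn=Builtin are not.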

Known limitations and workarounds

Tracking group membership changes in AD

The virtual attribute memberOf exists in an AD user entry and contains a list of that user’s group memberships. When group membership changes, AD updates only the group entry member attribute. Therefore, if PingDataSync monitors only memberOf for group membership changes in AD, it won’t detect them.

You can try the following workarounds:

  • Run the resync command periodically.

  • Manually sync the groups between AD and PingDirectory.

    This requires the ability to map DNs between AD and PingDirectory based on the available information, which is often limited.
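Because memberOf is virtual, the only stored change when a user joins or leaves an AD group is on the group entry's member attribute. The manual workaround therefore means diffing group entries and translating each member DN to its PingDirectory counterpart. The following is an added example, not PingDataSync code; the group snapshots, user DNs and the DN lookup table are constructed, and the table is deliberately incomplete to show the limited-information case the text mentions.

```python
"""Derive per-user membership changes from an AD group entry change.

Added example, not PingDataSync code. All DNs and the lookup table are
constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed snapshots of one AD group entry before and after a change.
# Only the group's member attribute differs; the member users' own entries
# (and therefore their virtual memberOf) do not change at all.
GROUP_DN = "CN=App Admins,OU=Groups,DC=example,DC=com"
GROUP_BEFORE = {"member": [
    "CN=Jane Doe,OU=People,DC=example,DC=com",
    "CN=Bob Roe,OU=People,DC=example,DC=com",
]}
GROUP_AFTER = {"member": [
    "CN=Jane Doe,OU=People,DC=example,DC=com",
    "CN=Ann Lee,OU=People,DC=example,DC=com",
    "CN=Svc Build,CN=Users,DC=example,DC=com",  # AD-native account, never synced
]}

# Constructed AD DN -> PingDirectory DN table, e.g. recorded when each user
# was synced. Incomplete on purpose: not every member DN can be mapped.
DN_LOOKUP = {
    "cn=jane doe,ou=people,dc=example,dc=com": "uid=jdoe,ou=people,dc=example,dc=com",
    "cn=bob roe,ou=people,dc=example,dc=com": "uid=broe,ou=people,dc=example,dc=com",
    "cn=ann lee,ou=people,dc=example,dc=com": "uid=alee,ou=people,dc=example,dc=com",
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas not escaped with a backslash


def normalise_dn(dn: str) -> str:
    """Lower-case and trim each RDN so DNs compare reliably."""
    return ",".join(rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn))


def diff_members(before: dict, after: dict) -> tuple[list[str], list[str]]:
    """Added and removed member DNs, read from the group entry's member attribute."""
    old = {normalise_dn(dn) for dn in before.get("member", [])}
    new = {normalise_dn(dn) for dn in after.get("member", [])}
    return sorted(new - old), sorted(old - new)


def group_change_to_mods(target_group_dn: str, before: dict, after: dict,
                         dn_lookup: dict) -> tuple[list[tuple], list[str]]:
    """Translate one group change into per-user changes for the target.

    Returns (mods, unresolved). Each mod is (target_user_dn, "add" | "delete",
    target_group_dn). unresolved lists AD member DNs with no known mapping,
    which a periodic resync has to pick up instead.
    """
    added, removed = diff_members(before, after)
    mods, unresolved = [], []
    for op, dns in (("add", added), ("delete", removed)):
        for ad_dn in dns:
            target = dn_lookup.get(ad_dn)
            if target is None:
                unresolved.append(ad_dn)
            else:
                mods.append((target, op, target_group_dn))
    return mods, unresolved


if __name__ == "__main__":
    # Assumed target group DN on the PingDirectory side.
    mods, unresolved = group_change_to_mods(
        "cn=app admins,ou=groups,dc=example,dc=com",
        GROUP_BEFORE, GROUP_AFTER, DN_LOOKUP)
    for mod in mods:
        print("apply", mod)
    for dn in unresolved:
        print("unresolved, needs resync:", dn)
```

A watcher that compares the user entries before and after this change sees identical attribute sets, which is exactly why monitoring memberOf alone misses it; the group entry is the one that must be watched and diffed.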

Syncing passwords from LDAP servers to AD

You can sync passwords from PingDirectory to AD, but syncing passwords directly from other Lightweight Directory Access Protocol (LDAP) servers to AD isn’t supported. You should sync these passwords to PingDirectory first, which allows you to then sync them to AD.

Configuration information

For configuration information and procedures for synchronizing a PingDirectory server, or another LDAP source or target server, with Microsoft AD systems, refer to the following:

  • From PingDirectory to AD

  • From AD to PingDirectory