PingDirectory

Synchronize with Active Directory and other directory servers

PingDataSync supports full synchronization for newly created or modified accounts with native password changes between directory server, relational databases, and Microsoft systems.

Considerations

There are three key considerations when synchronizing between AD and PingDirectory:

The realtime-sync tool

The realtime-sync tool uses the AD DirSync control to detect changes on entries, which requires the control to be searched at the top of the directory information tree (DIT). Because of this, you must point your AD Sync Source to the top of the AD tree for realtime-sync to work.

Distinguished name (DN) mapping

The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be easily synchronized.

For example, cn=Users is a container organizational unit (OU) that doesn’t easily convert into a standard OU. Likewise, cn=Builtin is a top-level domain that also contains built-in groups without a purpose in PingDirectory and that don’t need to be synchronized.

To avoid synchronizing entries that are native and apply only to AD, point your Sync Classes at specific OUs.

Schema and attribute mapping

The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.

The following attributes are among those that can be directly synchronized:

  • cn

  • sn

  • mail

    Other attributes, such as the AD attribute {{samAccountName}} aren’t defined in PingDirectory by default, and if you don’t define schema for the attribute, you can map it to a similar attribute such as the PingDirectory uid attribute. You should create attribute mappings for each attribute that you want to synchronize between AD and PingDirectory.

Configuration information

For configuration information and procedures for synchronization between PingDirectory server or other source servers or targets with Microsoft AD systems, see the following: