Synchronize with Active Directory and other directory servers
PingDataSync supports full synchronization of newly created or modified accounts, including native password changes, between directory servers, relational databases, and Microsoft Active Directory (AD) systems.
Considerations
There are three key considerations when synchronizing between AD and PingDirectory:
- The realtime-sync tool
  The realtime-sync tool uses the AD DirSync control to detect changes on entries, which requires the control to be searched at the top of the directory information tree (DIT). Because of this, you must point your AD Sync Source at the top of the AD tree for realtime-sync to work.
- Distinguished name (DN) mapping
  The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be easily synchronized.
  For example, cn=Users is a container organizational unit (OU) that doesn’t easily convert into a standard OU. Likewise, cn=Builtin is a top-level domain that also contains built-in groups without a purpose in PingDirectory and that don’t need to be synchronized. To avoid synchronizing entries that are native and apply only to AD, point your Sync Classes at specific OUs.
- Schema and attribute mapping
  The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.
  The following attributes are among those that can be directly synchronized:
  - cn
  - sn
  - mail
  Other attributes, such as the AD attribute samAccountName, aren’t defined in PingDirectory by default. If you don’t define schema for such an attribute, you can map it to a similar attribute, such as the PingDirectory uid attribute. You should create attribute mappings for each attribute that you want to synchronize between AD and PingDirectory.
Known limitations and workarounds
- Tracking group membership changes in AD
  The virtual attribute memberOf exists in an AD user entry and contains a list of that user’s group memberships. When group membership changes, AD updates only the member attribute of the group entry. Therefore, if PingDataSync monitors only memberOf for group membership changes in AD, it won’t detect them. You can try the following workarounds:
  - Run the resync command periodically.
  - Manually sync the groups between AD and PingDirectory. This requires the ability to map DNs between AD and PingDirectory based on the available information, which is often limited.
- Syncing passwords from LDAP servers to AD
  You can sync passwords from PingDirectory to AD, but syncing passwords directly from other Lightweight Directory Access Protocol (LDAP) servers to AD isn’t supported. Sync these passwords to PingDirectory first, and then sync them from PingDirectory to AD.
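The attribute mapping (cn, sn, mail direct; samAccountName to uid) and the manual group-sync workaround above, worked through as an added Python example that is not PingDataSync code. It assumes a constructed PingDirectory user branch ou=People,dc=example,dc=com and constructed AD entries; the DN map built from mapped users is the "available information" the workaround relies on, and AD members that cannot be mapped (here an entry under cn=Users, which is not synchronized) are reported rather than silently dropped.

```python
from typing import Dict, List, Set, Tuple

# Attribute mapping from the page: cn, sn and mail carry over directly;
# sAMAccountName (samAccountName above) has no PingDirectory schema by
# default, so it is mapped to uid.
ATTRIBUTE_MAP = {"cn": "cn", "sn": "sn", "mail": "mail", "sAMAccountName": "uid"}
# Constructed base DN for the PingDirectory user branch (assumption).
PD_USER_BASE = "ou=People,dc=example,dc=com"

def map_user(ad_entry: Dict[str, str]) -> Dict[str, str]:
    """Translate one AD user entry into a PingDirectory entry. AD-only
    attributes with no mapping (objectGUID here) are dropped, not synced."""
    pd = {ATTRIBUTE_MAP[k]: v for k, v in ad_entry.items() if k in ATTRIBUTE_MAP}
    pd["dn"] = f"uid={pd['uid']},{PD_USER_BASE}"
    return pd

def build_dn_map(ad_users: List[Dict[str, str]]) -> Dict[str, str]:
    """AD user DN -> PingDirectory user DN. This is the DN mapping the
    manual group workaround needs; DNs are compared case-insensitively."""
    return {u["dn"].lower(): map_user(u)["dn"] for u in ad_users}

def reconcile_group(ad_members: List[str], pd_members: Set[str],
                    dn_map: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Compare an AD group's member attribute (the only place AD records a
    membership change) with the PingDirectory group's current members.
    Returns (DNs to add, DNs to remove, AD member DNs that could not be mapped)."""
    wanted: Set[str] = set()
    unmapped: Set[str] = set()
    for dn in ad_members:
        pd_dn = dn_map.get(dn.lower())
        if pd_dn:
            wanted.add(pd_dn)
        else:
            unmapped.add(dn)  # e.g. an entry under cn=Users that was never synced
    return wanted - pd_members, pd_members - wanted, unmapped

# Constructed sample data: two AD users, one AD group, and a stale PingDirectory group.
AD_USERS = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=com", "cn": "Jane Doe", "sn": "Doe",
     "mail": "jane@example.com", "sAMAccountName": "jdoe", "objectGUID": "guid-1"},
    {"dn": "CN=Bob Ray,OU=Staff,DC=example,DC=com", "cn": "Bob Ray", "sn": "Ray",
     "mail": "bob@example.com", "sAMAccountName": "bray", "objectGUID": "guid-2"},
]
AD_GROUP_MEMBERS = ["CN=Jane Doe,OU=Staff,DC=example,DC=com",
                    "CN=Svc Backup,CN=Users,DC=example,DC=com"]
PD_GROUP_MEMBERS = {"uid=bray,ou=People,dc=example,dc=com"}

if __name__ == "__main__":
    print(reconcile_group(AD_GROUP_MEMBERS, PD_GROUP_MEMBERS, build_dn_map(AD_USERS)))
```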