Mapping AD password policy state attributes to PingDirectory using dsconfig
If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use the dsconfig command to map these attributes instead of re-running the sync command.
About this task
To map AD password policy state attributes to PingDirectory attributes:
Steps
- Run dsconfig with the create-attribute-mapping option.
Example:
The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.
dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name pwdAccountLockedTime --type direct --set from-attribute:pwdAccountLockedTimeFromAD
Example:
The following example maps the AD attribute userAccountControl & (ACCOUNTDISABLE == 2) to the PingDirectory attribute ds-pwp-account-disabled.
dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name ds-pwp-account-disabled --type direct --set from-attribute:ds-pwp-account-disabled-from-ad
Example:
The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.
dsconfig create-attribute-mapping --map-name "<Microsoft Active Directory Users Attribute Map>" --mapping-name pwdChangedTime --type direct --set from-attribute:pwdChangedTimeFromAD
Learn more about synchronizing these AD attributes with PingDirectory in Synchronizing Active Directory with PingDirectory.
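The value translation behind these three mappings, as an added example that is not part of the original page or Ping Identity's code: it computes the PingDirectory values you would expect for a given AD entry, so a synced entry can be spot-checked. It assumes the AD timestamps are Windows FILETIME integers, that the target timestamps use LDAP generalized time with millisecond precision, and that ds-pwp-account-disabled holds true or false; the function names and the sample entry are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl flag referenced on this page


def filetime_to_generalized_time(raw):
    """Convert an AD large-integer timestamp to LDAP generalized time.

    Returns None for 0, which AD uses for "not locked" (lockoutTime) and
    "must change password at next logon" (pwdLastSet).
    """
    ticks = int(raw)
    if ticks <= 0:
        return None
    moment = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    millis = moment.microsecond // 1000
    return moment.strftime("%Y%m%d%H%M%S.") + f"{millis:03d}Z"


def expected_state(ad_entry):
    """Return the password policy state expected on the PingDirectory side.

    Assumption: target value formats as described in the lead-in; attributes
    whose AD value means "unset" are omitted from the result.
    """
    uac = int(ad_entry.get("userAccountControl", "0"))
    state = {
        "pwdAccountLockedTime": filetime_to_generalized_time(
            ad_entry.get("lockoutTime", "0")),
        "ds-pwp-account-disabled": "true" if uac & ACCOUNTDISABLE else "false",
        "pwdChangedTime": filetime_to_generalized_time(
            ad_entry.get("pwdLastSet", "0")),
    }
    return {name: value for name, value in state.items() if value is not None}


# Constructed sample AD entry: disabled (512 + 2), locked at 2024-01-01 00:00:00 UTC.
SAMPLE_AD_ENTRY = {
    "userAccountControl": "514",
    "lockoutTime": "133485408000000000",
    "pwdLastSet": "133485408015000000",
}

if __name__ == "__main__":
    for name, value in expected_state(SAMPLE_AD_ENTRY).items():
        print(f"{name}: {value}")
```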