Overview of configuration tasks

PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This topic describes the required configuration tasks for synchronizing changes to AD systems.

You can find an example configuration in the <server-root>/config/sample-dsconfig-batch-files/reference-bidirectional-sync-activedirectory-pingdirectory.dsconfig file.

Enable SSL connections

If you are synchronizing passwords between systems, you must enable SSL/TLS (LDAPS) on the AD domain controller. Active Directory accepts modifications to its password attribute only over an encrypted connection, so PingDataSync needs LDAPS to securely propagate the cn=Sync User account password (and other user passwords) to the target. Verify that the PingDataSync host trusts the domain controller's certificate before you continue.
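As an added example (not Ping Identity's code), a stdlib-only Python preflight for this requirement. It performs the same TLS handshake an LDAPS client would against port 636 on the domain controller, with chain and hostname verification, reports certificate expiry and name-coverage problems, and shows the quoted UTF-16LE encoding AD requires for unicodePwd, the attribute that gets written when a password is pushed to AD and the reason the encrypted channel is mandatory. The host name dc01.example.com and the sample certificate values used in the checks are constructed for illustration.

```python
"""Preflight for the LDAPS requirement on an AD domain controller.

Added example, not Ping Identity code. Host names and the sample
certificate values used by callers are constructed for illustration.
"""
import socket
import ssl
import sys
import time


def unicode_pwd_value(password: str) -> bytes:
    """AD passwords are written through the unicodePwd attribute, which must
    be the password wrapped in double quotes and encoded as UTF-16LE. AD only
    accepts that modification over an encrypted (LDAPS/StartTLS) session,
    which is why SSL on the DC is a hard requirement for password sync."""
    return f'"{password}"'.encode("utf-16-le")


def _san_matches(san: str, host: str) -> bool:
    """Match a DNS subjectAltName entry against a host, supporting one
    leading wildcard label only (the common DC certificate shape)."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def certificate_warnings(cert: dict, host: str, now: float, min_days: int = 30) -> list:
    """Inspect a certificate in the dict form returned by
    ssl.SSLSocket.getpeercert() and return human-readable problems.
    Pure function, so it can be exercised without a live DC."""
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        problems.append("certificate has no DNS subjectAltName")
    elif not any(_san_matches(s, host) for s in sans):
        # The ssl module already enforces this during the handshake; this is
        # a readable report of what the certificate actually covers.
        problems.append(f"{host} is not covered by SANs {sans}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems


def ldaps_preflight(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection to the DC the way an LDAPS client would
    and return the negotiated protocol and peer certificate. Raises
    ssl.SSLError / OSError on failure, which is the signal an operator wants
    before running create-sync-pipe-config."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cert": tls.getpeercert()}


if __name__ == "__main__":
    # Usage: python ldaps_preflight.py dc01.example.com [ca-bundle.pem]
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    result = ldaps_preflight(target, cafile=ca)
    print("negotiated", result["protocol"])
    for warning in certificate_warnings(result["cert"], target, time.time()):
        print("WARNING:", warning)
```

Run it from the PingDataSync host, not from the domain controller, because the trust store that matters is the one PingDataSync will use; pass the CA bundle that issued the DC certificate if it is not already in the system store.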

Run the create-sync-pipe-config tool

On the PingDataSync server, use the create-sync-pipe-config tool to configure the sync pipes to communicate with the AD source or target.

Configure outbound password synchronization on a PingDirectory server sync source

After running the create-sync-pipe-config tool, determine whether outbound password synchronization from a PingDirectory server sync source is required. If so, enable the Password Encryption component on every PingDirectory server source that receives password modifications.

The PingDirectory server uses the Password Encryption component to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the AD system, which uses a different password storage scheme. The encrypted attribute appears in the changelog and gets synchronized to the other servers, but doesn’t appear in the entries.

Configure outbound password synchronization on an AD sync source

After running the create-sync-pipe-config tool, determine whether outbound password synchronization from an AD sync source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync. A PSA instance can't be pointed at multiple domain clusters.

Run the realtime-sync set-startpoint tool

The realtime-sync set-startpoint tool can take several minutes to run, because it must issue repeated searches of the AD domain controller until it has paged through all the changes and received an up-to-date cookie.

If the PSA is down for any length of time and misses a password change, that change won't be synced on recovery unless the entry's password is changed again or pass-through authentication is used.