--- title: Using the create-sync-pipe tool to configure synchronization description: You can use the create-sync-pipe-config utility to configure a Sync Pipe. After the configuration is completed, you can adjust settings using the dsconfig tool. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_use_create_sync_pipe_tool canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_use_create_sync_pipe_tool.html revdate: September 13, 2023 section_ids: about-this-task: About this task steps: Steps result: Result: next-steps: Next steps --- # Using the create-sync-pipe tool to configure synchronization You can use the `create-sync-pipe-config` utility to configure a Sync Pipe. After the configuration is completed, you can adjust settings using the `dsconfig` tool. ## About this task | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | If servers have no base entries or data, the `cn=Sync User,cn=Root DNs,cn=config` account needed to communicate cannot be created. Make sure that base entries are created on the destination servers. | If synchronizing pre-encoded passwords to a PingDirectory server destination, you must allow pre-encoded passwords in the default password policy. You must also configure [password encryption](pd_sync_config_password_encryption.html) on the destination. Make sure that the password encryption algorithm is supported by both source and destination servers with the following command: ```shell $ bin/dsconfig set-password-policy-prop \ --policy-name "Default Password Policy" \ --set allow-pre-encoded-passwords:true ``` Encrypted and clear-text passwords can be synchronized by configuring the sync destination `password-synchronization-format` and `require-secure-connection-for-clear-text-passwords` properties. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can set the `require-secure-connection-for-clear-text-passwords` property to `false` when working in a test environment.If the `password-synchronization-format` property is set to `clear-text`, and the `require-secure-connection-for-clear-text-passwords` property is set to `true`, the connection must be secure.If a secure connection is not available, an error is generated and the password is not synchronized. | To configure PingDataSync with the `create-sync-pipe-config` command: ## Steps 1. Start PingDataSync: ```shell $ /bin/start-server ``` 2. From the `bin` directory, run the `create-sync-pipe-config` tool: ```shell $bin/create-sync-pipe-config ``` 3. In the **Initial Synchronization Configuration Tool** menu, press Enter (yes) to continue the configuration. 4. In the **Synchronization Mode** menu, press Enter to select **Standard Mode**. 5. In the **Synchronization Directory** menu, select **oneway(1)** or **bidirectional(2)** for the synchronization topology. This example assumes bidirectional synchronization. 6. In the **Source Endpoint Type** menu, select the directory or database server for the first endpoint. 7. In the **Source Endpoint Name** menu, enter a name for the endpoint server, or press Enter to accept the default. 8. In the **Base DNs** menu, enter the base distinguished name (DN) *(tooltip: \
\

A name uniquely identifying an object within the hierarchy of a directory tree.\

\
)* on the first endpoint topology where the entries will be searched. For example, `dc=example,dc=com`. 9. Select an option for the server security. 10. Enter the host name and listener port number for the source server, or accept the default. Make sure that the endpoint servers are online and running. 11. Enter another server host and port, or press Enter to continue. 12. Enter the SyncUser account DN for the endpoint servers, or press Enter to accept the default (`cn=Sync User,cn=RootDNs,cn=config`). 13. Enter and confirm a password for this account. ### Result: You can now configure the servers in the destination endpoint topology. 14. Repeat steps 6– 13 to configure the second server. 15. Define the maximum age of changelog log entries, or press Enter to accept the default. After you configure the source and destination topologies, PingDataSync prepares each external server by testing the connection to each server. Step 15 determines if each account has the necessary privileges (root privileges are required) to communicate with and transfer data to each endpoint during synchronization. 16. In the **Sync Pipe Name** menu, create a name for the Sync Pipe, or press Enter to accept the default. Because this configuration is bidirectional, the following step is setting up a Sync Pipe path from the source endpoint to the destination endpoint. A later step will define another Sync Pipe from the PingDirectory server to another server. 17. In the **SyncClass Definitions** menu, enter `Yes` to create a custom Sync Class. A Sync Class defines the operation types (creates, modifies, or deletes), attributes that are synchronized, how attributes and DNs are mapped, and how source and destination entries are correlated. 18. Enter a name for the new Sync Class, such as `server1_to_server2`. 19. In the **Base DNs for Sync Class** menu, enter one or more base DNs to synchronize specific subtrees of a directory information tree (DIT). | | | | - | ------------------------------------------------------------------------------------------------------------------- | | | Entries outside of the specified base DNs are excluded from synchronization. Make sure the base DNs do not overlap. | 20. In the **Filters for Sync Class** menu, define one or more LDAP search filters to restrict specific entries for synchronization, or press Enter to accept the default (no). Entries that do not match the filters are excluded from synchronization. 21. In the **Synchronized Attributes for Sync Class** menu, specify which user attributes will be automatically mapped from one system to another. This example will exclude the source attribute (`email`) from being auto-mapped to the target servers. Operational attributes are not included in any attribute mapping. 22. In the **Operations for Sync Class** menu, select the operations to synchronize for the Sync Class, or press Enter to accept the default (`1,2,3`). 23. Define a default Sync Class that specifies how the other entries are processed, or press Enter to create a Sync Class called `Default Sync Class`. 24. In the **Default Sync Class Operations** menu, specify the operations that the default Sync Class will handle during synchronization, or press Enter to accept the default. 25. Define a Sync Pipe going from the PingDirectory server to the Sun Directory Server and exclude the `mail` attribute from being synchronized to the other endpoint servers. 26. Review the Sync Pipe Configuration Summary, and press Enter to accept the default (write configuration), which records the commands in a batch file (`/sync-pipe-cfg.txt`). You can reuse the batch file to set up other topologies. ## Next steps Apply the configuration changes to the local PingDataSync instance by using a `dsconfig` batch file. Any Server SDK extensions should be saved to the `/lib/extensions` directory. The next step is to configure the attribute mappings using the `dsconfig` command.