Synchronizing Active Directory with PingDirectory

When you use the sync-pipe tool to configure Active Directory (AD) or AD-LDS as a one-way sync with PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.

The following table shows these three attributes, the intermediate attribute that is formed between PingDirectory and AD (or AD-LDS), and the extended operation type used by the PingDirectory server to apply the change.

AD and AD-LDS attribute Intermediate attribute PingDirectory attribute PasswordPolicyStateOperation opType

lockoutTime

pwdAccountLockedTimeFromAD

pwdAccountLockedTime

OP_TYPE_SET_AUTH_FAILURE_TIMES

userAccountControl & (ACCOUNTDISABLE == 2)

In AD-LDS, the corresponding attribute is ms-DS-User-Account-Disabled.

ds-pwp-account-disabled-from-ad

ds-pwp-account-disabled

OP_TYPE_SET_ACCOUNT_DISABLED_STATE

pwdLastSet

pwdChangedTimeFromAD

pwdChangedTime

OP_TYPE_SET_PW_CHANGED_TIME

Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don’t exist on either the AD server or on the PingDirectory server.

`modifies-as-creates`

By default, the modifies-as-creates sync class property is set to false.

Active Directory attributes might not be synchronized as expected when the following is true:

You are using the realtime-sync tool.
The modifies-as-creates sync class property is set to true.
A modification is detected on the source endpoint to a missing entry on the destination endpoint.
The modification is to attributes other than the three AD password policy state attributes previously mentioned.

To avoid this known issue, you can run the resync tool instead of the realtime-sync tool. Using resync will correctly copy all attributes. For more information, see The resync tool.