Synchronizing Active Directory with PingDirectory
When you use the sync-pipe tool to configure Active Directory (AD) or AD-LDS as a one-way sync with PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.
The following table shows these three attributes, the intermediate attribute that is formed between PingDirectory and AD (or AD-LDS), and the extended operation type used by the PingDirectory server to apply the change.
AD and AD-LDS attribute | Intermediate attribute | PingDirectory attribute | PasswordPolicyStateOperation opType
---|---|---|---
| | | | |
| | | | |
| | | | |

Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don’t exist on either the AD server or on the PingDirectory server.
modifies-as-creates
By default, the modifies-as-creates sync class property is set to false.
Active Directory attributes might not be synchronized as expected when the following is true:
- You are using the realtime-sync tool.
- The modifies-as-creates sync class property is set to true.
- A modification is detected on the source endpoint to a missing entry on the destination endpoint.
- The modification is to attributes other than the three AD password policy state attributes previously mentioned.
To avoid this known issue, you can run the resync tool instead of the realtime-sync tool. Using resync will correctly copy all attributes. For more information, see The resync tool.