PingDirectory

Configuring sync pipes and sync classes

About this task

Perform the following steps to configure Sync Pipes and Sync Classes:

Steps

  1. On the Sync Pipe Name menu, type a unique name to identify the Sync Pipe, or accept the default.

  2. On the Pre-Configured Sync Class Configuration for Active Directory Sync Source menu, enter yes to synchronize user CREATE operations, and enter the object class for the user entries at the destination server, or accept the default (user). To synchronize user MODIFY and DELETE operations from Active Directory (AD), enter yes.

  3. To synchronize passwords from Active Directory, press Enter to accept the default (yes). If synchronizing passwords from Active Directory, install the Ping Identity Password Sync Agent component on each domain controller.

  4. To create a distinguished name (DN) map for the user entries in the Sync Pipe, enter the base DN for the user entries at the Microsoft Active Directory Sync Source, then enter the base DN for the user entries at the PingDataSync Destination.

    A list of basic attribute mappings from the Microsoft Active Directory Source to the PingDirectory Server destination is displayed. More complex attribute mappings involving constructed or DN attribute mappings must be configured with the dsconfig command. The following is a sample mapping.

    Below is a list of the basic mappings that have been set up for user
    entries synchronized from Microsoft Active Directory -> PingDirectory
    Server. You can add to or modify this list with any direct attribute
    mappings. To set up more complex mappings (such as constructed or DN
    attribute mappings), use the 'dsconfig' tool.
    1) cn -> cn
    2) sn -> sn
    3) givenName -> givenName
    4) description -> description
    5) sAMAccountName -> uid
    6) unicodePwd -> userPassword

  5. Enter the option to add a new attribute mapping. Enter the source attribute, and then enter the destination attribute. The following example maps the telephoneNumber attribute (Active Directory) to the otherTelephone attribute (PingDirectory Server).

    Select an attribute mapping to remove, or choose 'n' to add a new one
    [Press ENTER to continue]: n
    Enter the name of the source attribute: telephoneNumber
    Enter the name of the destination attribute: otherTelephone

  6. If synchronizing group CREATE, MODIFY, and DELETE operations from Active Directory, enter yes.

  7. Review the basic user group mappings.

  8. On the Sync Pipe Sync Class Definitions menu, enter another name for a new Sync Class if required. Repeat steps 2–6 to define this new Sync Class. If no additional Sync Class definitions are required, press Enter to continue.

  9. Review the Sync Pipe Configuration Summary, and accept the default ("write configuration"), which records the commands in a batch file (sync-pipe-cfg.txt). The batch file can be used to set up other topologies. The following summary shows two Sync Pipes and their associated Sync Classes.

    >>>> Configuration Summary
      Sync Pipe: AD to PingDirectory Server
        Source: Microsoft Active Directory
          Type: Microsoft Active Directory
          Access Account: cn=Sync User,cn=Users,DC=adsync,DC=PingIdentity,DC=com
          Base DN: DC=adsync,DC=PingIdentity,DC=com
          Servers: 10.5.1.149:636
        Destination: PingDirectory Server
          Type: PingDirectory Server
          Access Account: cn=Sync User,cn=Root DNs,cn=config
          Base DN: dc=example,dc=com
          Servers: localhost:389
        Sync Classes:
          Microsoft Active Directory Users Sync Class
          Base DN: DC=adsync,DC=PingIdentity,DC=com
          Filters: (objectClass=user)
          DN Map: **,CN=Users,DC=adsync,DC=PingIdentity,DC=com ->{1},ou=users,dc=example,dc=com
          Synchronized Attributes: Custom set of mappings are defined
          Operations: Creates,Deletes,Modifies
      Sync Pipe: PingDirectory Server to AD
        Source: PingDirectory Server
          Type: PingDirectory Server
          Access Account: cn=Sync User,cn=Root DNs,cn=config
          Base DN: dc=example,dc=com
          Servers: localhost:389
        Destination: Microsoft Active Directory
          Type: Microsoft Active Directory
          Access Account: cn=Sync User,cn=Users,DC=adsync,DC=PingIdentity,DC=com
          Base DN: DC=adsync,DC=PingIdentity,DC=com
          Servers: 10.5.1.149:636
        Sync Classes:
          PingDirectory Server Users Sync Class
          Base DN: dc=example,dc=com
          Filters: (objectClass=inetOrgPerson)
          DN Map: **,ou=users,dc=example,dc=com ->{1},CN=Users,DC=adsync,DC=PingIdentity,DC=com
          Synchronized Attributes: Custom set of mappings are defined
          Operations: Creates,Deletes,Modifies

  10. To apply the configuration to the local PingDataSync server instance, type yes. The configuration is recorded at <server-root>/logs/tools/createsync-pipe-config.log.
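
A check to run over the Configuration Summary from step 9 before writing the configuration, since the pipes carry the unicodePwd -> userPassword mapping: it lists every endpoint that is not on port 636. This is an added example, not part of the Ping documentation or tooling. The function name `audit_summary`, the trimmed sample text, the comma-separated server list, and treating only port 636 as TLS are assumptions; a port 389 endpoint might still use StartTLS, which the summary does not show.

```python
# Constructed sample: the two-pipe summary from step 9, trimmed to the
# lines this check reads.
SUMMARY = """\
>>>> Configuration Summary
  Sync Pipe: AD to PingDirectory Server
    Source: Microsoft Active Directory
      Servers: 10.5.1.149:636
    Destination: PingDirectory Server
      Servers: localhost:389
  Sync Pipe: PingDirectory Server to AD
    Source: PingDirectory Server
      Servers: localhost:389
    Destination: Microsoft Active Directory
      Servers: 10.5.1.149:636
"""

LDAPS_PORT = 636  # assumption: only this port is treated as implicit TLS
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_summary(text):
    """Return one finding per endpoint that is not on the LDAPS port."""
    findings, pipe, role = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Sync Pipe:"):
            pipe, role = line.split(":", 1)[1].strip(), None
        elif line.startswith(("Source:", "Destination:")):
            role = line.split(":", 1)[0]
        elif line.startswith("Servers:") and pipe and role:
            # Assumption: several servers would be comma-separated.
            for endpoint in line.split(":", 1)[1].split(","):
                host, _, port = endpoint.strip().rpartition(":")
                if not port.isdigit():
                    continue  # skip anything that is not host:port
                if int(port) != LDAPS_PORT:
                    findings.append({
                        "pipe": pipe, "role": role, "host": host,
                        "port": int(port), "loopback": host in LOOPBACK,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_summary(SUMMARY):
        scope = "loopback only" if f["loopback"] else "crosses the network"
        print(f"{f['pipe']} / {f['role']}: {f['host']}:{f['port']} "
              f"is not on port {LDAPS_PORT} ({scope}); confirm TLS is in use")
```

On the sample summary this reports the localhost:389 endpoint once per Sync Pipe, both loopback; a non-loopback endpoint on 389 is the case to resolve before password synchronization is enabled.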