Authentication and authorization
The PingDirectory server uses a simple authentication model to authorize replication servers.
Once authenticated, the remote PingDirectory server is fully authorized to exchange replication messages with the local PingDirectory server; there is no other access control in place.
Authentication in the replication protocol is based on public key cryptography using TLS client certificate authentication. The certificate used for authentication is stored in the ads-truststore backend of the PingDirectory server.
During replication setup, the command-line utility distributes public keys to all PingDirectory servers to establish trust between the servers and to enable TLS client authentication.
Note: Replication relies on server-to-server traffic. For custom inter-server certificates, you should use mTLS certificates instead of web certificates. The certificates should have both
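The practical difference between a web certificate and a certificate usable for mutual TLS is visible in its Extended Key Usage extension: a certificate issued only for serverAuth cannot be presented as a TLS client certificate, yet each replication peer acts as both TLS server and TLS client. The following script is an added example, not PingDirectory tooling; it assumes OpenSSL 1.1.1 or later and builds two throwaway self-signed certificates as constructed input.

```shell
#!/bin/sh
# Added example, not PingDirectory tooling. A web-server certificate normally
# carries only the serverAuth Extended Key Usage; a replication peer also
# presents its certificate as a TLS *client*, so an inter-server (mTLS)
# certificate needs clientAuth as well. Requires openssl 1.1.1+ (-ext/-addext).
set -eu

# check_mtls_eku CERT.pem: succeed (0) only if the extendedKeyUsage extension
# lists both TLS Web Server Authentication and TLS Web Client Authentication.
check_mtls_eku() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
    case "$eku" in
        *"TLS Web Server Authentication"*"TLS Web Client Authentication"*|\
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_cert OUT.pem EKU_LIST: constructed sample input, a throwaway
# self-signed certificate carrying the given extendedKeyUsage values.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ds1.example.test" -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/web.pem"  "serverAuth"             # typical web certificate
make_cert "$tmp/mtls.pem" "serverAuth,clientAuth"  # suitable inter-server certificate

for c in web mtls; do
    if check_mtls_eku "$tmp/$c.pem"; then
        echo "$c.pem: usable for mutual TLS (serverAuth + clientAuth)"
    else
        echo "$c.pem: NOT usable as a TLS client certificate"
    fi
done
```

Run the same check against a real inter-server certificate before loading it into the server's trust store, since a peer that cannot authenticate as a client will fail replication setup.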