Configure DN maps
Similar to attribute maps, DN maps define mappings when destination DNs differ from source DNs. These differences must be resolved using DN maps in order for synchronization to successfully take place. For example, the Sync Source could have a DN in the following format:
uid=jdoe,ou=People,dc=example,dc=com
while the Sync Destination could have the standard X.500 DN format.
DN mappings allow the use of wildcards for DN transformations. A single wildcard (*) matches a single RDN component and can be used any number of times. The double wildcard (**) matches zero or more RDN components and can be used only once.
If a literal '*' is required in a DN, it must be escaped.
The wildcard values can be used in the to-dn-pattern attribute: {n} substitutes the value matched by the n-th wildcard of the from-dn-pattern (counted by position), and {attr} substitutes the value of attribute attr from the source entry. For example:
*,**,dc=com->{1},ou=012,o=example,c=us
For example, using the DN uid=johndoe,ou=People,dc=example,dc=com and mapping to the target DN uid=johndoe,ou=012,o=example,c=us:
- "*" matches one RDN component, uid=johndoe
- "**" matches zero or more RDN components, ou=People,dc=example
- "dc=com" matches dc=com in the DN.
The DN is mapped to {1},ou=012,o=example,c=us. "{1}" substitutes the first wildcard element, "uid=johndoe", so that the DN is successfully mapped to:
uid=johndoe,ou=012,o=example,c=us
Regular expressions and attributes from the user entry can also be used in the to-dn-pattern attribute. For example, the following expression constructs a value for the uid attribute, which is the RDN, out of the initials (first letter of givenname and sn) and the employee ID (the eid attribute) of a user; {2} carries over the RDNs matched by the double wildcard.
uid={givenname:/^(.)(.*)/$1/s}{sn:/^(.)(.*)/$1/s}{eid},{2},o=example
PingDataSync automatically validates any DN mapping before applying the configuration.
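The following is an added example and not PingDataSync code: a small Python model of the wildcard and substitution rules described above, so that a from-dn-pattern and to-dn-pattern can be tried against sample DNs before they are put into a DN map. It assumes that RDN literals compare case-insensitively, that the regex flag "s" means dot-matches-newline and "i" means case-insensitive, that a "$1" group reference in the replacement corresponds to Python's "\1", and that an RDN left empty by an empty "**" match is dropped from the result; the sample DNs and the entry attributes (givenName, sn, eid) are constructed for the example.

```python
import re

# Added example, not PingDataSync's implementation. Assumptions: RDN literals
# compare case-insensitively; regex flag "s" = DOTALL, "i" = IGNORECASE;
# "$1" in a replacement becomes Python's "\1"; an RDN that ends up empty
# (an empty "**" capture) is dropped from the mapped DN.

_FLAG_MAP = {"s": re.DOTALL, "i": re.IGNORECASE, "m": re.MULTILINE}

# {1} -> wildcard capture by position; {attr} -> attribute value;
# {attr:/regex/replacement/flags} -> attribute value after a regex substitution
_TOKEN = re.compile(r"\{(\d+)\}|\{([A-Za-z][\w-]*)(?::/([^/]*)/([^/]*)/(\w*))?\}")


def split_rdns(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escaped pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def validate_from_pattern(pattern):
    """Rule from the page: '*' any number of times, '**' at most once."""
    parts = split_rdns(pattern)
    if parts.count("**") > 1:
        raise ValueError("'**' may appear only once in a from-dn-pattern")
    return parts


def match_from_pattern(pattern, dn):
    """Return the wildcard captures in pattern order, or None if dn does not match.

    '*' captures exactly one RDN; '**' captures zero or more RDNs joined by
    commas (empty string when it matches nothing); literals must equal the RDN.
    """
    parts = validate_from_pattern(pattern)
    comps = split_rdns(dn)
    if "**" in parts:
        k = parts.index("**")
        head, tail = parts[:k], parts[k + 1:]
        if len(comps) < len(head) + len(tail):
            return None
        middle = comps[len(head):len(comps) - len(tail)]
        pairs = list(zip(head, comps[:len(head)]))
        pairs.append(("**", ",".join(middle)))
        pairs += list(zip(tail, comps[len(comps) - len(tail):]))
    else:
        if len(comps) != len(parts):
            return None
        pairs = list(zip(parts, comps))
    captures = []
    for pat, rdn in pairs:
        if pat in ("*", "**"):
            captures.append(rdn)
        elif pat.lower() != rdn.lower():  # assumption: case-insensitive literals
            return None
    return captures


def apply_to_pattern(pattern, captures, entry):
    """Expand {n}, {attr} and {attr:/regex/replacement/flags} in a to-dn-pattern."""
    attrs = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive

    def expand(m):
        idx, attr, regex, repl, flags = m.groups()
        if idx is not None:
            return captures[int(idx) - 1]
        value = attrs[attr.lower()]
        if regex is None:
            return value
        py_repl = re.sub(r"\$(\d+)", r"\\\1", repl)  # "$1" -> "\1" (assumption)
        fl = 0
        for f in flags:
            fl |= _FLAG_MAP[f]
        return re.sub(regex, py_repl, value, flags=fl)

    expanded = _TOKEN.sub(expand, pattern)
    return ",".join(rdn for rdn in split_rdns(expanded) if rdn)  # drop empty RDNs


def map_dn(from_pattern, to_pattern, dn, entry=None):
    """Map one source DN through a DN map; None means the from pattern did not match."""
    captures = match_from_pattern(from_pattern, dn)
    if captures is None:
        return None
    return apply_to_pattern(to_pattern, captures, entry or {})
```

Running map_dn("*,**,dc=com", "{1},ou=012,o=example,c=us", "uid=johndoe,ou=People,dc=example,dc=com") reproduces the first worked example, and passing the regex to-dn-pattern above together with an entry holding givenName "John", sn "Doe" and eid "1234" yields uid=JD1234 as the new RDN. A DN whose suffix does not match the pattern maps to None rather than to a malformed target, which is the case to watch for when a Sync Class is expected to cover every entry.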
Configuring a DN map by using dsconfig
About this task
You can configure a DN map by using dsconfig, either with the interactive DN Map menu, or from the command line.
Perform the following to configure a DN map:
Steps
- Use dsconfig to create a DN map for PingDataSync.
$ bin/dsconfig --no-prompt create-dn-map \
  --map-name nested-to-flattened \
  --set "from-dn-pattern:*,**,dc=example,dc=com" \
  --set "to-dn-pattern:uid={1},{2},dc=example,dc=com" \
  --port 1389 \
  --bindDN "uid=admin,dc=example,dc=com" \
  --bindPassword secret
- After DN mappings are configured, add the new DN map to a new Sync Class or modify an existing Sync Class.
$ bin/dsconfig --no-prompt set-sync-class-prop \
  --pipe-name test-sync-pipe \
  --class-name test-sync-class \
  --set dn-map:test-dn-map \
  --port 389 \
  --bindDN "uid=admin,dc=example,dc=com" \
  --bindPassword secret
Configuring a group mapping with attribute mappings
About this task
You can use an attribute mapping with a DN map to synchronize groups across server domains. In this task, a DN attribute mapping is used so that the target attribute receives its values directly from a source attribute that stores DN values, with the added benefit of using a DN map for translating the group DNs. For more information on available attribute mappings, see About attribute mappings.
Steps
- Use dsconfig to configure a DN map between groups.
Example:
This example involves mapping an Active Directory group to a PingDirectory group.
$ bin/dsconfig --no-prompt create-dn-map \
  --map-name "AD-PD map" \
  --set "from-dn-pattern:*,**,dc=example,dc=com" \
  --set "to-dn-pattern:uid={1},{2},dc=example,dc=com" \
  --port 1389 \
  --bindDN "uid=admin,dc=example,dc=com" \
  --bindPassword secret
- Use the create-attribute-mapping command to create an attribute mapping.
Example:
This example creates an attribute mapping from the member attribute in Active Directory to the member attribute in PingDirectory.
$ bin/dsconfig --no-prompt create-attribute-mapping \
  --mapping-name "AD-PD attr mapping" \
  --dn-map "AD-PD map" \
  --type dn \
  --set "description:{member}>{member} attr mapping" \
  --set from-attribute:{member} \
  --set to-attribute:{member}
If you have not already configured a DN map between the source and destination groups, you can configure a map within the --dn-map option when creating the attribute mapping. The DN map object contains the syntax for mapping the source DN to the destination DN.
If you add specific attributes to the auto-mapped-source-attributes property in the sync class, those attributes will be automatically synced as long as their value formats do not change from the source to the destination server.