Configure the PingDirectory server backend for synchronizing deletes
About this task
The PingDirectory server’s change log backend’s changelog-deleted-entry-include-attribute property specifies which attributes should be recorded in the change log entry during a DELETE operation. Normally, PingDataSync cannot correlate a deleted entry to the entry on the destination. If a Sync Class is configured with a filter, such as "include-filter: objectClass=person," the objectClass attribute must be recorded in the change log entry. Special correlation attributes (other than DN), will also need to be recorded on the change log entry to be properly synchronized at the endpoint server.
On each PingDirectory server backend, use the dsconfig command to set the property.
$ bin/dsconfig set-backend-prop --backend-name changelog \
--set changelog-deleted-entry-include-attribute:objectClassIf the destination endpoint is an Oracle/Sun DSEE (or Sun DS) server, the Sun DSEE server does not store the value of the user deleting the entry, specified in the modifiers name attribute. It only stores the value of the user who last modified the entry while it still existed.
To set up a Sun DSEE destination endpoint to record the user who deleted the entry, use the Ping Identity Server SDK to create a plugin, as follows:
Steps
-
Update the Sun DSEE schema to include a
deleted-by-syncauxiliaryobjectclass. It will only be used as a marker objectclass, and not require or allow additional attributes to be present on an entry. -
Update the Sun DSEE Retro Change Log plugin to include the
deleted-by-sync auxiliaryobjectclass as a value for thedeletedEntryAttrsattribute. -
Write an
LDAPSyncDestinationPluginscript that in thepreDelete()method modifies the entry that is being deleted to include thedeleted-by-syncobjectclass. -
Update the Sync Class filter that is excluding changes by the Sync User to also include
(!(objectclass=deleted-by-sync)).