PingDirectory

Configure the PingDirectory server backend for synchronizing deletes

About this task

The PingDirectory server’s change log backend’s changelog-deleted-entry-include-attribute property specifies which attributes of a deleted entry are recorded in the change log entry for a DELETE operation. Once an entry has been deleted, its attributes are no longer available on the source, so PingDataSync normally has nothing but the DN with which to correlate the delete to the corresponding entry on the destination. If a Sync Class is configured with a filter, such as include-filter: objectClass=person, the objectClass attribute must be recorded in the change log entry, otherwise the filter cannot be evaluated for the delete. Any correlation attributes other than the DN that the destination endpoint relies on must also be recorded in the change log entry so that the delete is applied to the correct entry on the destination server.

On each PingDirectory server backend, use the dsconfig command to set the property. Note that --set replaces the property’s current value; to record more than one attribute, use --add for each additional attribute rather than repeating --set.

$ bin/dsconfig set-backend-prop --backend-name changelog \
  --set changelog-deleted-entry-include-attribute:objectClass

If the destination endpoint is an Oracle/Sun DSEE (or Sun DS) server, note that the DSEE server does not record who deleted an entry in the modifiersName attribute. On a deleted entry, modifiersName only holds the user who last modified the entry while it still existed, so a delete performed by PingDataSync cannot be recognized as a change made by the Sync User through that attribute.

To set up a Sun DSEE destination endpoint so that entries deleted by PingDataSync can be identified, use the Ping Identity Server SDK to create a plugin, as follows:

Steps

  1. Update the Sun DSEE schema to include a deleted-by-sync auxiliary objectclass. It is used only as a marker objectclass and neither requires nor allows additional attributes to be present on an entry.

  2. Update the Sun DSEE Retro Change Log plugin to include the deleted-by-sync auxiliary objectclass as a value for the deletedEntryAttrs attribute.

  3. Write an LDAPSyncDestinationPlugin extension (a Java class built with the Server SDK) whose preDelete() method modifies the entry that is about to be deleted on the destination to add the deleted-by-sync objectclass, and then allows the delete to proceed.

  4. Update the Sync Class filter that excludes changes made by the Sync User to also include (!(objectclass=deleted-by-sync)). Because the Retro Change Log now records the marker objectclass for deleted entries, deletes performed by PingDataSync itself are excluded in the same way as its other changes.
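The following Java class is an added example of the plugin described in step 3; it is not code from the PingDataSync documentation or from the Server SDK's bundled samples. It assumes the Server SDK class and method names LDAPSyncDestinationPlugin, preDelete(LDAPSyncDestinationPluginContext, Entry, SyncOperation), PreStepResult.CONTINUE, and LDAPSyncDestinationPluginContext.getConnection() as found in the Server SDK javadoc; verify them against the SDK version you build against. The package name, class name, and the deleted-by-sync objectclass name from step 1 are the only other assumptions.

```java
package com.example.sync; // hypothetical package name

import com.unboundid.directory.sdk.sync.api.LDAPSyncDestinationPlugin;
import com.unboundid.directory.sdk.sync.types.LDAPSyncDestinationPluginContext;
import com.unboundid.directory.sdk.sync.types.PreStepResult;
import com.unboundid.directory.sdk.sync.types.SyncOperation;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ResultCode;

/**
 * Example LDAP Sync Destination plugin (not from the product documentation).
 * Before PingDataSync deletes an entry on a Sun DSEE destination, it adds the
 * marker objectclass from step 1 so that the Retro Change Log records it for
 * the delete and the Sync Class filter from step 4 can exclude the change.
 */
public final class DeletedBySyncMarkerPlugin extends LDAPSyncDestinationPlugin {

  // Name of the marker auxiliary objectclass added to the DSEE schema in step 1.
  private static final String MARKER_OBJECTCLASS = "deleted-by-sync";

  @Override
  public String getExtensionName() {
    return "Deleted-By-Sync Marker Plugin";
  }

  @Override
  public String[] getExtensionDescription() {
    return new String[] {
      "Adds the " + MARKER_OBJECTCLASS + " auxiliary objectclass to an entry "
      + "on the destination immediately before PingDataSync deletes it."
    };
  }

  @Override
  public PreStepResult preDelete(final LDAPSyncDestinationPluginContext pluginContext,
                                 final Entry entryToDelete,
                                 final SyncOperation operation)
         throws LDAPException {

    // Nothing to do if the entry already carries the marker (e.g. a retried delete).
    if (entryToDelete.hasObjectClass(MARKER_OBJECTCLASS)) {
      return PreStepResult.CONTINUE;
    }

    // Assumption: getConnection() returns a connection to the destination server.
    final LDAPInterface destination = pluginContext.getConnection();
    final Modification addMarker =
        new Modification(ModificationType.ADD, "objectClass", MARKER_OBJECTCLASS);

    try {
      destination.modify(entryToDelete.getDN(), addMarker);
    } catch (final LDAPException e) {
      final ResultCode rc = e.getResultCode();
      if (rc == ResultCode.ATTRIBUTE_OR_VALUE_EXISTS
          || rc == ResultCode.NO_SUCH_OBJECT) {
        // Already marked, or already gone: the delete step handles both; proceed.
        return PreStepResult.CONTINUE;
      }
      // Any other failure (schema violation, access denied, ...) is re-thrown so
      // PingDataSync applies its normal error handling instead of deleting an
      // unmarked entry, which the step 4 filter could not recognize as its own.
      throw e;
    }

    // Let PingDataSync carry out the delete itself.
    return PreStepResult.CONTINUE;
  }
}
```

The plugin deliberately does not delete the entry itself; it only adds the marker and returns CONTINUE so that the delete is still performed and reported by PingDataSync. The modify is issued over the plugin's destination connection, so it is performed as the Sync User; if the Sync User is not permitted to modify objectClass on the destination, the modify fails and is re-thrown rather than silently skipped.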