PingDirectory

Configure the PingDirectory server sync source

About this task

Configure the Sync source for the synchronization network. More than one external server can be configured to act as the Sync source for failover purposes. If the source is a PingDirectory server, also configure the following items:

  • Enable the changelog password encryption plugin on any directory server that will receive password modifications. This plugin intercepts password modifications, encrypts the password, and adds an encrypted attribute to the change log entry.

  • Configure the changelog-deleted-entry-include-attribute property on the changelog backend, so that PingDataSync can record which attributes were removed during a DELETE operation.

Perform the following steps to configure the Sync source:

Steps

  1. Run the dsconfig command to configure the external server as the Sync source. Based on the previous example where the PingDirectory server was configured as source-ds, run the following command:

    $ bin/dsconfig create-sync-source --source-name source \
      --type ping-identity \
      --set base-dn:dc=example,dc=com \
      --set server:source-ds \
      --set use-changelog-batch-request:true
  2. Enable the changelog password encryption plugin on any server that receives password modifications. The encryption key can be copied from the output, if displayed, or accessed from the <server-root>/bin/sync-pipe-cfg.txt file, if the create-sync-pipe-config tool was used to create the sync pipe.

    $ bin/dsconfig set-plugin-prop \
      --plugin-name "Changelog Password Encryption" \
      --set enabled:true \
      --set changelog-password-encryption-key:<key>
  3. On PingDataSync, set the decryption key used to decrypt the user password value in the change log entries. Use the same key value that was set on the changelog password encryption plugin in the previous step. The key allows the user password to be synchronized to other servers that do not use the same password storage scheme.

    $ bin/dsconfig set-global-sync-configuration-prop \
      --set changelog-password-decryption-key:ej5u9e39pq-68
  4. Configure the changelog-deleted-entry-include-attribute property on the changelog backend.

    $ bin/dsconfig set-backend-prop --backend-name changelog \
      --set changelog-deleted-entry-include-attribute:objectClass
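The four steps above are one procedure that touches two kinds of hosts and depends on the same key value being applied on both. The following script is an added example and is not part of the Ping Identity documentation or the product: it validates the key, renders the steps as dsconfig batch files for each side, and applies them with `dsconfig --batch-file` from a mode-600 temporary file so the key never appears in a process listing or shell history. The base DN and the source-ds name come from the steps above; DS_ROOT, SYNC_ROOT, CHANGELOG_PW_KEY, the function names and the use of `get-plugin-prop` as a post-check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the PingDataSync documentation.
# Assumptions: DS_ROOT and SYNC_ROOT are the server roots on the host where
# the script runs; CHANGELOG_PW_KEY holds the key shared by steps 2 and 3.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"
SOURCE_SERVER="${SOURCE_SERVER:-source-ds}"

# Reject an empty key or one with characters that would break the
# "property:value" syntax dsconfig expects.
validate_key() {
  key="$1"
  [ -n "$key" ] || return 1
  case "$key" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Batch commands for PingDataSync (steps 1 and 3); argument is the key.
sync_batch() {
  cat <<EOF
create-sync-source --source-name source --type ping-identity --set base-dn:$BASE_DN --set server:$SOURCE_SERVER --set use-changelog-batch-request:true
set-global-sync-configuration-prop --set changelog-password-decryption-key:$1
EOF
}

# Batch commands for each PingDirectory server that receives password
# modifications (steps 2 and 4); argument is the same key.
directory_batch() {
  cat <<EOF
set-plugin-prop --plugin-name "Changelog Password Encryption" --set enabled:true --set changelog-password-encryption-key:$1
set-backend-prop --backend-name changelog --set changelog-deleted-entry-include-attribute:objectClass
EOF
}

# Write the batch to a file readable only by this user, apply it, remove it.
apply_batch() {
  server_root="$1"
  body="$2"
  umask 077
  tmp="$(mktemp)"
  printf '%s\n' "$body" > "$tmp"
  if "$server_root/bin/dsconfig" --no-prompt --batch-file "$tmp"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$tmp"
  return $rc
}

# Post-check on a directory server (assumed dsconfig get-*-prop usage):
# confirm the plugin is enabled and the delete attribute list is set.
verify_directory() {
  "$1/bin/dsconfig" --no-prompt get-plugin-prop \
    --plugin-name "Changelog Password Encryption" --property enabled
  "$1/bin/dsconfig" --no-prompt get-backend-prop \
    --backend-name changelog --property changelog-deleted-entry-include-attribute
}

# Usage: run "directory" on each PingDirectory server, "sync" on PingDataSync.
case "${1:-}" in
  directory)
    validate_key "${CHANGELOG_PW_KEY:-}" || { echo "CHANGELOG_PW_KEY unset or malformed" >&2; exit 2; }
    apply_batch "${DS_ROOT:?DS_ROOT must be set}" "$(directory_batch "$CHANGELOG_PW_KEY")"
    verify_directory "$DS_ROOT"
    ;;
  sync)
    validate_key "${CHANGELOG_PW_KEY:-}" || { echo "CHANGELOG_PW_KEY unset or malformed" >&2; exit 2; }
    apply_batch "${SYNC_ROOT:?SYNC_ROOT must be set}" "$(sync_batch "$CHANGELOG_PW_KEY")"
    ;;
esac
```

Because both batch files are rendered from the one CHANGELOG_PW_KEY value, the encryption key on the directory servers and the decryption key on PingDataSync cannot drift apart; running the `directory` mode on every server that accepts password changes also covers the "any server that receives password modifications" requirement in step 2.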