PingDirectory

Configure the sync pipe, sync classes, and evaluation order

About this task

Configure a Sync Pipe for Lightweight Directory Access Protocol (LDAP) to System for Cross-domain Identity Management (SCIM) synchronization, create Sync classes for the Sync Pipe, and set the evaluation order index for the Sync classes.

The synchronization mode must be set to standard. Notification mode cannot be used with SCIM.

Steps

  1. After the source and destination endpoints have been configured, configure the Sync Pipe for LDAP to SCIM synchronization. Run dsconfig to configure an LDAP-to-SCIM Sync Pipe:

    $ bin/dsconfig create-sync-pipe \
  --pipe-name ldap-to-scim \
  --set sync-source:source \
  --set sync-destination:scim

  2. The next set of steps define three Sync Classes. The first Sync Class is used to match user entries in the Sync Source. The second class is used to match group entries. The third class is a DEFAULT class that is used to match all other entries.

    Run dsconfig to create the first Sync Class and set the Sync Pipe Name and Sync Class name:

    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name user

  3. Run dsconfig to set the base distinguished name (DN) and filter for this Sync class. The include-base-dn property specifies the base DN in the source, which is ou=people,dc=example,dc=com by default. This Sync Class is invoked only for changes at the ou=people level. The include-filter property specifies an LDAP filter that tells PingDataSync to include inetOrgPerson entries as user entries. The destination-correlation-attributes specifies LDAP attributes that allow PingDataSync to find the destination resource on the SCIM server. The value of this property will vary. See Identify a SCIM resource at the destination for details.

    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name user \
  --add include-base-dn:ou=people,dc=example,dc=com \
  --add "include-filter:(objectClass=inetOrgPerson)" \
  --set destination-correlation-attributes:externalId

  4. Create a second Sync class, which is used to match group entries:

    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name group

  5. For the second Sync class, set the base DN and the filters to match the group entries.

    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name group \
  --add include-base-dn:ou=groups,dc=example,dc=com \
  --add "include-filter:(|(objectClass=groupOfEntries)\
    (objectClass=groupOfNames)(objectClass=groupOfUniqueNames)\
    (objectClass=groupOfURLs))"

  6. For the third Sync class, create a DEFAULT Sync class that is used to match all other entries. To synchronize changes from only user and group entries, set synchronize-creates, synchronize-modifies, and synchronize-delete to false.

    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name DEFAULT \
  --set evaluation-order-index:99999 \
  --set synchronize-creates:false \
  --set synchronize-modifies:false \
  --set synchronize-deletes:false

  7. After all of the Sync classes needed by the Sync Pipe are configured, set the evaluation order index for each Sync class. Classes with a lower number are evaluated first. Run dsconfig to set the evaluation order index for the Sync class. The actual number depends on the deployment.

    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name user \
  --set evaluation-order-index:100