PingDirectory

Configure sync classes

Sync classes specify how to handle different kinds of entries read from the sync source when preparing to synchronize them to the sync destination.

When synchronizing to a System for Cross-domain Identity Management (SCIM) 2.0 server, you should have at least one sync class for each endpoint. The most important configuration properties you might need to specify include:

evaluation-order-index

A numeric value that indicates the order in which the sync class should be evaluated relative to other classes that are associated with the same sync pipe. Each class should have a different index, and classes will be examined in ascending order from lowest index to highest. The first class that is appropriate for a given type of change (based on criteria like the base distinguished name (DN), filter, and change type) will be used. This is required, but if you only have a single sync class for a sync pipe, then you can just use the default value of 9999.

include-base-dn

An optional base DN for source entries on which this sync class can operate. For example, if you are synchronizing users from a Lightweight Directory Access Protocol (LDAP) server, and if all of the users you want to synchronize are below ou=People,dc=example,dc=com, then you could use that as the base DN.

include-filter

An optional filter that determines which kinds of entries this sync class can operate on. If a source entry does not match this filter, the sync class will not be used. For example, if the user entries you want to synchronize all have the inetOrgPerson object class, then you could use a filter of (objectClass=inetOrgPerson).

attribute-map

An optional attribute map to identify and convert source attributes for use in the destination entry.

This is different from the SCIM 2.0 attribute mapping that will be used by the SCIM 2.0 sync destination in that it is more general and is not tied to any specific type of destination. In some advanced use cases, you might need to provide values for this property (especially if you need to apply transformations that SCIM 2.0 attribute mappings can’t do on their own), but in many cases, the auto-mapped-source-attribute property will be sufficient.

auto-mapped-source-attribute

A list of the attributes that should be automatically mapped from the source entry to the destination (before any SCIM 2.0 attribute mapping is applied, which might narrow down the set of attributes that will actually be used, and which might apply additional transformations). This might be a list of specific attribute names, but you can also use the special value -all- to indicate that all attributes from the source entry should be mapped to the destination, or the value of -none- to indicate that no attributes should be automatically mapped and that only those attributes referenced in the attribute-map property should be included. This is required.

synchronize-creates

Indicates whether to attempt to synchronize new entries created in the sync source to the destination. This property has a default value of true.

synchronize-modifies

Indicates whether to attempt to synchronize changes to existing entries created in the sync source to the destination. This property has a default value of true.

synchronize-deletes

Indicates whether to attempt to synchronize entries removed from the sync source to the destination. This property has a default value of true.

attribute-comparison-method

The method to use when comparing attributes between the source and destination versions of an entry to see if the value has changed. If specified, the value should be one of:

  • syntax-based – Uses the syntax and matching rules for the associated attribute type to determine whether a value has changed. This is the default behavior, and it might ignore changes that aren’t considered significant by the equality matching rule (for example, if the value differs only in its use of capitalization in an attribute that uses case-insensitive matching).

  • byte-for-byte – Uses a byte-for-byte comparison of the source and destination versions of each value to determine whether it was changed. Any difference in the value will be considered significant, even if it would not have been considered significant in accordance with the syntax and matching rules.

modifies-as-creates

Indicates how the server should behave if an existing entry is modified in the sync source, but no corresponding version of that entry is found in the sync destination. By default, the value is false, and the synchronization operation will fail, leaving the entry absent from the destination. However, if this property is set to true, then the entry will be created in the destination.

creates-as-modifies

Indicates how the server should behave if a new entry is created in the sync source, but a corresponding version of that entry already exists in the sync destination. By default, the value is false, and the synchronization operation will fail, leaving the existing destination entry unchanged. However, if this property is set to true, then the source and destination versions of the entry will be compared, and the add might be converted into a modify if any differences are identified.

plugin

An optional set of plugins that can be invoked when mapping entries from the source to the destination.

You can use the following example configuration change to create a sync class:

dsconfig create-sync-class \
     --pipe-name "LDAP Source to SCIMv2 Destination" \
     --class-name "User Class" \
     --set include-base-dn:ou=People,dc=example,dc=com \
     --set "include-filter:(objectClass=inetOrgPerson)" \
     --set auto-mapped-source-attribute:-all-
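
Because the first matching class wins (see evaluation-order-index above), ordering mistakes are easy to miss. The following added example, which is not part of the PingDirectory documentation or product, lints a planned set of sync classes for duplicate indexes, classes that can never be selected, and classes that use -all-. The dict layout, class names, and function names are assumptions, and DN parsing is simplified.

```python
# Added example: lint planned sync classes for one sync pipe. Property names come
# from the page; dict layout, class names and functions are constructed.
SYNC_FLAGS = ("synchronize-creates", "synchronize-modifies", "synchronize-deletes")

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def at_or_below(dn, base):
    """True if dn equals base or sits beneath it; an empty base covers all."""
    d, b = rdns(dn), rdns(base)
    return not b or (len(b) <= len(d) and d[-len(b):] == b)

def lint_sync_classes(classes):
    findings = []
    ordered = sorted(classes, key=lambda c: c.get("evaluation-order-index", 9999))
    seen = {}
    for c in ordered:  # each class should have a different index
        idx = c.get("evaluation-order-index", 9999)
        if idx in seen:
            findings.append(("duplicate-index", seen[idx], c["name"]))
        seen.setdefault(idx, c["name"])
    for i, early in enumerate(ordered):
        # First match wins: an unfiltered class that handles every change type
        # claims all entries under its base DN, so later classes there are dead.
        if early.get("include-filter") or not all(early.get(f, True) for f in SYNC_FLAGS):
            continue
        for late in ordered[i + 1:]:
            if at_or_below(late.get("include-base-dn", ""), early.get("include-base-dn", "")):
                findings.append(("shadowed", early["name"], late["name"]))
    for c in ordered:
        # -all- maps every source attribute before SCIM 2.0 mapping narrows it.
        if "-all-" in c.get("auto-mapped-source-attribute", []):
            findings.append(("maps-all-attributes", c["name"], None))
    return findings

PLANNED = [  # constructed sample input
    {"name": "User Class", "evaluation-order-index": 100,
     "include-base-dn": "ou=People,dc=example,dc=com",
     "auto-mapped-source-attribute": ["-all-"]},
    {"name": "Contractor Class", "evaluation-order-index": 200,
     "include-base-dn": "ou=Contractors,ou=People,dc=example,dc=com",
     "include-filter": "(employeeType=contractor)",
     "auto-mapped-source-attribute": ["uid", "cn", "mail"]},
    {"name": "Group Class", "evaluation-order-index": 200,
     "include-base-dn": "ou=Groups,dc=example,dc=com",
     "auto-mapped-source-attribute": ["cn", "member"]},
]
print(lint_sync_classes(PLANNED))
```

A shadowed finding means the narrower class needs a lower index than the broader one, or the broader class needs an include-filter.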