PingDirectory

Configuring one way synchronization from Active Directory to PingDirectory

Configure a one-way Sync Pipe with the Active Directory (AD) topology as the sync source and a PingDirectory server topology as the Sync Destination.

About this task

Syncing from AD-LDS to PingDirectory is supported for all features except password syncing.

If you are syncing the lockoutTime, userAccountControl & (ACCOUNTDISABLE == 2), or pwdLastSet AD attributes, or the AD-LDS ms-DS-User-Account-Disabled attribute, see Synchronizing Active Directory with PingDirectory.

The Password Sync Agent cannot be pointed at multiple domain clusters.

Steps

  1. From the server-root directory, start PingDataSync.

    $ <server-root>/bin/start-server
  2. To set up the initial synchronization topology, run the sync tool.

    $ bin/create-sync-pipe-config
  3. In the Create Initial Synchronization Configuration menu, press Enter to continue the configuration.

  4. In the Synchronization Mode menu, press Enter to accept the default option 1 for Standard mode.

  5. In the Synchronization Direction menu, press Enter to accept the default option 1 for One way.

  6. In the Source Endpoint Type menu, enter option 7 for Microsoft Active Directory.

  7. In the Source Endpoint Name menu, enter a name for the Microsoft AD source server, or press Enter to accept the default value of Microsoft Active Directory Source.

  8. In the <Source Server> Server Security menu, press Enter to accept the default option 1 for SSL security.

  9. In the <Source Server> Servers menu, enter the host name and listener port for Lightweight Directory Access Protocol (LDAP) communication with the source server in the format of <host name>:<port number> and press Enter.

    The PingDataSync server attempts a connection to the AD source server. After adding the first server, you can add additional servers for the source endpoint; they are prioritized below the first server.

  10. When you have finished adding servers, press Enter to continue to the next configuration step.

  11. In the Synchronization User Account for <Source Server> menu, enter a user account distinguished name (DN) for the source servers, or press Enter to accept the default value.

    This account is used exclusively by the PingDataSync server to communicate with the source external servers.

  12. Enter a password for the synchronization user account and press Enter.

    The User Account DN password must meet the minimum password requirements for AD domains.

  13. In the Destination Endpoint Type menu, press Enter to select the default option 1 for Ping Identity Directory Server.

  14. In the Destination Endpoint Name menu, enter a name for your destination endpoint, or press Enter to select the default value, Ping Identity Directory Server Destination.

  15. In the Base DNs for <Endpoint Server> menu, enter a base DN where synchronized entries can be found in your endpoint server, or press Enter to accept the default value.

    After your initial entry, you can add additional base DNs by following the prompts.

  16. When you have finished entering base DNs for synchronized entries, press Enter to continue the configuration.

  17. In the <Endpoint Server> Server Security menu, enter the option for the type of security that the Sync Server will use in communication with the endpoint server and press Enter.

  18. In the <Endpoint Server> Servers menu, enter the host name and port for LDAP communication in the format of <host name>:<port number> and press Enter.

    The PingDataSync server attempts a connection to the destination PingDirectory server endpoint. After adding the first server, you can add additional servers for the destination endpoints that will be prioritized below the first server.

  19. When you have finished adding servers, press Enter to continue to the next configuration step.

  20. In the Synchronization User Account for <Endpoint Server> menu, enter a DN for the synchronization user account that will be used in communication with external servers, or press Enter to accept the default value, [cn=Sync User,cn=Root DNs,cn=config].

  21. Enter a password for the synchronization user account and press Enter.

  22. In the Prepare Server <Source Server> menu, press Enter to accept the default option 1 for Yes to prepare the source server for synchronization.

  23. In the Prepare Server <Endpoint Server> menu, press Enter to accept the default option 1 for Yes to prepare the endpoint server for synchronization.

  24. In the Sync Pipe Name menu, enter a name for the Sync Pipe from the source server (AD) to the endpoint server (PingDirectory server), or press Enter to select the default value, Microsoft_Active_Directory_Source_to_Ping_Identity_Directory_Server_Destination.

  25. In the Pre-configured Sync Class Configuration for Active Directory Sync Source menu, follow the prompts to create the basic sync classes and attribute mappings needed to synchronize user accounts, user passwords, and groups to and from AD.

    1. To synchronize user Create, Modify, and Delete operations from AD, follow the prompts.

    2. Enter the object class for user entries at the endpoint, or press Enter to accept the default value, inetOrgPerson.

    3. To configure which password policy state attributes to synchronize, follow the prompts.

      For more information on the AD to PingDirectory password policy state attribute mappings, see Synchronizing Active Directory with PingDirectory.

      For the referenced password policy state attributes, AD is treated as the authoritative source, because synchronization from PingDirectory to AD is not supported for those attributes.

      The password policy in PingDirectory must match the password policy in AD. For example, the lockout-failure-count in PingDirectory must match the account lockout threshold in AD.

    4. To create a DN map for users in the sync pipe, enter yes and press Enter. To not create a DN map, press Enter to accept the default option, no.

    5. Review the list of basic mappings set up for synchronized user entries and follow the prompts to add any additional attribute mappings. Press Enter to continue.

    6. To synchronize group Create, Modify, and Delete operations from AD, follow the prompts.

  26. In the Sync Pipe Sync Class Definitions menu, either press Enter to accept the Microsoft Active Directory Source Users Sync Class, or enter a value and press Enter to create a new sync class name.

  27. Review the Configuration Summary and press Enter to write the configuration file as displayed.

    Result:

    The server writes the configuration file to a dsconfig batch file.

  28. To apply the configuration changes to the local PingDataSync server, press Enter. (If you don’t want to apply the changes, enter no and press Enter.)

Synchronizing Active Directory with PingDirectory

When you use the create-sync-pipe-config tool to configure a one-way sync from AD or AD-LDS to PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.

The following table shows these three attributes, the intermediate attribute that is formed between PingDirectory and AD (or AD-LDS), and the extended operation type used by the PingDirectory server to apply the change.

AD and AD-LDS attribute: lockoutTime
  Intermediate attribute: pwdAccountLockedTimeFromAD
  PingDirectory attribute: pwdAccountLockedTime
  PasswordPolicyStateOperation opType: OP_TYPE_SET_AUTH_FAILURE_TIMES

AD and AD-LDS attribute: userAccountControl & (ACCOUNTDISABLE == 2)
  In AD-LDS, the corresponding attribute is ms-DS-User-Account-Disabled.
  Intermediate attribute: ds-pwp-account-disabled-from-ad
  PingDirectory attribute: ds-pwp-account-disabled
  PasswordPolicyStateOperation opType: OP_TYPE_SET_ACCOUNT_DISABLED_STATE

AD and AD-LDS attribute: pwdLastSet
  Intermediate attribute: pwdChangedTimeFromAD
  PingDirectory attribute: pwdChangedTime
  PasswordPolicyStateOperation opType: OP_TYPE_SET_PW_CHANGED_TIME

Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don’t exist on either the AD server or on the PingDirectory server.
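The table names the attributes and opTypes but not what the value conversion between the two directories has to deal with. The following Python is an added illustration, not PingDataSync or PingDirectory code and not how the server implements the mapping internally: AD stores lockoutTime and pwdLastSet as Windows FILETIME values (100-nanosecond ticks since 1601-01-01T00:00:00Z) while pwdAccountLockedTime and pwdChangedTime are LDAP GeneralizedTime, and the disabled flag is a bit in userAccountControl in AD but a Boolean attribute (ms-DS-User-Account-Disabled) in AD-LDS. The function names and the SAMPLE_* entries are constructed for the example; the opType and attribute names are the ones from the table.

```python
"""Illustration of the three AD -> PingDirectory password policy state mappings.

Added example, not PingDataSync or PingDirectory code: the real mapping is done
inside PingDataSync through in-memory intermediate attributes and applied with
the PasswordPolicyStateOperation opTypes listed in the table. The functions,
the SAMPLE_* entries and the value conversions below are constructed to show
what each mapping has to handle.
"""
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime and pwdLastSet as Windows FILETIME: 100-nanosecond ticks
# since 1601-01-01T00:00:00Z. PingDirectory's pwdAccountLockedTime and
# pwdChangedTime use LDAP GeneralizedTime (YYYYMMDDHHMMSS.fffZ).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # the userAccountControl bit written as "ACCOUNTDISABLE == 2"


def filetime_to_generalized_time(filetime: int) -> str:
    """Convert a positive FILETIME to GeneralizedTime with millisecond precision."""
    if filetime <= 0:
        raise ValueError("FILETIME must be positive")
    # datetime resolves to microseconds, so drop the last (100-ns) digit.
    when = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return when.strftime("%Y%m%d%H%M%S") + f".{when.microsecond // 1000:03d}Z"


def map_lockout_time(lockout_time: int):
    """lockoutTime -> pwdAccountLockedTime. AD uses 0 for 'not locked out',
    so only a non-zero value yields a PingDirectory attribute value."""
    return None if lockout_time == 0 else filetime_to_generalized_time(lockout_time)


def map_pwd_last_set(pwd_last_set: int):
    """pwdLastSet -> pwdChangedTime. AD uses 0 for 'must change password at
    next logon', which carries no timestamp, so it maps to no value."""
    return None if pwd_last_set == 0 else filetime_to_generalized_time(pwd_last_set)


def map_account_disabled(entry: dict) -> str:
    """userAccountControl bit 2 (AD) or ms-DS-User-Account-Disabled (AD-LDS)
    -> ds-pwp-account-disabled. LDAP Boolean values are case-insensitive."""
    if "ms-DS-User-Account-Disabled" in entry:
        disabled = entry["ms-DS-User-Account-Disabled"].upper() == "TRUE"
    else:
        disabled = bool(int(entry.get("userAccountControl", "0")) & ACCOUNTDISABLE)
    return "true" if disabled else "false"


def map_ad_password_state(entry: dict) -> list:
    """Return the password policy state changes implied by an AD or AD-LDS
    entry as (opType, PingDirectory attribute, value) tuples, one per table row."""
    ops = []
    locked = map_lockout_time(int(entry.get("lockoutTime", "0")))
    if locked is not None:
        ops.append(("OP_TYPE_SET_AUTH_FAILURE_TIMES", "pwdAccountLockedTime", locked))
    ops.append(("OP_TYPE_SET_ACCOUNT_DISABLED_STATE", "ds-pwp-account-disabled",
                map_account_disabled(entry)))
    changed = map_pwd_last_set(int(entry.get("pwdLastSet", "0")))
    if changed is not None:
        ops.append(("OP_TYPE_SET_PW_CHANGED_TIME", "pwdChangedTime", changed))
    return ops


# Constructed sample entries, with attribute values as strings as LDAP returns them.
# 133485408000000000 ticks = 2024-01-01T00:00:00Z; 133444736005000000 = 2023-11-14T22:13:20.5Z.
SAMPLE_AD_ENTRY = {
    "lockoutTime": "133485408000000000",
    "userAccountControl": "514",      # NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2)
    "pwdLastSet": "133444736005000000",
}
SAMPLE_ADLDS_ENTRY = {
    "lockoutTime": "0",               # not locked out
    "ms-DS-User-Account-Disabled": "FALSE",
    "pwdLastSet": "0",                # must change password at next logon
}

if __name__ == "__main__":
    for name, entry in (("AD", SAMPLE_AD_ENTRY), ("AD-LDS", SAMPLE_ADLDS_ENTRY)):
        print(name)
        for op_type, attr, value in map_ad_password_state(entry):
            print(f"  {op_type:<36} {attr} = {value}")
```

Two details in the example matter in practice: a zero lockoutTime or pwdLastSet is a sentinel in AD, not a timestamp, so a naive FILETIME conversion would write 1601-01-01 into PingDirectory; and the same disabled state arrives as a bitmask from AD but as a Boolean from AD-LDS, which is why the table lists both source attributes for a single PingDirectory attribute.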

modifies-as-creates

By default, the modifies-as-creates sync class property is set to false.

Active Directory attributes might not be synchronized as expected when all of the following are true:

  • You are using the realtime-sync tool.

  • The modifies-as-creates sync class property is set to true.

  • A modification is detected on the source endpoint to a missing entry on the destination endpoint.

  • The modification is to attributes other than the three AD password policy state attributes previously mentioned.

To avoid this known issue, run the resync tool instead of the realtime-sync tool for such entries. resync copies all attributes correctly. For more information, see The resync command.