Configuring one way synchronization from Active Directory to PingDirectory
Configure a one-way Sync Pipe with the Active Directory (AD) topology as the sync source and a PingDirectory server topology as the Sync Destination.
About this task
Syncing from AD-LDS to PingDirectory is supported for all features except password syncing.
If you are syncing the
The Password Sync Agent cannot be pointed at multiple domain clusters.
Steps
1. From the server-root directory, start PingDataSync.
   $ <server-root>/bin/start-server
2. To set up the initial synchronization topology, run the create-sync-pipe-config tool.
   $ bin/create-sync-pipe-config
3. In the Create Initial Synchronization Configuration menu, press Enter to continue the configuration.
4. In the Synchronization Mode menu, press Enter to accept the default option 1 for Standard mode.
5. In the Synchronization Direction menu, press Enter to accept the default option 1 for One way.
6. In the Source Endpoint Type menu, enter option 7 for Microsoft Active Directory.
7. In the Source Endpoint Name menu, enter a name for the Microsoft AD source server, or press Enter to accept the default value of Microsoft Active Directory Source.
8. In the <Source Server> Server Security menu, press Enter to accept the default option 1 for SSL security.
9. In the <Source Server> Servers menu, enter the host name and listener port for Lightweight Directory Access Protocol (LDAP) communication with the source server in the format <host name>:<port number> and press Enter. The PingDataSync server attempts a connection to the AD source server. After adding the first server, you can add additional servers for the source endpoint; these are prioritized below the first server.
10. When you have finished adding servers, press Enter to continue to the next configuration step.
11. In the Synchronization User Account for <Source Server> menu, enter a user account distinguished name (DN) for the source servers, or press Enter to accept the default value. This account is used exclusively by the PingDataSync server to communicate with the source external servers.
12. Enter a password for the synchronization user account and press Enter. The password for this user account DN must meet the minimum password requirements of the AD domain.
13. In the Destination Endpoint Type menu, press Enter to select the default option 1 for Ping Identity Directory Server.
14. In the Destination Endpoint Name menu, enter a name for your destination endpoint, or press Enter to select the default value, Ping Identity Directory Server Destination.
15. In the Base DNs for <Endpoint Server> menu, enter a base DN under which synchronized entries can be found in your endpoint server, or press Enter to accept the default value. After your initial entry, you can add additional base DNs by following the prompts.
16. When you have finished entering base DNs for synchronized entries, press Enter to continue the configuration.
17. In the <Endpoint Server> Server Security menu, enter the option for the type of security that the PingDataSync server will use to communicate with the endpoint server and press Enter.
18. In the <Endpoint Server> Servers menu, enter the host name and port for LDAP communication in the format <host name>:<port number> and press Enter. The PingDataSync server attempts a connection to the destination PingDirectory server endpoint. After adding the first server, you can add additional servers for the destination endpoint; these are prioritized below the first server.
19. When you have finished adding servers, press Enter to continue to the next configuration step.
20. In the Synchronization User Account for <Endpoint Server> menu, enter a DN for the synchronization user account that will be used to communicate with the external servers, or press Enter to accept the default value, cn=Sync User,cn=Root DNs,cn=config.
21. Enter a password for the synchronization user account and press Enter.
22. In the Prepare Server <Source Server> menu, press Enter to accept the default option 1 for Yes to prepare the source server for synchronization.
23. In the Prepare Server <Endpoint Server> menu, press Enter to accept the default option 1 for Yes to prepare the endpoint server for synchronization.
24. In the Sync Pipe Name menu, enter a name for the Sync Pipe from the source server (AD) to the endpoint server (PingDirectory server), or press Enter to select the default value, Microsoft_Active_Directory_Source_to_Ping_Identity_Directory_Server_Destination.
25. In the Pre-configured Sync Class Configuration for Active Directory Sync Source menu, follow the prompts to create the basic sync classes and attribute mappings needed to synchronize user accounts, user passwords, and groups from AD.
   a. To synchronize user Create, Modify, and Delete operations from AD, follow the prompts.
   b. Enter the object class for user entries at the endpoint, or press Enter to accept the default value, inetOrgPerson.
   c. To configure which password policy state attributes to synchronize, follow the prompts. For more information on the AD to PingDirectory password policy state attribute mappings, see Synchronizing Active Directory with PingDirectory. For these password policy state attributes, AD is treated as the authoritative source, because synchronization from PingDirectory to AD is not supported for them. The password policy in PingDirectory must match the password policy in AD. For example, lockout-failure-count in PingDirectory must match the account lockout threshold in AD; otherwise an account that AD has locked after repeated failures can still authenticate against PingDirectory, or vice versa.
   d. To create a DN map for users in the sync pipe, enter yes and press Enter. To skip the DN map, press Enter to accept the default option, no.
   e. Review the list of basic mappings set up for synchronized user entries and follow the prompts to add any additional attribute mappings. Press Enter to continue.
   f. To synchronize group Create, Modify, and Delete operations from AD, follow the prompts.
26. In the Sync Pipe Sync Class Definitions menu, either press Enter to accept Microsoft Active Directory Source Users Sync Class, or enter a value and press Enter to create a new sync class name.
27. Review the Configuration Summary and press Enter to write the configuration file as displayed.
   Result: The server writes the configuration to a dsconfig batch file.
28. To apply the configuration changes to the local PingDataSync server, press Enter. (If you don't want to apply the changes, enter no and press Enter.)
Synchronizing Active Directory with PingDirectory
When you use the create-sync-pipe-config tool to configure AD or AD-LDS as the source of a one-way sync to PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.
The following table shows these three attributes, the intermediate attribute that is formed between PingDirectory and AD (or AD-LDS), and the extended operation type that the PingDirectory server uses to apply the change.
AD and AD-LDS attribute | Intermediate attribute | PingDirectory attribute | PasswordPolicyStateOperation opType
---|---|---|---
Intermediate attributes exist only in memory on the PingDataSync server, where attribute mappings consume them. They don't exist on the AD server or on the PingDirectory server.
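The page requires that the PingDirectory password policy match the AD domain policy (for example, lockout-failure-count against the AD account lockout threshold) because AD is authoritative for the synchronized password policy state. The script below is an added example, not Ping Identity code: it translates the raw AD domain-object values into the PingDirectory settings they correspond to, emits the dsconfig command that would align a policy, and reports which properties of an existing policy disagree. It assumes the standard AD domain attributes (lockoutThreshold, lockoutDuration, lockOutObservationWindow, maxPwdAge), and the PingDirectory property names other than lockout-failure-count (lockout-duration, lockout-failure-expiration-interval, max-password-age), together with the meaning of "0 s", are assumptions taken from the dsconfig password-policy object rather than from this page. The AD and PingDirectory values shown are constructed samples.

```python
"""Derive PingDirectory password-policy settings that match an AD domain's lockout and
expiry settings, and check an existing policy against them.

Added example, not Ping Identity code. The AD attribute names are the standard
domain-object attributes; the PingDirectory property names other than
lockout-failure-count, and the meaning of "0 s", are assumptions about the dsconfig
password-policy object and are not stated on the page.
"""
from dataclasses import dataclass

TICKS_PER_SECOND = 10_000_000   # AD intervals are negative counts of 100 ns ticks
AD_NEVER = -(2 ** 63)           # int64 minimum: "never" in AD interval attributes

# Constructed sample of what an LDAP read of the domain NC head returns:
# lockoutDuration and lockOutObservationWindow = 30 minutes, maxPwdAge = 42 days.
AD_SAMPLE = {
    "lockoutThreshold": "5",
    "lockoutDuration": "-18000000000",
    "lockOutObservationWindow": "-18000000000",
    "maxPwdAge": "-36288000000000",
}

# Constructed sample of a PingDirectory policy as dsconfig would show it: the
# durations agree with AD (different units), but the failure count does not.
PD_CURRENT_SAMPLE = {
    "lockout-failure-count": "3",
    "lockout-duration": "1800 s",
    "lockout-failure-expiration-interval": "30 minutes",
    "max-password-age": "6 w",
}

PD_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ad_interval_to_seconds(raw):
    """Convert an AD interval (non-positive 100 ns ticks) to seconds; None means 'never'."""
    raw = int(raw)
    if raw == AD_NEVER:
        return None
    if raw > 0:
        raise ValueError("AD interval attributes are stored as non-positive values")
    return -raw // TICKS_PER_SECOND


def to_pd_duration(seconds):
    """Render seconds as the 'N unit' form dsconfig accepts, using the largest exact unit.
    None (AD 'never') becomes '0 s', which is assumed to mean no expiry for
    max-password-age and a lockout held until an administrator clears it."""
    if not seconds:
        return "0 s"
    for unit in ("d", "h", "m"):
        if seconds % PD_UNITS[unit] == 0:
            return f"{seconds // PD_UNITS[unit]} {unit}"
    return f"{seconds} s"


def pd_duration_to_seconds(text):
    """Parse a PingDirectory duration such as '30 m', '1800 s' or '6 weeks' (whole seconds)."""
    value, unit = text.split()
    if unit.startswith("ms"):
        raise ValueError("sub-second durations are not comparable with AD policy values")
    return int(value) * PD_UNITS[unit[0]]


@dataclass(frozen=True)
class PdPolicy:
    lockout_failure_count: int
    lockout_duration: str
    lockout_failure_expiration_interval: str
    max_password_age: str


def map_ad_policy(ad):
    """Translate raw AD domain attribute values into the matching PingDirectory settings.
    lockoutThreshold 0 (AD: no lockout) maps to lockout-failure-count 0 (PD: no lockout)."""
    return PdPolicy(
        lockout_failure_count=int(ad["lockoutThreshold"]),
        lockout_duration=to_pd_duration(ad_interval_to_seconds(ad["lockoutDuration"])),
        lockout_failure_expiration_interval=to_pd_duration(
            ad_interval_to_seconds(ad["lockOutObservationWindow"])),
        max_password_age=to_pd_duration(ad_interval_to_seconds(ad["maxPwdAge"])),
    )


def as_dsconfig_props(policy):
    """dsconfig property names and string values for set-password-policy-prop."""
    return {
        "lockout-failure-count": str(policy.lockout_failure_count),
        "lockout-duration": policy.lockout_duration,
        "lockout-failure-expiration-interval": policy.lockout_failure_expiration_interval,
        "max-password-age": policy.max_password_age,
    }


def dsconfig_command(policy, policy_name="Default Password Policy"):
    """Build the dsconfig command that aligns a PingDirectory policy with the AD values."""
    sets = " ".join(f'--set {k}:"{v}"' for k, v in as_dsconfig_props(policy).items())
    return f'dsconfig set-password-policy-prop --policy-name "{policy_name}" {sets}'


def check_alignment(ad, pd_current):
    """Return the PingDirectory properties whose value disagrees with AD (empty = aligned).
    Durations are compared in seconds, so '30 m' and '1800 s' count as equal."""
    mismatches = []
    for prop, want in as_dsconfig_props(map_ad_policy(ad)).items():
        have = pd_current.get(prop)
        if have is None:
            mismatches.append(prop)
        elif prop == "lockout-failure-count":
            if int(have) != int(want):
                mismatches.append(prop)
        elif pd_duration_to_seconds(have) != pd_duration_to_seconds(want):
            mismatches.append(prop)
    return mismatches


if __name__ == "__main__":
    print(dsconfig_command(map_ad_policy(AD_SAMPLE)))
    print("properties to fix:", check_alignment(AD_SAMPLE, PD_CURRENT_SAMPLE))
```

Run it before configuring the password policy state mappings in step 25c: feed it the real values read from the domain object and from dsconfig get-password-policy-prop, and fix every property it lists, since a mismatch means one side will keep accepting a password the other side has locked out or expired.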
modifies-as-creates
By default, the modifies-as-creates sync class property is set to false.
Active Directory attributes might not be synchronized as expected when all of the following are true:
- You are using the realtime-sync tool.
- The modifies-as-creates sync class property is set to true.
- A modification is detected on the source endpoint to an entry that is missing on the destination endpoint.
- The modification is to attributes other than the three AD password policy state attributes previously mentioned.
To avoid this known issue, run the resync tool instead of the realtime-sync tool. resync correctly copies all attributes. For more information, see The resync command.