PingDirectory

Mapping AD password policy state attributes to PingDirectory using dsconfig

If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use the dsconfig command to map these attributes instead of re-running the sync command.

About this task

To map AD password policy state attributes to PingDirectory attributes:

Steps

  • Run dsconfig with the create-attribute-mapping option.

    Example:

    The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

    dsconfig create-attribute-mapping \
    	--map-name "<Microsoft Active Directory Users Attribute Map>" \
    	--mapping-name pwdAccountLockedTime \
    	--type direct \
    	--set from-attribute:pwdAccountLockedTimeFromAD

    Example:

    The following example maps the ACCOUNTDISABLE flag (bit value 2) of the AD attribute userAccountControl to the PingDirectory attribute ds-pwp-account-disabled.

    dsconfig create-attribute-mapping \
    	--map-name "<Microsoft Active Directory Users Attribute Map>" \
    	--mapping-name ds-pwp-account-disabled \
    	--type direct \
    	--set from-attribute:ds-pwp-account-disabled-from-ad

    Example:

    The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

    dsconfig create-attribute-mapping \
    	--map-name "<Microsoft Active Directory Users Attribute Map>" \
    	--mapping-name pwdChangedTime \
    	--type direct \
    	--set from-attribute:pwdChangedTimeFromAD

    For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.
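The three mappings above imply a value translation between AD and PingDirectory. The following added example (not Ping Identity code, and not how the sync server implements it) shows that translation so you can spot-check synchronized entries. The function names, the sample entry, and the millisecond-precision generalized time output format are assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime and pwdLastSet as FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # bit value 2 of userAccountControl


def filetime_to_generalized_time(value):
    """Convert an AD FILETIME to LDAP generalized time, or None if unset.

    A value of 0 means "not locked out" for lockoutTime and "must change
    password at next logon" for pwdLastSet, so no timestamp is produced.
    """
    ticks = int(value)
    if ticks <= 0:
        return None
    moment = AD_EPOCH + timedelta(microseconds=ticks // 10)
    millis = moment.microsecond // 1000
    return moment.strftime("%Y%m%d%H%M%S") + f".{millis:03d}Z"


def account_disabled(user_account_control):
    """Return the boolean string for ds-pwp-account-disabled."""
    disabled = int(user_account_control) & ACCOUNTDISABLE
    return "true" if disabled else "false"


def map_password_state(ad_entry):
    """Translate AD values into the PingDirectory attributes on this page."""
    mapped = {
        "ds-pwp-account-disabled": account_disabled(ad_entry["userAccountControl"])
    }
    pairs = (("lockoutTime", "pwdAccountLockedTime"),
             ("pwdLastSet", "pwdChangedTime"))
    for ad_attr, pd_attr in pairs:
        converted = filetime_to_generalized_time(ad_entry.get(ad_attr, "0"))
        if converted is not None:
            mapped[pd_attr] = converted
    return mapped


# Constructed sample: a disabled (512 + 2), unlocked account whose
# password was last set at 2024-01-01 00:00:00 UTC.
SAMPLE = {"userAccountControl": "514", "lockoutTime": "0",
          "pwdLastSet": "133485408000000000"}

if __name__ == "__main__":
    print(map_password_state(SAMPLE))
```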