PingDirectory

Overview of configuration tasks

PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This section describes the configuration tasks that are necessary to synchronize changes to Active Directory systems. To view an example configuration, see the file located in the <server-root>/config/sample-dsconfig-batch-files/reference-bidirectional-sync-activedirectory-pingdirectory.dsconfig directory.

Enable SSL connections

If you are synchronizing passwords between systems, Active Directory systems require that SSL be enabled on the Active Directory domain controller, so that PingDataSync can securely propagate the cn=Sync User account password and other user passwords to the target.

Run the create-sync-pipe-config tool

On the PingDataSync server, use the create-sync-pipe-config tool to configure the Sync Pipes to communicate with the Active Directory source or target.

Configure outbound password synchronization on an PingDirectory Server Sync Source

After running the create-sync-pipe-config tool, determine if outbound password synchronization from a PingDirectory server Sync Source is required. If so, enable the Password Encryption component on all PingDirectory server sources that receive password modifications. The PingDirectory server uses the Password Encryption component to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the Active Directory system, which uses a different password storage scheme. The encrypted attribute appears in the change log and is synchronized to the other servers, but does not appear in the entries.

Configure outbound password synchronization on an Active Directory Sync Source

After running the create-sync-pipe-config tool, determine if outbound password synchronization from an Active Directory Sync Source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync.

Run the realtime-sync set-startpoint tool

The realtime-sync set-startpoint command can take several minutes to run, because it must issue repeated searches of the Active Directory domain controller until it has paged through all the changes and received a cookie that is up-to-date. NOTE: If the Password Sync Agent is down for any length of time and misses a password change, these changes will not be synced on recovery without either a new password change for the entry or the use of pass-through authentication. The Password Sync Agent cannot be pointed at multiple domain clusters.