Syncing passwords to PingOne
To sync passwords with PingOne, the PingDirectory server maps the userPassword attribute to the password attribute through a direct attribute mapping. (IBM Security Directory and the IBM Tivoli Directory servers return the userPassword attribute value as userPassword;binary.)
About this task
To sync passwords from the PingDirectory server to PingOne:
Steps
- To create a direct attribute mapping, run the following.

    dsconfig create-attribute-mapping \
      --map-name PingDirectory_to_PingOne_User_Map \
      --mapping-name password \
      --type direct \
      --set from-attribute:userPassword

  The PingDataSync server can synchronize either passwords that PingDirectory server has encrypted or a hashed version of the password, depending on how an administrator chooses to store passwords on PingDirectory server.
- To sync passwords from a generic relational database management system (RDBMS), create a direct attribute mapping with the from-attribute being whichever attribute the RDBMS uses to store the password. RDBMS passwords cannot be encrypted and should be hashed with a scheme that PingDirectory server recognizes.
The PingDataSync server cannot synchronize passwords between PingOne systems, because PingDataSync cannot retrieve passwords from PingOne.
Example:
In the following example, the RDBMS uses the dbPassword attribute to store the password.

  dsconfig create-attribute-mapping \
    --map-name Generic_RDBMS_to_PingOne_User_Map \
    --mapping-name password \
    --type direct \
    --set from-attribute:dbPassword
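
The requirement above that RDBMS passwords be hashed with a recognized scheme can be checked before the mapping is enabled. The following pre-sync audit is an added example, not part of the product documentation. It assumes stored values use a `{SCHEME}base64(digest || salt)` encoding, and the scheme names, digest sizes, minimum salt length and sample rows are illustrative assumptions to replace with your server's configuration.

```python
import base64
import binascii
import hashlib
import os
import re

# Assumption: illustrative scheme names and digest sizes; replace them with the
# password storage schemes actually enabled on your server.
ASSUMED_SCHEMES = {"SSHA256": 32, "SSHA512": 64}
MIN_SALT_BYTES = 8  # assumption: reject unsalted or short-salt values
ENCODED = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$")


def classify(value):
    """Return 'ok' or the reason a stored value should not be synchronized."""
    m = ENCODED.match(value or "")
    if not m:
        return "no scheme prefix (possible cleartext)"
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme not in ASSUMED_SCHEMES:
        return "unrecognized scheme " + scheme
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "payload is not valid base64"
    if len(raw) < ASSUMED_SCHEMES[scheme] + MIN_SALT_BYTES:
        return "payload too short for digest plus salt"
    return "ok"


def encode_ssha256(password, salt=None):
    """Build a constructed sample in the assumed {SSHA256} layout."""
    salt = salt or os.urandom(MIN_SALT_BYTES)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def audit(rows):
    """Map each user to the classification of its dbPassword value."""
    return {user: classify(value) for user, value in rows}


# Constructed sample rows standing in for (username, dbPassword) query results.
SAMPLE_ROWS = [
    ("alice", encode_ssha256("constructed-sample-1")),
    ("bob", "Summer2024!"),                  # cleartext, no prefix
    ("carol", "{MD5}Y29uc3RydWN0ZWQ="),      # scheme not in the allowlist
    ("dave", "{SSHA256}not base64!"),        # corrupted payload
]
```

Only the verdict is meant to be reported per row, so the audit output never needs to contain the stored password value itself.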