You can use an attribute mapping with a DN map to synchronize groups across server domains. In this task, a DN attribute mapping copies DN values from a source attribute directly into the target attribute, and a DN map translates the group DNs as they are copied. For more information on available attribute mappings, see About attribute mappings.

  1. Use dsconfig to configure a DN map between groups.

    This example involves mapping an Active Directory group to a PingDirectory group.

    $ bin/dsconfig --no-prompt create-dn-map \
      --map-name "AD-PD map" \
      --set "from-dn-pattern:*,**,dc=example,dc=com" \
      --set "to-dn-pattern:uid={1},{2},dc=example,dc=com" \
      --port 1389 \
      --bindDN "uid=admin,dc=example,dc=com" \
      --bindPassword secret

  2. Use the create-attribute-mapping command to create an attribute mapping.

    This example creates an attribute mapping from the member attribute in Active Directory to the member attribute in PingDirectory.

    $ bin/dsconfig --no-prompt create-attribute-mapping \
      --mapping-name "AD-PD attr mapping" \
      --dn-map "AD-PD map" \
      --type dn \
      --set "description:{member}>{member} attr mapping" \
      --set from-attribute:{member} \
      --set to-attribute:{member} \
      --port 1389 \
      --bindDN "uid=admin,dc=example,dc=com" \
      --bindPassword secret

    If you have not already configured a DN map between the source and destination groups, you can configure a map within the --dn-map option when creating the attribute mapping. The DN map object contains the syntax for mapping the source DN to the destination DN.

    Note:

    If you add specific attributes to the auto-mapped-source-attributes property in the sync class, those attributes will be automatically synced as long as their value formats do not change from the source to the destination server.
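
The step 1 command passes the bind password with --bindPassword, which places it in the process argument list and in shell history. The following wrapper is an added example, not part of the product documentation: it runs the same dsconfig subcommands with the password supplied through the --bindPasswordFile option instead. The DSCONFIG variable, the function names and the password file path are assumptions.

```shell
#!/bin/sh
# Added example: run the dsconfig steps without the bind password in argv.
# Assumed names: DSCONFIG, store_bind_password, password_file_is_private,
# run_dsconfig, and the password file path shown in the usage comment.
DSCONFIG=${DSCONFIG:-bin/dsconfig}

# Write the password read from stdin to a file that only its owner can access.
store_bind_password() {
    pw_file=$1
    if [ -L "$pw_file" ]; then
        echo "refusing to write through symlink: $pw_file" >&2
        return 1
    fi
    # Create or truncate under a restrictive umask, tighten the mode of a
    # pre-existing file, and only then write the secret.
    ( umask 077 && : > "$pw_file" ) && chmod 600 "$pw_file" && cat >> "$pw_file"
}

# Succeed only for a regular file with no group or other permission bits.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        -r[w-]-------) return 0 ;;
        *) echo "password file is accessible to other users: $1" >&2
           return 1 ;;
    esac
}

# run_dsconfig PW_FILE SUBCOMMAND [ARGS...]
# Appends the connection values from step 1, passing the password by file.
run_dsconfig() {
    pw_file=$1; shift
    password_file_is_private "$pw_file" || return 1
    "$DSCONFIG" --no-prompt "$@" \
        --port 1389 \
        --bindDN "uid=admin,dc=example,dc=com" \
        --bindPasswordFile "$pw_file"
}

# Usage (step 1 of the procedure):
#   store_bind_password "$HOME/.dsconfig.pw"   # type the password, then Ctrl-D
#   run_dsconfig "$HOME/.dsconfig.pw" create-dn-map \
#       --map-name "AD-PD map" \
#       --set "from-dn-pattern:*,**,dc=example,dc=com" \
#       --set "to-dn-pattern:uid={1},{2},dc=example,dc=com"
```

run_dsconfig refuses to start dsconfig when the password file is readable by group or other users, so a file whose mode was loosened later is caught before the bind is attempted.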