Overview of configuration tasks - PingDirectory - PingDataSync

Overview of configuration tasks - PingDirectory - PingDataSync - 10.0

PingDirectory 10.0

bundle

pingdirectory-100

ft:publication_title

PingDirectory 10.0

Product_Version_ce

PingDirectory 10.0 (Latest)

category

Product

pd-100

pingdirectory

ContentType_ce

PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This section describes the configuration tasks that are necessary to synchronize changes to Active Directory systems. To view an example configuration, see the file located in the <server-root>/config/sample-dsconfig-batch-files/reference-bidirectional-sync-activedirectory-pingdirectory.dsconfig directory.

Enable SSL connections: If you are synchronizing passwords between systems, Active Directory systems require that SSL be enabled on the Active Directory domain controller, so that PingDataSync can securely propagate the cn=Sync User account password and other user passwords to the target.
Run the create-sync-pipe-config tool: On the PingDataSync server, use the create-sync-pipe-config tool to configure the Sync Pipes to communicate with the Active Directory source or target.
Configure outbound password synchronization on an PingDirectory Server Sync Source: After running the create-sync-pipe-config tool, determine if outbound password synchronization from a PingDirectory server Sync Source is required. If so, enable the Password Encryption component on all PingDirectory server sources that receive password modifications. The PingDirectory server uses the Password Encryption component to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the Active Directory system, which uses a different password storage scheme. The encrypted attribute appears in the change log and is synchronized to the other servers, but does not appear in the entries.
Configure outbound password synchronization on an Active Directory Sync Source: After running the create-sync-pipe-config tool, determine if outbound password synchronization from an Active Directory Sync Source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync.
Run the realtime-sync set-startpoint tool: The realtime-sync set-startpoint command can take several minutes to run, because it must issue repeated searches of the Active Directory domain controller until it has paged through all the changes and received a cookie that is up-to-date.

Note: If the Password Sync Agent is down for any length of time and misses a password change, these changes will not be synced on recovery without either a new password change for the entry or the use of pass-through authentication. The Password Sync Agent cannot be pointed at multiple domain clusters.