PingDataSync supports full synchronization for newly created or modified accounts, with native password changes, between directory servers, relational databases, and Microsoft Active Directory (AD) systems.
Considerations
There are three key considerations when synchronizing between AD and PingDirectory:
- The realtime-sync tool
- The realtime-sync tool uses the AD DirSync control to detect changes on entries, which requires the control to be searched at the top of the directory information tree (DIT). Because of this, you must point your AD Sync Source to the top of the AD tree for realtime-sync to work.
- Distinguished name (DN) mapping
- The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be easily synchronized. For example, cn=Users is a container organizational unit (OU) that doesn't easily convert into a standard OU. Likewise, cn=Builtin is a top-level domain that also contains built-in groups that have no purpose in PingDirectory and don't need to be synchronized. To avoid synchronizing entries that are native and apply only to AD, point your Sync Classes at specific OUs.
- Schema and attribute mapping
- The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.
  The following attributes are among those that can be directly synchronized:
  - cn
  - sn
  - mail
  Other attributes, such as the AD attribute samAccountName, aren't defined in PingDirectory by default. If you don't define schema for such an attribute, you can map it to a similar attribute, such as the PingDirectory uid attribute. You should create attribute mappings for each attribute that you want to synchronize between AD and PingDirectory.
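The scoping and mapping considerations above, as an added Python illustration that is not PingDataSync code or configuration: it previews which AD entries fall under Sync Classes pointed at specific OUs, and how their DNs and attributes would land in PingDirectory. The domain, OU names, target base DN, and sample entries are constructed assumptions.

```python
import re

# Constructed values: the domain, OU names and target base are assumptions.
SOURCE_BASE = "DC=corp,DC=example,DC=com"   # top of the AD tree
TARGET_BASE = "dc=example,dc=com"           # hypothetical PingDirectory base DN
INCLUDED_OUS = ["OU=Employees," + SOURCE_BASE, "OU=Contractors," + SOURCE_BASE]
# target attribute -> AD source attribute (cn, sn, mail are direct)
ATTR_MAP = {"cn": "cn", "sn": "sn", "mail": "mail", "uid": "samaccountname"}

def split_dn(dn):
    """Split a DN into trimmed RDNs without breaking on backslash-escaped commas."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def norm(rdn_list):
    """Lowercase RDNs so DN comparison ignores case."""
    return [r.lower() for r in rdn_list]

def in_scope(dn):
    """True when dn sits below an included OU, compared RDN by RDN."""
    parts = norm(split_dn(dn))
    for ou in INCLUDED_OUS:
        base = norm(split_dn(ou))
        if len(parts) > len(base) and parts[-len(base):] == base:
            return True
    return False

def map_entry(dn, attrs):
    """Return (target_dn, target_attrs), or None for entries outside the included OUs."""
    if not in_scope(dn):
        return None
    # LDAP attribute names are case-insensitive (AD returns sAMAccountName).
    source = {name.lower(): value for name, value in attrs.items()}
    mapped = {t: source[s] for t, s in ATTR_MAP.items() if s in source}
    parts = split_dn(dn)
    kept = parts[:len(parts) - len(split_dn(SOURCE_BASE))]  # leaf RDN plus OU path
    return ",".join(kept + [TARGET_BASE]), mapped

# Constructed sample entries, shaped like AD search results.
SAMPLE = [
    ("CN=Smith\\, John,OU=Employees,DC=corp,DC=example,DC=com",
     {"cn": "Smith, John", "sn": "Smith", "mail": "jsmith@example.com", "sAMAccountName": "jsmith"}),
    ("CN=Administrator,CN=Users,DC=corp,DC=example,DC=com",
     {"cn": "Administrator", "sAMAccountName": "Administrator"}),
    ("CN=Administrators,CN=Builtin,DC=corp,DC=example,DC=com",
     {"cn": "Administrators", "sAMAccountName": "Administrators"}),
    ("cn=Pat Lee, ou=Contractors, dc=corp, dc=example, dc=com",
     {"cn": "Pat Lee", "sn": "Lee", "sAMAccountName": "plee"}),
]

if __name__ == "__main__":
    for dn, attrs in SAMPLE:
        print(dn, "->", map_entry(dn, attrs) or "skipped (outside included OUs)")
```

Entries under cn=Users and cn=Builtin are skipped even though the source is rooted at the top of the tree, and an entry without mail is still mapped with the attributes it has.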
Configuration information
For configuration information and procedures for synchronizing PingDirectory servers, or other LDAP source or target servers, with Microsoft AD systems, see the following:
- Overview of configuration tasks
- Configuring one way synchronization from Active Directory to PingDirectory
- Mapping AD password policy state attributes to PingDirectory using dsconfig
- Active Directory sync user account
- Preparing external servers
- Configuring sync pipes and sync classes
- Configuring password encryption
- Password Sync Agent