PingDataSync supports bidirectional synchronization between PingDirectory and Active Directory (AD). This section describes the configuration tasks that are necessary to synchronize changes to Active Directory systems. To view an example configuration, see the file <server-root>/config/sample-dsconfig-batch-files/reference-bidirectional-sync-activedirectory-pingdirectory.dsconfig.
- Enable SSL connections

  If you are synchronizing passwords between systems, Active Directory requires that SSL be enabled on the Active Directory domain controller, so that PingDataSync can securely propagate the cn=Sync User account password and other user passwords to the target.

- Run the create-sync-pipe-config tool

  On the PingDataSync server, use the create-sync-pipe-config tool to configure the Sync Pipes to communicate with the Active Directory source or target.

- Configure outbound password synchronization on a PingDirectory Server Sync Source

  After running the create-sync-pipe-config tool, determine whether outbound password synchronization from a PingDirectory server Sync Source is required. If so, enable the Password Encryption component on all PingDirectory server sources that receive password modifications. The PingDirectory server uses the Password Encryption component to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the Active Directory system, which uses a different password storage scheme. The encrypted attribute appears in the changelog and is synchronized to the other servers, but does not appear in the entries themselves.

- Configure outbound password synchronization on an Active Directory Sync Source

  After running the create-sync-pipe-config tool, determine whether outbound password synchronization from an Active Directory Sync Source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync.

- Run the realtime-sync set-startpoint tool

  The realtime-sync set-startpoint command can take several minutes to run, because it must issue repeated searches of the Active Directory domain controller until it has paged through all the changes and received a cookie that is up-to-date.
Note: If the Password Sync Agent is down for any length of time and misses a password change, these changes will not be synced on recovery without either a new password change for the entry or the use of pass-through authentication. The Password Sync Agent cannot be pointed at multiple domain clusters.
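A quick way to confirm that the Password Encryption component is actually intercepting password modifications on a PingDirectory source is to export a few cn=changelog entries and check that every userPassword change carries ds-changelog-encrypted-password; without it, the password cannot be propagated to Active Directory. The script below is an added example, not part of the product or this documentation; the changelog export it parses is constructed inline (the attribute names changeNumber, targetDN, changeType and changes follow the standard changelog entry schema, and the ciphertext value is a placeholder).

```python
import base64
import re

# Constructed sample changelog export, not real data: entry 101 was intercepted by
# the Password Encryption component, entry 102 was not, entry 103 changes no password.
_PW_MOD_B64 = base64.b64encode(b"replace: userPassword\nuserPassword: not-a-real-secret\n-\n").decode()
_MAIL_MOD_B64 = base64.b64encode(b"replace: mail\nmail: bwong@example.com\n-\n").decode()

def _entry(num, uid, changes_b64, encrypted=None):
    """Build one cn=changelog entry in LDIF (changes is base64 per the ':: ' convention)."""
    lines = [f"dn: changeNumber={num},cn=changelog", "objectClass: changeLogEntry",
             f"changeNumber: {num}", f"targetDN: uid={uid},ou=People,dc=example,dc=com",
             "changeType: modify", f"changes:: {changes_b64}"]
    if encrypted:  # placeholder ciphertext for the sample, not a real encrypted value
        lines.append(f"ds-changelog-encrypted-password: {encrypted}")
    return "\n".join(lines) + "\n"

SAMPLE_CHANGELOG_LDIF = "\n".join([
    _entry(101, "jdoe", _PW_MOD_B64, "CONSTRUCTED-CIPHERTEXT"),
    _entry(102, "asmith", _PW_MOD_B64),
    _entry(103, "bwong", _MAIL_MOD_B64),
])

def parse_ldif_entries(text):
    """Split LDIF into entries: dict of lowercased attribute -> [values], base64 decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = block.replace("\n ", "")  # unfold continuation lines
        entry = {}
        for m in re.finditer(r"^([^:\n]+)(::?) ?(.*)$", block, re.M):
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode()
            entry.setdefault(name, []).append(value)
        entries.append(entry)
    return entries

def unprotected_password_changes(ldif_text):
    """Return (changeNumber, targetDN) for modify entries that touch userPassword but
    carry no ds-changelog-encrypted-password, i.e. the Password Encryption component
    did not intercept them and the new password cannot be propagated to AD."""
    flagged = []
    for e in parse_ldif_entries(ldif_text):
        changes = "\n".join(e.get("changes", []))
        if (e.get("changetype", [""])[0] == "modify"
                and re.search(r"^userPassword:", changes, re.M | re.I)
                and "ds-changelog-encrypted-password" not in e):
            flagged.append((e["changenumber"][0], e["targetdn"][0]))
    return flagged
```

Run it against a real export (for example, the output of an ldapsearch under cn=changelog) in place of SAMPLE_CHANGELOG_LDIF; any entry it returns points at a source server where the component is not enabled or not in the password-modification path.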