Use the create-sync-pipe-config utility to configure a Sync Pipe. Once the configuration is completed, settings can be adjusted using the dsconfig tool.


If servers have no base entries or data, the cn=Sync User,cn=Root DNs,cn=config account needed to communicate cannot be created. Make sure that base entries are created on the destination servers.

If synchronizing pre-encoded passwords to a Ping PingDirectory Server destination, allow pre- encoded passwords in the default password policy. Configure password encryption must also be configured on the destination. Be sure that the password encryption algorithm is supported by both source and destination servers with the following command:

$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set allow-pre-encoded-passwords:true

Encrypted and clear-text passwords can be synchronized by configuring the Sync Destination password-synchronization-format, and require-secure-connection-for-clear-text-passwords properties.


The require-secure-connection-for-clear-text-passwords property can be set to false when working in a test environment. If the password-synchronization-format property is set to clear-text, and require-secure-connection-for-clear-text-passwords property is set to true, the connection must be secure. If a secure connection is not available, an error is generated and the password is not synchronized.

Perform the following steps to configure PingDataSync Server by using create-sync-pipe-config:

  1. Start PingDataSync Server.
    $ <server-root>/bin/start-server
  2. From the bin directory,run the create-sync-pipe-config tool.
  3. On the Initial Synchronization Configuration Tool menu, press Enter (yes) to continue the configuration.
  4. On the Synchronization Mode menu, press Enter to select Standard Mode.
  5. On the Synchronization Directory menu, select oneway(1) or bidirectional(2) for the synchronization topology. This example assumes bidirectional synchronization.
  6. On the Source Endpoint Type menu, select the directory or database server for the first endpoint.
  7. On the Source Endpoint Name menu, type a name for the endpoint server, or press Enter to accept the default.
  8. On the Base DNs menu, type the base DN on the first endpoint topology where the entries will be searched. In this example, (dc=example,dc=com) is used.
  9. Select an option for the server security.
  10. Type the host name and listener port number for the source server, or accept the default. Make sure that the endpoint servers are online and running.
  11. Enter another server host and port, or press Enter to continue.
  12. Enter the SyncUser account DN for the endpoint servers, or press Enter to accept the default (cn=Sync User,cn=RootDNs,cn=config).
  13. Enter and confirm a password for this account.
  14. The servers in the destination endpoint topology can now be configured. Repeat steps 6– 13 to configure the second server.
  15. Define the maximum age of changelog log entries, or press Enter to accept the default.
  16. After the source and destination topologies are configured, PingDataSync Server will "prepare" each external server by testing the connection to each server. This step determines if each account has the necessary privileges (root privileges are required) to communicate with and transfer data to each endpoint during synchronization.
  17. Create a name for the Sync Pipe on the Sync Pipe Name menu, or press Enter to accept the default. Because this configuration is bidirectional, the following step is setting up a Sync Pipe path from the source endpoint to the destination endpoint. A later step will define another Sync Pipe from the PingDirectory Server to another server.
  18. On the SyncClass Definitions menu, type Yes to create a custom Sync Class. A Sync Class defines the operation types (creates, modifies, or deletes), attributes that are synchronized, how attributes and DNs are mapped, and how source and destination entries are correlated.
  19. Enter a name for the new Sync Class, such as "server1_to_server2."
  20. On the Base DNs for Sync Class menu, enter one or more base DNs to synchronize specific subtrees of a DIT. Entries outside of the specified base DNs are excluded from synchronization. Make sure the base DNs do not overlap.
  21. On the Filters for Sync Class menu, define one or more LDAP search filters to restrict specific entries for synchronization, or press Enter to accept the default (no). Entries that do not match the filters will be excluded from synchronization.
  22. On the Synchronized Attributes for Sync Class menu, specify which attributes will be automatically mapped from one system to another. This example will exclude the source attribute (email) from being auto-mapped to the target servers.
  23. On the Operations for Sync Class menu, select the operations that will be synchronized for the Sync Class, or press Enter to accept the default (1,2,3).
  24. Define a default Sync Class that specifies how the other entries are processed, or press Enter to create a Sync Class called "Default Sync Class."
  25. On the Default Sync Class Operations menu, specify the operations that the default Sync Class will handle during synchronization, or press Enter to accept the default.
  26. Define a Sync Pipe going from the PingDirectory Server to the Sun Directory Server and exclude the mail attribute from being synchronized to the other endpoint servers.
  27. Review the Sync Pipe Configuration Summary, and press Enter to accept the default (write configuration), which records the commands in a batch file (<server- root>/sync-pipe-cfg.txt). The batch file can be re-used to set up other topologies.
Apply the configuration changes to the local PingDataSync Server instance by using a dsconfig batch file. Any Server SDK extensions, should be saved to the <server-root>/lib/extensions directory.

The next step will be to configure the attribute mappings using the dsconfig command.