Important:

If servers have no base entries or data, the cn=Sync User,cn=Root DNs,cn=config account needed to communicate cannot be created. Make sure that base entries are created on the destination servers.

If synchronizing pre-encoded passwords to a PingDirectory Server destination, allow pre-encoded passwords in the default password policy. You must also configure password encryption on the destination. Make sure that the password encryption algorithm is supported by both source and destination servers with the following command:

$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set allow-pre-encoded-passwords:true

Encrypted and clear-text passwords can be synchronized by configuring the sync destination password-synchronization-format, and require-secure-connection-for-clear-text-passwords properties.

Note:

You can set the require-secure-connection-for-clear-text-passwords property to false when working in a test environment.

If the password-synchronization-format property is set to clear-text, and require-secure-connection-for-clear-text-passwords property is set to true, the connection must be secure.

If a secure connection is not available, an error is generated and the password is not synchronized.

To configure PingDataSync with the create-sync-pipe-config command:

  1. Start PingDataSync:
    $ <server-root>/bin/start-server
  2. From the bin directory,run the create-sync-pipe-config tool:
    $bin/create-sync-pipe-config
  3. In the Initial Synchronization Configuration Tool menu, press Enter (yes) to continue the configuration.
  4. In the Synchronization Mode menu, press Enter to select Standard Mode.
  5. In the Synchronization Directory menu, select oneway(1) or bidirectional(2) for the synchronization topology.

    This example assumes bidirectional synchronization.

  6. In the Source Endpoint Type menu, select the directory or database server for the first endpoint.
  7. In the Source Endpoint Name menu, type a name for the endpoint server, or press Enter to accept the default.
  8. In the Base DNs menu, enter the base distinguished name (DN) on the first endpoint topology where the entries will be searched.

    For example, dc=example,dc=com.

  9. Select an option for the server security.
  10. Enter the host name and listener port number for the source server, or accept the default.

    Make sure that the endpoint servers are online and running.

  11. Enter another server host and port, or press Enter to continue.
  12. Enter the SyncUser account DN for the endpoint servers, or press Enter to accept the default (cn=Sync User,cn=RootDNs,cn=config).
  13. Enter and confirm a password for this account.

    You can now configure the servers in the destination endpoint topology.

  14. Repeat steps 6– 13 to configure the second server.
  15. Define the maximum age of changelog log entries, or press Enter to accept the default.

    After you configure the source and destination topologies, PingDataSync prepares each external server by testing the connection to each server. Step 15 determines if each account has the necessary privileges (root privileges are required) to communicate with and transfer data to each endpoint during synchronization.

  16. In the Sync Pipe Name menu, create a name for the Sync Pipe, or press Enter to accept the default.

    Because this configuration is bidirectional, the following step is setting up a Sync Pipe path from the source endpoint to the destination endpoint. A later step will define another Sync Pipe from the PingDirectory Server to another server.

  17. In the SyncClass Definitions menu, enter Yes to create a custom Sync Class.

    A Sync Class defines the operation types (creates, modifies, or deletes), attributes that are synchronized, how attributes and DNs are mapped, and how source and destination entries are correlated.

  18. Enter a name for the new Sync Class, such as server1_to_server2.
  19. In the Base DNs for Sync Class menu, enter one or more base DNs to synchronize specific subtrees of a directory information tree (DIT).
    Note:

    Entries outside of the specified base DNs are excluded from synchronization. Make sure the base DNs do not overlap.

  20. In the Filters for Sync Class menu, define one or more LDAP search filters to restrict specific entries for synchronization, or press Enter to accept the default (no).

    Entries that do not match the filters will be excluded from synchronization.

  21. In the Synchronized Attributes for Sync Class menu, specify which user attributes will be automatically mapped from one system to another.

    This example will exclude the source attribute (email) from being auto-mapped to the target servers. Operational attributes will not be included in any attribute mapping.

  22. In the Operations for Sync Class menu, select the operations that will be synchronized for the Sync Class, or press Enter to accept the default (1,2,3).
  23. Define a default Sync Class that specifies how the other entries are processed, or press Enter to create a Sync Class called Default Sync Class.
  24. In the Default Sync Class Operations menu, specify the operations that the default Sync Class will handle during synchronization, or press Enter to accept the default.
  25. Define a Sync Pipe going from the PingDirectory Server to the Sun Directory Server and exclude the mail attribute from being synchronized to the other endpoint servers.
  26. Review the Sync Pipe Configuration Summary, and press Enter to accept the default (write configuration), which records the commands in a batch file (<server-root>/sync-pipe-cfg.txt).

    You can reuse the batch file to set up other topologies.

Apply the configuration changes to the local PingDataSync instance by using a dsconfig batch file. Any Server SDK extensions, should be saved to the <server-root>/lib/extensions directory.

The next step will be to configure the attribute mappings using the dsconfig command.