When you use the sync-pipe tool to configure AD or AD-LDS as a one-way sync with PingDirectory, three AD password policy state attributes require user input to map to a corresponding PingDirectory attribute.
The following table shows these three attributes, the intermediate attribute that is formed between PingDirectory and AD (or AD-LDS), and the extended operation type used by the Directory Server to apply the change.
AD and AD-LDS attribute | Intermediate attribute | PingDirectory attribute | PasswordPolicyStateOperation opType |
---|---|---|---|
|
|
|
OP_TYPE_SET_AUTH_FAILURE_TIMES |
Note:
In AD-LDS, the corresponding attribute is
|
|
|
|
|
|
|
|
Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don't exist on either the AD server or on the PingDirectory server.
modifies-as-creates
By default, the modifies-as-creates sync class property is set to false.
The above attributes might not be synchronized as expected when the following is true:
- You are using the realtime-sync tool.
- The modifies-as-creates sync class property is set to true.
- A modification is detected on the source endpoint to a missing entry on the destination endpoint.
- The modification is to attributes other than the three AD password policy state attributes previously mentioned.
To avoid this known issue, you can run the resync tool instead of the realtime-sync tool. Using resync will correctly copy all attributes. For more information, see Resync tool.