Configure a one-way Sync Pipe with the Active Directory (AD) topology as the sync source and a PingDirectory Server topology as the Sync Destination.
Syncing from AD-LDS to PingDirectory is supported for all features except password syncing.
If you are syncing the lockoutTime, userAccountControl & (ACCOUNTDISABLE == 2), or pwdLastSet AD attributes, or the AD-LDS ms-DS-User-Account-Disabled attribute, see Synchronizing Active Directory with PingDirectory.
The Password Sync Agent cannot be pointed at multiple domain clusters.
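The three AD attributes named above are the ones whose semantics most often trip up a sync mapping. The following is an added example in Python, not code from Ping Identity's documentation or product, showing how each value is interpreted before it is mapped to password policy state on the PingDirectory side; the attribute semantics are standard AD, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Bit in userAccountControl that marks a disabled account (value 2, as stated
# in the note above). Other bits exist but only this one is needed here.
ACCOUNTDISABLE = 0x0002

# AD stores lockoutTime and pwdLastSet as Windows FILETIME values:
# 100-nanosecond intervals since 1601-01-01T00:00:00Z.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an AD large-integer timestamp to an aware UTC datetime.
    Zero means 'never' (no lockout event, or password never set)."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def account_state(entry):
    """Interpret the AD attributes named in the note above.
    entry: dict of attribute name -> string value as returned by an LDAP
    read of the user (constructed input here, not a live directory)."""
    uac = int(entry.get("userAccountControl", "0"))
    lockout = int(entry.get("lockoutTime", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    return {
        # Disabled accounts are flagged by the ACCOUNTDISABLE bit.
        "disabled": bool(uac & ACCOUNTDISABLE),
        # A non-zero lockoutTime records a lockout event. Whether it is still
        # in force depends on the domain's lockout duration, which is why the
        # PingDirectory lockout settings must mirror the AD policy.
        "lockout_event_at": filetime_to_datetime(lockout),
        # pwdLastSet == 0 means the password must be changed at next logon.
        "must_change_password": pwd_last_set == 0,
        "password_last_set": filetime_to_datetime(pwd_last_set),
    }


# Constructed sample entries (not real directory data).
# 512 = NORMAL_ACCOUNT; 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
# 133485408000000000 is the FILETIME for 2024-01-01T00:00:00Z.
SAMPLE_ENTRIES = {
    "normal": {"userAccountControl": "512", "lockoutTime": "0",
               "pwdLastSet": "133485408000000000"},
    "disabled": {"userAccountControl": "514", "lockoutTime": "0",
                 "pwdLastSet": "133485408000000000"},
    "locked": {"userAccountControl": "512",
               "lockoutTime": "133485408000000000", "pwdLastSet": "0"},
}
```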
- From the server-root directory, start PingDataSync.
  $ <server-root>/bin/start-server
- To set up the initial synchronization topology, run the create-sync-pipe-config tool.
  $ bin/create-sync-pipe-config
- In the Create Initial Synchronization Configuration menu, press Enter to continue the configuration.
- In the Synchronization Mode menu, press Enter to accept the default option 1 for Standard mode.
- In the Synchronization Direction menu, press Enter to accept the default option 1 for One way.
- In the Source Endpoint Type menu, enter option 7 for Microsoft Active Directory.
- In the Source Endpoint Name menu, enter a name for the Microsoft AD source server, or press Enter to accept the default value of Microsoft Active Directory Source.
- In the <Source Server> Server Security menu, press Enter to accept the default option 1 for SSL security.
- In the <Source Server> Servers menu, enter the host name and listener port for LDAP communication with the source server in the format <host name>:<port number> and press Enter.
  The Data Sync server attempts a connection to the AD source server. After adding the first server, you can add additional servers for the source endpoint; they are prioritized below the first server.
- When you have finished adding servers, press Enter to continue to the next configuration step.
- In the Synchronization User Account for <Source Server> menu, enter a user account distinguished name (DN) for the source servers, or press Enter to accept the default value.
  The account is used exclusively by the Data Sync Server to communicate with the source external servers.
- Enter a password for the synchronization user account and press Enter.
  Note: The User Account DN password must meet the minimum password requirements for AD domains.
- In the Destination Endpoint Type menu, press Enter to select the default option 1 for Ping Identity Directory Server.
- In the Destination Endpoint Name menu, enter a name for your destination endpoint, or press Enter to select the default value, Ping Identity Directory Server Destination.
- In the Base DNs for <Endpoint Server> menu, enter a base DN where synchronized entries can be found in your endpoint server, or press Enter to accept the default value.
  After your initial entry, you can add additional base DNs by following the prompts.
- When you have finished entering base DNs for synchronized entries, press Enter to continue the configuration.
- In the <Endpoint Server> Server Security menu, enter the option for the type of security that the Sync Server will use in communication with the endpoint server and press Enter.
- In the <Endpoint Server> Servers menu, enter the host name and port for LDAP communication in the format <host name>:<port number> and press Enter.
  The Data Sync server attempts a connection to the destination Directory Server endpoint. After adding the first server, you can add additional servers for the destination endpoint; they are prioritized below the first server.
- When you have finished adding servers, press Enter to continue to the next configuration step.
- In the Synchronization User Account for <Endpoint Server> menu, enter a DN for the synchronization user account that will be used in communication with external servers, or press Enter to accept the default value, cn=Sync User,cn=Root DNs,cn=config.
- Enter a password for the synchronization user account and press Enter.
- In the Prepare Server <Source Server> menu, press Enter to accept the default option 1 for Yes to prepare the source server for synchronization.
- In the Prepare Server <Endpoint Server> menu, press Enter to accept the default option 1 for Yes to prepare the endpoint server for synchronization.
- In the Sync Pipe Name menu, enter a name for the Sync Pipe from the source server (AD) to the endpoint server (Ping Identity Directory Server), or press Enter to select the default value, Microsoft_Active_Directory_Source_to_Ping_Identity_Directory_Server_Destination.
- In the Pre-configured Sync Class Configuration for Active Directory Sync Source menu, follow the prompts to create the basic sync classes and attribute mappings needed to synchronize user accounts, user passwords, and groups to and from AD.
- To synchronize user Create, Modify, and Delete operations from AD, follow the prompts.
- Enter the object class for user entries at the endpoint, or press Enter to accept the default value, inetOrgPerson.
- To configure which password policy state attributes to synchronize, follow the prompts.
  For more information on the AD to PingDirectory password policy state attribute mappings, see Synchronizing Active Directory with PingDirectory.
  Note: For the referenced password policy state attributes, AD is treated as the authoritative source because synchronization from PingDirectory to AD is not supported for those attributes.
  Important: The password policy in PingDirectory must match the password policy in AD. For example, the lockout-failure-count in PingDirectory must match the account lockout threshold in AD.
- To create a DN map for users in the sync pipe, enter yes and press Enter. To not create a DN map, press Enter to accept the default option, no.
. - Review the list of basic mappings set up for synchronized user entries and follow the prompts to add any additional attribute mappings. Press Enter to continue.
- To synchronize group Create, Modify, and Delete operations from AD, follow the prompts.
- In the Sync Pipe Sync Class Definitions menu, press Enter to accept the Microsoft Active Directory Source Users Sync Class, or to create a new sync class name, enter a value and press Enter.
- Review the Configuration Summary and press Enter to write the configuration file as displayed.
  The server writes the configuration file to a dsconfig batch file.
- To apply the configuration changes to the local Data Sync Server, press Enter. To not apply the changes, enter no and press Enter.