To configure synchronization with Active Directory systems, the following tasks are performed:
- Enable SSL connections
  - If synchronizing passwords between systems, synchronization with Microsoft Active Directory systems requires that SSL be enabled on the Active Directory domain controller, so that PingDataSync can securely propagate the cn=Sync User account password and other user passwords to the target.
- Run the create-sync-pipe-config tool
  - On the Ping Data Sync Server, use the create-sync-pipe-config tool to configure the Sync Pipes to communicate with the Active Directory source or target.
- Configure outbound password synchronization on a PingDirectory Server Sync Source
  - After running the create-sync-pipe-config tool, determine if outbound password synchronization from a PingDirectory Server Sync Source is required. If so, enable the Password Encryption component on all PingDirectory Server sources that receive password modifications. The PingDirectory Server uses the Password Encryption component, analogous to the Password Sync Agent component, to intercept password modifications and add an encrypted attribute, ds-changelog-encrypted-password, to the changelog entry. The component enables passwords to be synchronized securely to the Active Directory system, which uses a different password storage scheme. The encrypted attribute appears in the change log and is synchronized to the other servers, but does not appear in the entries themselves.
- Configure outbound password synchronization on an Active Directory Sync Source
  - After running the create-sync-pipe-config tool, determine if outbound password synchronization from an Active Directory Sync Source is required. If so, install the Password Sync Agent (PSA) after configuring PingDataSync.
- Run the realtime-sync set-startpoint tool
  - The realtime-sync set-startpoint command may take several minutes to run, because it must issue repeated searches of the Active Directory domain controller until it has paged through all the changes and receives an up-to-date cookie.
Note: The Password Sync Agent cannot be pointed at multiple domain clusters.
Note: If the Password Sync Agent is down for any length of time and misses a password change, these changes will not be synced on recovery without either a new password change for the entry or the use of pass-through authentication.
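The following is an added verification script, not part of this documentation or of the Ping products: after enabling the Password Encryption component, it audits an LDIF export of the PingDirectory changelog and flags any password modification whose changelog entry lacks ds-changelog-encrypted-password (such a change cannot be propagated to the Active Directory target). It assumes the changelog entry stores the modification in a base64-encoded `changes` attribute; the sample entries are constructed.

```python
import base64

def _changelog_entry(number, target_dn, changes, encrypted=None):
    """Build one constructed changelog entry in LDIF form."""
    lines = [
        f"dn: changeNumber={number},cn=changelog",
        f"changeNumber: {number}",
        f"targetDN: {target_dn}",
        "changeType: modify",
        # the changelog stores the modification base64-encoded ('::' in LDIF)
        "changes:: " + base64.b64encode(changes.encode()).decode(),
    ]
    if encrypted is not None:
        lines.append(f"ds-changelog-encrypted-password: {encrypted}")
    return "\n".join(lines) + "\n"

# Constructed sample: 12 has the encrypted attribute, 13 does not, 14 is not a password change.
SAMPLE_LDIF = "\n".join([
    _changelog_entry(12, "uid=jdoe,ou=People,dc=example,dc=com",
                     "replace: userPassword\nuserPassword: hunter2\n-\n",
                     encrypted="ENCRYPTED-PLACEHOLDER"),
    _changelog_entry(13, "uid=asmith,ou=People,dc=example,dc=com",
                     "replace: userPassword\nuserPassword: pass123\n-\n"),
    _changelog_entry(14, "uid=bjones,ou=People,dc=example,dc=com",
                     "replace: mail\nmail: bj@example.com\n-\n"),
])

def parse_ldif(text):
    """Minimal LDIF parser: blank line separates entries, '::' marks a base64 value.
    Continuation lines (leading space) are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode()
        else:
            name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit_password_changes(text):
    """Return (changeNumber, verdict) for each change that modifies userPassword."""
    results = []
    for e in parse_ldif(text):
        if "userPassword" not in e.get("changes", [""])[0]:
            continue  # not a password change; nothing for the AD target to receive
        ok = "ds-changelog-encrypted-password" in e
        results.append((int(e["changeNumber"][0]), "ok" if ok else "missing-encrypted-password"))
    return results
```

Run `audit_password_changes(open("changelog.ldif").read())` against a real export (e.g. from ldapsearch against cn=changelog); any `missing-encrypted-password` verdict means a source server is still writing password changes without the component enabled.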