Configure the sync pipe, sync classes, and evaluation order - PingDirectory - PingDataSync - 9.2

PingDirectory 9.2
bundle
pingdirectory-92
ft:publication_title
PingDirectory 9.2
Product_Version_ce
PingDirectory 9.2
category
Product
pd-92
pingdirectory
ContentType_ce

Configure a Sync Pipe for LDAPLDAP (Lightweight Directory Access Protocol) An open, cross platform protocol used for interacting with directory services. to System for Cross-domain Identity Management (SCIM)System for Cross-domain Identity Management (SCIM)SCIM An application-level, HTTP-based protocol for provisioning and managing user identity information. SCIM supplies a common schema for representing users and groups and provides a REST API. synchronization, create Sync classes for the Sync Pipe, and set the evaluation order index for the Sync classes.

Note:

The Synchronization mode must be set to Standard. Notification Mode cannot be used with SCIM.

  1. Once the source and destination endpoints are configured, configure the Sync Pipe for LDAP to SCIM synchronization. Run the dsconfig command to configure an LDAP-to-SCIM Sync Pipe: 
    $ bin/dsconfig create-sync-pipe \
  --pipe-name ldap-to-scim \
  --set sync-source:source \
  --set sync-destination:scim
  2. The next set of steps define three Sync Classes. The first Sync Class is used to match user entries in the Sync Source. The second class is used to match group entries. The third class is a DEFAULT class that is used to match all other entries.

    Run the dsconfig command to create the first Sync Class and set the Sync Pipe Name and Sync Class name:

    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name user
  3. Use dsconfig to set the base distinguished name (DN)distinguished name (DN)DN A name uniquely identifying an object within the hierarchy of a directory tree. and filter for this Sync class. The include-base-dn property specifies the base DN in the source, which is ou=people,dc=example,dc=com by default. This Sync Class is invoked only for changes at the ou=people level. The include-filter property specifies an LDAP filter that tells PingDataSync to include inetOrgPerson entries as user entries. The destination-correlation-attributes specifies LDAP attributes that allow PingDataSync to find the destination resource on the SCIM server. The value of this property will vary. See Identify a SCIM resource at the destination for details. 
    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name user \
  --add include-base-dn:ou=people,dc=example,dc=com \
  --add "include-filter:(objectClass=inetOrgPerson)" \
  --set destination-correlation-attributes:externalId
  4. Create a second Sync class, which is used to match group entries: 
    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name group
  5. For the second Sync class, set the base DN and the filters to match the group entries. 
    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name group \
  --add include-base-dn:ou=groups,dc=example,dc=com \
  --add "include-filter:(|(objectClass=groupOfEntries)\
    (objectClass=groupOfNames)(objectClass=groupOfUniqueNames)\
    (objectClass=groupOfURLs))"
  6. For the third Sync class, create a DEFAULT Sync class that is used to match all other entries. To synchronize changes from only user and group entries, set synchronize-creates, synchronize-modifies, and synchronize-delete to false. 
    $ bin/dsconfig create-sync-class \
  --pipe-name ldap-to-scim \
  --class-name DEFAULT \
  --set evaluation-order-index:99999 \
  --set synchronize-creates:false \
  --set synchronize-modifies:false \
  --set synchronize-deletes:false
  7. After all of the Sync classes needed by the Sync Pipe are configured, set the evaluation order index for each Sync class. Classes with a lower number are evaluated first. Run dsconfig to set the evaluation order index for the Sync class. The actual number depends on the deployment. 
    $ bin/dsconfig set-sync-class-prop \
  --pipe-name ldap-to-scim \
  --class-name user \
  --set evaluation-order-index:100