Page created: 15 Jul 2022
|
Page updated: 20 Jan 2023
| 3 min read
9.2 Product PingDirectory Directory Capability Product documentation Content Type Administration User task IT Administrator Administrator Audience System Administrator Software Deployment Method SCIM Standards, specifications, and protocols Configuration
Configure a Sync Pipe for LDAP to System for Cross-domain Identity Management (SCIM) synchronization, create Sync classes for the Sync Pipe, and set the evaluation order index for the Sync classes.
Note:
The Synchronization mode must be set to Standard. Notification Mode cannot be used with SCIM.
-
Once the source and destination endpoints are configured, configure the Sync Pipe
for LDAP to SCIM synchronization. Run the dsconfig command to
configure an LDAP-to-SCIM Sync Pipe:
$ bin/dsconfig create-sync-pipe \ --pipe-name ldap-to-scim \ --set sync-source:source \ --set sync-destination:scim -
The next set of steps define three Sync Classes. The first Sync Class is used to
match user entries in the Sync Source. The second class is used to match group
entries. The third class is a DEFAULT class that is used to match all other
entries.
Run the
dsconfigcommand to create the first Sync Class and set the Sync Pipe Name and Sync Class name:$ bin/dsconfig create-sync-class \ --pipe-name ldap-to-scim \ --class-name user -
Use
dsconfigto set the base distinguished name (DN) and filter for this Sync class. Theinclude-base-dnproperty specifies the base DN in the source, which isou=people,dc=example,dc=comby default. This Sync Class is invoked only for changes at theou=peoplelevel. The include-filter property specifies an LDAP filter that tells PingDataSync to includeinetOrgPersonentries as user entries. Thedestination-correlation-attributesspecifies LDAP attributes that allow PingDataSync to find the destination resource on the SCIM server. The value of this property will vary. See Identify a SCIM resource at the destination for details.$ bin/dsconfig set-sync-class-prop \ --pipe-name ldap-to-scim \ --class-name user \ --add include-base-dn:ou=people,dc=example,dc=com \ --add "include-filter:(objectClass=inetOrgPerson)" \ --set destination-correlation-attributes:externalId -
Create a second Sync class, which is used to match group entries:
$ bin/dsconfig create-sync-class \ --pipe-name ldap-to-scim \ --class-name group -
For the second Sync class, set the base DN and the filters to match the group
entries.
$ bin/dsconfig set-sync-class-prop \ --pipe-name ldap-to-scim \ --class-name group \ --add include-base-dn:ou=groups,dc=example,dc=com \ --add "include-filter:(|(objectClass=groupOfEntries)\ (objectClass=groupOfNames)(objectClass=groupOfUniqueNames)\ (objectClass=groupOfURLs))" -
For the third Sync class, create a DEFAULT Sync class that is used to match all
other entries. To synchronize changes from only user and group entries, set
synchronize-creates,synchronize-modifies, andsynchronize-deleteto false.$ bin/dsconfig create-sync-class \ --pipe-name ldap-to-scim \ --class-name DEFAULT \ --set evaluation-order-index:99999 \ --set synchronize-creates:false \ --set synchronize-modifies:false \ --set synchronize-deletes:false -
After all of the Sync classes needed by the Sync Pipe are configured, set the
evaluation order index for each Sync class. Classes with a lower number are evaluated
first. Run dsconfig to set the evaluation order index for the Sync
class. The actual number depends on the deployment.
$ bin/dsconfig set-sync-class-prop \ --pipe-name ldap-to-scim \ --class-name user \ --set evaluation-order-index:100