Sync classes specify how to handle different kinds of entries read from the sync source when preparing to synchronize them to the sync destination.
When synchronizing to a System for Cross-domain Identity Management (SCIM) 2.0 server, you should have at least one sync class for each endpoint. The most important configuration properties you might need to specify include:
- A numeric value that indicates the order in which the sync class should be evaluated relative to other classes that are associated with the same sync pipe. Each class should have a different index, and classes will be examined in ascending order from lowest index to highest. The first class that is appropriate for a given type of change (based on criteria like the base distinguished name (DN), filter, and change type) will be used. This is required, but if you only have a single sync class for a sync pipe, then you can just stick with the default value of 9999.
- An optional base DN for source entries on which this sync class can operate. For example, if you are synchronizing users from an LDAP server and all of the users you want to synchronize are below ou=People,dc=example,dc=com, then you could use that as the base DN.
- An optional filter used to determine which kinds of entries this sync class can operate on. If a source entry does not match this filter, the sync class will not be used. For example, if the user entries you want to synchronize all have the inetOrgPerson object class, then you could use a filter of (objectClass=inetOrgPerson).
- An optional attribute map to identify and convert source attributes for use in the destination entry. This is different from the SCIM 2.0 attribute mapping that will be used by the SCIM 2.0 sync destination in that it is more general and is not tied to any specific type of destination. In some advanced use cases, you might need to provide values for this property (especially if you need to apply transformations that SCIM 2.0 attribute mappings can't do on their own), but in many cases, the auto-mapped-source-attribute property will be sufficient.
- A list of the attributes that should be automatically mapped from the source entry to the destination (before any SCIM 2.0 attribute mapping is applied, which might narrow down the set of attributes that will actually be used, and which might apply additional transformations). This might be a list of specific attribute names, but you can also use the special value -all- to indicate that all attributes from the source entry should be mapped to the destination, or the value -none- to indicate that no attributes should be automatically mapped and that only those attributes referenced in the attribute-map property should be included. This is required.
- Indicates whether to attempt to synchronize new entries created in the sync source to the destination. This property has a default value of
- Indicates whether to attempt to synchronize changes to existing entries in the sync source to the destination. This property has a default value of
- Indicates whether to attempt to synchronize entries removed from the sync source to the destination. This property has a default value of
- The method to use when comparing attributes between the source and destination versions of an entry to see if the value has changed. If specified, the value should be one of:
  - syntax-based – Uses the syntax and matching rules for the associated attribute type to determine whether a value has changed. This is the default behavior, and it might ignore changes that aren't considered significant by the equality matching rule (for example, if the value differs only in its use of capitalization in an attribute that uses case-insensitive matching).
  - byte-for-byte – Uses a byte-for-byte comparison of the source and destination versions of each value to determine whether it was changed. Any difference in the value will be considered significant, even if it would not have been considered significant in accordance with the syntax and matching rules.
- Indicates how the server should behave if an existing entry is modified in the sync source, but no corresponding version of that entry is found in the sync destination. By default, the value is false, and the synchronization operation will fail, leaving the entry absent from the destination. However, if this property is set to true, then the entry will be created in the destination.
- Indicates how the server should behave if a new entry is created in the sync source, but a corresponding version of that entry already exists in the sync destination. By default, the value is false, and the synchronization operation will fail, leaving the existing destination entry unchanged. However, if this property is set to true, then the source and destination versions of the entry will be compared, and the add might be converted into a modify if any differences are identified.
- An optional set of plugins that can be invoked when mapping entries from the source to the destination.
You can use the following example configuration change to create a sync class:
    dsconfig create-sync-class \
      --pipe-name "LDAP Source to SCIMv2 Destination" \
      --class-name "User Class" \
      --set include-base-dn:ou=People,dc=example,dc=com \
      --set include-filter:(objectClass=inetOrgPerson) \
      --set auto-mapped-source-attribute:-all-
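To make the evaluation rules above concrete, the following is an added illustrative model of how a sync pipe selects a sync class for a source entry, how the class maps attributes, and how the two comparison methods and the missing-entry/existing-entry options decide the outcome. It is example code written for this page, not PingDataSync's own implementation. The property names include-base-dn, include-filter, auto-mapped-source-attribute and attribute-map come from the page; evaluation_order_index, synchronize_creates/modifies/deletes, create_if_missing_on_modify and modify_if_exists_on_create are assumed field names for the options the page describes without naming, and the entries, filter and case-insensitivity table are constructed for the demo.

```python
"""Illustrative model of sync-class evaluation (added example, not PingDataSync code).
Entries are dicts mapping attribute name -> list of string values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Assumed subset of attributes whose LDAP equality matching rule ignores case.
CASE_INSENSITIVE_ATTRS = {"cn", "sn", "givenname", "mail", "objectclass", "uid"}


def is_at_or_below(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or is subordinate to it (case-insensitive)."""
    d = dn.lower().replace(", ", ",")
    b = base_dn.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


@dataclass
class SyncClass:
    class_name: str
    evaluation_order_index: int = 9999            # assumed name; page default when only one class exists
    include_base_dn: Optional[str] = None         # property name from the page's dsconfig example
    include_filter: Optional[Tuple[str, str]] = None   # (attribute, value) equality filter only
    auto_mapped_source_attribute: List[str] = field(default_factory=list)  # names, ["-all-"] or ["-none-"]
    attribute_map: Dict[str, str] = field(default_factory=dict)            # source attr -> destination attr
    synchronize_creates: bool = True              # assumed names for the three synchronize-* switches
    synchronize_modifies: bool = True
    synchronize_deletes: bool = True
    create_if_missing_on_modify: bool = False     # assumed name: modify arrives, destination entry absent
    modify_if_exists_on_create: bool = False      # assumed name: create arrives, destination entry present

    def applies_to(self, dn: str, entry: Entry) -> bool:
        """Base DN and filter both have to match for the class to be chosen."""
        if self.include_base_dn and not is_at_or_below(dn, self.include_base_dn):
            return False
        if self.include_filter:
            attr, value = self.include_filter
            if not any(v.lower() == value.lower() for v in entry.get(attr, [])):
                return False
        return True

    def map_entry(self, entry: Entry) -> Entry:
        """Copy auto-mapped attributes, then apply the explicit attribute map on top."""
        dest: Entry = {}
        if self.auto_mapped_source_attribute == ["-all-"]:
            dest.update({k: list(v) for k, v in entry.items()})   # copies everything, userPassword included
        elif self.auto_mapped_source_attribute != ["-none-"]:
            for name in self.auto_mapped_source_attribute:
                if name in entry:
                    dest[name] = list(entry[name])
        for src, dst in self.attribute_map.items():
            if src in entry:
                dest[dst] = list(entry[src])
        return dest


def select_sync_class(classes: List[SyncClass], dn: str, entry: Entry) -> Optional[SyncClass]:
    """First applicable class in ascending evaluation order wins; list order is irrelevant."""
    for cls in sorted(classes, key=lambda c: c.evaluation_order_index):
        if cls.applies_to(dn, entry):
            return cls
    return None


def attribute_changed(attr: str, src: List[str], dst: List[str], method: str = "syntax-based") -> bool:
    """syntax-based honours the attribute's matching rule; byte-for-byte treats any difference as a change."""
    if method == "byte-for-byte":
        return sorted(src) != sorted(dst)
    if method == "syntax-based":
        if attr.lower() in CASE_INSENSITIVE_ATTRS:
            return sorted(v.lower() for v in src) != sorted(v.lower() for v in dst)
        return sorted(src) != sorted(dst)
    raise ValueError(f"unknown comparison method: {method}")


def resolve_operation(cls: SyncClass, change_type: str, dest_exists: bool) -> str:
    """Operation the pipe would attempt for a source change: create/modify/delete, or skip/fail."""
    if change_type == "create":
        if not cls.synchronize_creates:
            return "skip"
        if dest_exists:   # the page: compare both versions and convert to a modify only if they differ
            return "modify" if cls.modify_if_exists_on_create else "fail"
        return "create"
    if change_type == "modify":
        if not cls.synchronize_modifies:
            return "skip"
        if not dest_exists:
            return "create" if cls.create_if_missing_on_modify else "fail"
        return "modify"
    if change_type == "delete":
        return "delete" if cls.synchronize_deletes else "skip"
    raise ValueError(f"unknown change type: {change_type}")


# Constructed configuration: the page's "User Class" with an explicit attribute list instead of -all-
# (so userPassword is never copied), plus a lower-priority catch-all class using -none- and an attribute map.
USER_CLASS = SyncClass(
    class_name="User Class", evaluation_order_index=100,
    include_base_dn="ou=People,dc=example,dc=com",
    include_filter=("objectClass", "inetOrgPerson"),
    auto_mapped_source_attribute=["uid", "cn", "mail"],
)
CATCH_ALL = SyncClass(class_name="Everything Else",
                      auto_mapped_source_attribute=["-none-"], attribute_map={"cn": "displayName"})
CLASSES = [CATCH_ALL, USER_CLASS]

# Constructed sample source entries.
JDOE = {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["Jane Doe"],
        "mail": ["JDoe@example.com"], "userPassword": ["{SSHA}constructed-sample"]}
ADMINS = {"objectClass": ["groupOfNames"], "cn": ["admins"]}

if __name__ == "__main__":
    chosen = select_sync_class(CLASSES, "uid=jdoe,ou=People,dc=example,dc=com", JDOE)
    print(chosen.class_name, chosen.map_entry(JDOE))
    print(attribute_changed("mail", ["JDoe@example.com"], ["jdoe@example.com"]),
          attribute_changed("mail", ["JDoe@example.com"], ["jdoe@example.com"], "byte-for-byte"))
    print(resolve_operation(USER_CLASS, "modify", dest_exists=False))
```

The model is deliberately narrow: the filter supports a single (attribute=value) equality assertion, and the matching-rule table is a constructed stand-in for the real schema. The point it makes is the one a reviewer of a sync class cares about: the base DN and filter decide which entries ever leave the source, and an explicit auto-mapped attribute list rather than -all- decides which attributes travel with them before any SCIM 2.0 mapping gets a chance to narrow the set.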