Syncing from AD-LDS to PingDirectory is supported for all features except password syncing.

Important:

If you are syncing the lockoutTime, userAccountControl (specifically the ACCOUNTDISABLE bit, value 2), or pwdLastSet AD attributes, or the AD-LDS ms-DS-User-Account-Disabled attribute, see Synchronizing Active Directory with PingDirectory.

Note:

The Password Sync Agent cannot be pointed at multiple domain clusters.

  1. From the server-root directory, start PingDataSync.
    $ <server-root>/bin/start-server
  2. To set up the initial synchronization topology, run the sync tool.
    $ bin/create-sync-pipe-config
  3. In the Create Initial Synchronization Configuration menu, press Enter to continue the configuration.
  4. In the Synchronization Mode menu, press Enter to accept the default option 1 for Standard mode.
  5. In the Synchronization Direction menu, press Enter to accept the default option 1 for One way.
  6. In the Source Endpoint Type menu, enter option 7 for Microsoft Active Directory.
  7. In the Source Endpoint Name menu, enter a name for the Microsoft AD source server, or press Enter to accept the default value of Microsoft Active Directory Source.
  8. In the <Source Server> Server Security menu, press Enter to accept the default option 1 for SSL security.
  9. In the <Source Server> Servers menu, enter the host name and listener port for LDAP communication with the source server in the format of <host name>:<port number> and press Enter.

    The PingDataSync server attempts a connection to the AD source server. After adding the first server, you can add additional servers for the source endpoint; they are prioritized below the first server.

  10. When you have finished adding servers, press Enter to continue to the next configuration step.
  11. In the Synchronization User Account for <Source Server> menu, enter a user account distinguished name (DN) for the source servers, or press Enter to accept the default value.

    This account is used exclusively by the PingDataSync server to communicate with the source external servers.

  12. Enter a password for the synchronization user account and press Enter.
    Note:

    The User Account DN password must meet the minimum password requirements for AD domains.

  13. In the Destination Endpoint Type menu, press Enter to select the default option 1 for Ping Identity Directory Server.
  14. In the Destination Endpoint Name menu, enter a name for your destination endpoint, or press Enter to select the default value, Ping Identity Directory Server Destination.
  15. In the Base DNs for <Endpoint Server> menu, enter a base DN where synchronized entries can be found in your endpoint server, or press Enter to accept the default value.

    After your initial entry, you can add additional base DNs by following the prompts.

  16. When you have finished entering base DNs for synchronized entries, press Enter to continue the configuration.
  17. In the <Endpoint Server> Server Security menu, enter the option for the type of security that the PingDataSync server will use when communicating with the endpoint server, and press Enter.
  18. In the <Endpoint Server> Servers menu, enter the host name and port for LDAP communication in the format of <host name>:<port number> and press Enter.

    The PingDataSync server attempts a connection to the destination PingDirectory server endpoint. After adding the first server, you can add additional servers for the destination endpoint; they are prioritized below the first server.

  19. When you have finished adding servers, press Enter to continue to the next configuration step.
  20. In the Synchronization User Account for <Endpoint Server> menu, enter a DN for the synchronization user account that will be used in communication with external servers, or press Enter to accept the default value, [cn=Sync User,cn=Root DNs,cn=config].
  21. Enter a password for the synchronization user account and press Enter.
  22. In the Prepare Server <Source Server> menu, press Enter to accept the default option 1 for Yes to prepare the source server for synchronization.
  23. In the Prepare Server <Endpoint Server> menu, press Enter to accept the default option 1 for Yes to prepare the endpoint server for synchronization.
  24. In the Sync Pipe Name menu, enter a name for the Sync Pipe from the source server (AD) to the endpoint server (PingDirectory server), or press Enter to select the default value, Microsoft_Active_Directory_Source_to_Ping_Identity_Directory_Server_Destination.
  25. In the Pre-configured Sync Class Configuration for Active Directory Sync Source menu, follow the prompts to create the basic sync classes and attribute mappings needed to synchronize user accounts, user passwords, and groups to and from AD.
    1. To synchronize user Create, Modify, and Delete operations from AD, follow the prompts.
    2. Enter the object class for user entries at the endpoint, or press Enter to accept the default value, inetOrgPerson.
    3. To configure which password policy state attributes to synchronize, follow the prompts.

      For more information on the AD to PingDirectory password policy state attribute mappings, see Synchronizing Active Directory with PingDirectory.

      Note:

      For the referenced password policy state attributes, AD is treated as the authoritative source because synchronization from PingDirectory to AD is not supported for those attributes.

      Important:

      The password policy in PingDirectory must match the password policy in AD. For example, the lockout-failure-count in PingDirectory must match the account lockout threshold in AD.

    4. To create a DN map for users in the sync pipe, enter yes and press Enter. If you do not want to create a DN map, press Enter to accept the default option, no.
    5. Review the list of basic mappings set up for synchronized user entries and follow the prompts to add any additional attribute mappings. Press Enter to continue.
    6. To synchronize group Create, Modify, and Delete operations from AD, follow the prompts.
  26. In the Sync Pipe Sync Class Definitions menu, press Enter to accept the Microsoft Active Directory Source Users Sync Class, or to create a new sync class name, enter a value and press Enter.
  27. Review the Configuration Summary and press Enter to write the configuration file as displayed.

    The server writes the configuration file to a dsconfig batch file.

  28. To apply the configuration changes to the local PingDataSync server, press Enter. If you do not want to apply the changes, enter no and press Enter.
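The Important notes above call out the AD password-policy state attributes (lockoutTime, userAccountControl with ACCOUNTDISABLE == 2, pwdLastSet) and require that the PingDirectory lockout-failure-count match the AD account lockout threshold. The following is an added example, not Ping Identity's code or part of the create-sync-pipe-config tool: it reads constructed sample AD user records, derives the account state a sync class would have to write for each one, and checks the lockout-threshold pairing before the pipe is enabled. The sample entries, the AD FILETIME conversion, the PingDirectory attribute name ds-pwp-account-disabled and the AD domain attribute lockoutThreshold are assumptions of this example and are not taken from the procedure.

```python
"""Pre-flight checks for an AD -> PingDirectory sync pipe (added example).

Assumptions (not from the procedure): the records below are constructed
sample data; ds-pwp-account-disabled (PingDirectory) and lockoutThreshold
(AD domain object) are schema names assumed for illustration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit called out in the procedure's Important note.
ACCOUNTDISABLE = 0x2

# AD stores lockoutTime and pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample data: one normal account, one disabled, locked account
# that must also change its password at next logon (pwdLastSet == 0).
SAMPLE_AD_ENTRIES = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
lockoutTime: 0
pwdLastSet: 133000000000000000

dn: CN=Bob Example,OU=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 514
lockoutTime: 133123456789000000
pwdLastSet: 0
"""


def parse_entries(text: str) -> list:
    """Parse blank-line-separated 'attr: value' records into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def filetime_to_datetime(value: int):
    """Convert an AD FILETIME to an aware datetime; 0 means 'unset'."""
    if value == 0:
        return None
    return AD_EPOCH + timedelta(microseconds=value // 10)


def derive_pwp_state(entry: dict) -> dict:
    """Map the AD attributes the procedure flags to destination-side state."""
    uac = int(entry.get("userAccountControl", "0"))
    lockout_time = int(entry.get("lockoutTime", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    return {
        # The "userAccountControl & (ACCOUNTDISABLE == 2)" test from the note.
        "ds-pwp-account-disabled": bool(uac & ACCOUNTDISABLE),
        # lockoutTime of 0 means not locked; any other value is the lock time.
        "locked": lockout_time != 0,
        "locked_at": filetime_to_datetime(lockout_time),
        # pwdLastSet of 0 is AD's "user must change password at next logon".
        "must_change_password": pwd_last_set == 0,
        "password_changed_at": filetime_to_datetime(pwd_last_set),
    }


def check_lockout_policy(ad_lockout_threshold: int, pd_lockout_failure_count: int) -> list:
    """Return findings (empty list means OK) for the Important note's rule that
    lockout-failure-count in PingDirectory match the AD account lockout threshold."""
    findings = []
    if ad_lockout_threshold != pd_lockout_failure_count:
        findings.append(
            f"PingDirectory lockout-failure-count={pd_lockout_failure_count} does not "
            f"match AD lockoutThreshold={ad_lockout_threshold}; accounts would lock on "
            "one server before the other")
    return findings


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_AD_ENTRIES):
        print(e["sAMAccountName"], derive_pwp_state(e))
    # Constructed policy values: AD threshold 5, PingDirectory set to 3.
    for finding in check_lockout_policy(5, 3):
        print("FINDING:", finding)
```

Run it against an export of your real user entries before step 28 applies the batch file; a non-empty result from check_lockout_policy means the two policies will diverge on locked accounts once AD is treated as authoritative for these attributes.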