If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use dsconfig to map these attributes instead of re-running the sync tool.
To map AD password policy state attributes to PingDirectory attributes:
The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name pwdAccountLockedTime \
      --type direct \
      --set from-attribute:pwdAccountLockedTimeFromAD

The following example maps the AD attribute userAccountControl & (ACCOUNTDISABLE == 2) to the PingDirectory attribute ds-pwp-account-disabled.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name ds-pwp-account-disabled \
      --type direct \
      --set from-attribute:ds-pwp-account-disabled-from-ad

The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

    dsconfig create-attribute-mapping \
      --map-name "<Microsoft Active Directory Users Attribute Map>" \
      --mapping-name pwdChangedTime \
      --type direct \
      --set from-attribute:pwdChangedTimeFromAD

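
To check that the three mappings above carried the AD state across, the following added example (not part of the product documentation) computes the values the PingDirectory attributes should hold for a given AD entry and reports any that differ, such as an account disabled in AD but still enabled in PingDirectory. The function names and sample entries are hypothetical, and comparing timestamps at second precision is an assumption.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime and pwdLastSet as FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x2  # userAccountControl bit named on this page

def filetime_to_generalized_time(value):
    """Convert an AD FILETIME to generalized time; None when AD holds 0 or nothing."""
    ticks = int(value) if value not in (None, "") else 0
    if ticks <= 0:  # lockoutTime 0: not locked; pwdLastSet 0: change at next logon
        return None
    moment = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return moment.strftime("%Y%m%d%H%M%SZ")

def expected_state(ad_entry):
    """Password policy state the three mappings should yield for one AD entry."""
    uac = int(ad_entry.get("userAccountControl", 0))
    return {
        "pwdAccountLockedTime": filetime_to_generalized_time(ad_entry.get("lockoutTime")),
        "ds-pwp-account-disabled": bool(uac & ACCOUNTDISABLE),
        "pwdChangedTime": filetime_to_generalized_time(ad_entry.get("pwdLastSet")),
    }

def mismatches(ad_entry, pd_entry):
    """Return (attribute, expected, actual) for each value that did not sync."""
    diffs = []
    for attr, want in expected_state(ad_entry).items():
        have = pd_entry.get(attr)
        if attr == "ds-pwp-account-disabled":
            have = str(have).lower() == "true"
        elif have is not None:
            # Assumption: compare at second precision, dropping any fraction.
            have = have.split(".")[0].rstrip("Z") + "Z"
        if have != want:
            diffs.append((attr, want, have))
    return diffs

# Constructed sample: a disabled AD account (512 | 2) whose state did not reach PingDirectory.
AD_SAMPLE = {"userAccountControl": "514", "lockoutTime": "0",
             "pwdLastSet": "133485408000000000"}
PD_SAMPLE = {"ds-pwp-account-disabled": "false",
             "pwdChangedTime": "20240101000000.000Z"}

if __name__ == "__main__":
    for attr, want, have in mismatches(AD_SAMPLE, PD_SAMPLE):
        print(f"{attr}: expected {want!r}, found {have!r}")
```
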
For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.