Mapping AD password policy state attributes to PingDirectory using dsconfig - PingDirectory

Page created: 15 Jul 2022 |

Page updated: 20 Jan 2023

| 1 min read

9.2 Product PingDirectory

If you have a working sync configuration between PingDirectory and Active Directory (AD) (AD) and want to manage password policy state attributes, use dsconfig to map these attributes instead of re-running the sync tool.

To map AD password policy state attributes to PingDirectory attributes:

Run dsconfig with the create-attribute-mapping option.

The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

dsconfig create-attribute-mapping 
	--map-name "<Microsoft Active Directory Users Attribute Map>" 
	--mapping-name pwdAccountLockedTime
	--type direct
	--set from-attribute:pwdAccountLockedTimeFromAD

The following example maps the AD attribute userAccountControl & (ACCOUNTDISABLE == 2) to the PingDirectory attribute ds-pwp-account-disabled.

dsconfig create-attribute-mapping
	--map-name "<Microsoft Active Directory Users Attribute Map>"
	--mapping-name ds-pwp-account-disabled 
	--type direct
	--set from-attribute:ds-pwp-account-disabled-from-ad

The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

dsconfig create-attribute-mapping
	--map-name "<Microsoft Active Directory Users Attribute Map>" 
	--mapping-name pwdChangedTime
	--type direct
	--set from-attribute:pwdChangedTimeFromAD

Note:

For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.