Mapping AD password policy state attributes to PingDirectory using dsconfig - PingDataSync - PingDirectory - 9.2


If you have a working sync configuration between PingDirectory and Active Directory (AD) and want to manage password policy state attributes, use dsconfig to map these attributes instead of re-running the sync tool.

To map AD password policy state attributes to PingDirectory attributes:

Run dsconfig with the create-attribute-mapping option.

The following example maps the AD attribute lockoutTime to the PingDirectory attribute pwdAccountLockedTime.

dsconfig create-attribute-mapping \
	--map-name "<Microsoft Active Directory Users Attribute Map>" \
	--mapping-name pwdAccountLockedTime \
	--type direct \
	--set from-attribute:pwdAccountLockedTimeFromAD

The following example maps the ACCOUNTDISABLE bit of the AD attribute userAccountControl (userAccountControl & ACCOUNTDISABLE, where ACCOUNTDISABLE == 2) to the PingDirectory attribute ds-pwp-account-disabled.

dsconfig create-attribute-mapping \
	--map-name "<Microsoft Active Directory Users Attribute Map>" \
	--mapping-name ds-pwp-account-disabled \
	--type direct \
	--set from-attribute:ds-pwp-account-disabled-from-ad

The following example maps the AD attribute pwdLastSet to the PingDirectory attribute pwdChangedTime.

dsconfig create-attribute-mapping \
	--map-name "<Microsoft Active Directory Users Attribute Map>" \
	--mapping-name pwdChangedTime \
	--type direct \
	--set from-attribute:pwdChangedTimeFromAD
Note: For more information about synchronizing these AD attributes with PingDirectory, see Synchronizing Active Directory with PingDirectory.
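
A check to run once the mappings are in place, as an added example that is not part of the Ping Identity documentation: it converts the AD values (lockoutTime and pwdLastSet are 100-nanosecond FILETIME counts, userAccountControl is a bit field) into the form the three PingDirectory attributes use, and reports attributes where a locked or disabled AD account is not reflected in PingDirectory. The function names, the sample entries, and the treatment of an AD value of 0 as "no value" are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD counts 100 ns ticks from here
ACCOUNTDISABLE = 0x2  # userAccountControl flag named on this page


def filetime_to_generalized_time(ticks):
    """AD FILETIME (lockoutTime, pwdLastSet) -> LDAP generalized time, or None when unset."""
    ticks = int(ticks)
    if ticks <= 0:  # assumption: 0 (not locked / must change password) syncs as "no value"
        return None
    moment = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return moment.strftime("%Y%m%d%H%M%S") + f".{moment.microsecond // 1000:03d}Z"


def expected_state(ad_entry):
    """Values the three mapped PingDirectory attributes should hold for one AD entry."""
    uac = int(ad_entry.get("userAccountControl", 0))
    return {
        "pwdAccountLockedTime": filetime_to_generalized_time(ad_entry.get("lockoutTime", 0)),
        "pwdChangedTime": filetime_to_generalized_time(ad_entry.get("pwdLastSet", 0)),
        "ds-pwp-account-disabled": bool(uac & ACCOUNTDISABLE),
    }


def to_seconds(value):
    """Parse 'YYYYmmddHHMMSS[.fff]Z' at one-second precision; None stays None."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S") if value else None


def mismatches(ad_entry, pd_entry):
    """Names of mapped attributes whose PingDirectory value disagrees with AD."""
    expected = expected_state(ad_entry)
    bad = [name for name in ("pwdAccountLockedTime", "pwdChangedTime")
           if to_seconds(expected[name]) != to_seconds(pd_entry.get(name))]
    disabled = str(pd_entry.get("ds-pwp-account-disabled", "false")).lower() == "true"
    if disabled != expected["ds-pwp-account-disabled"]:
        bad.append("ds-pwp-account-disabled")
    return bad


# Constructed sample entries (not taken from a real directory).
AD_ENTRY = {"lockoutTime": "133485444000000000", "pwdLastSet": "133485408000000000",
            "userAccountControl": "514"}  # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
PD_ENTRY = {"pwdAccountLockedTime": "20240101010000.000Z",
            "pwdChangedTime": "20240101000000Z", "ds-pwp-account-disabled": "false"}

if __name__ == "__main__":
    print(expected_state(AD_ENTRY))
    print("out of sync:", mismatches(AD_ENTRY, PD_ENTRY))
```

In the sample, the AD account is disabled but the PingDirectory entry still reports ds-pwp-account-disabled as false, which is the kind of drift to alert on.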