Considerations

There are three key considerations when synchronizing between AD and PingDirectory:

The realtime-sync tool
The realtime-sync tool uses the AD DirSync control to detect changes on entries, which requires the control to be searched at the top of the directory information tree (DIT). Because of this, you must point your AD Sync Source to the top of the AD tree for realtime-sync to work.
Distinguished name (DN) mapping
The AD Sync Source must be pointed at the top of the DIT, but not every branch under the top of the tree can be easily synchronized.

For example, cn=Users is a container organizational unit (OU) that doesn't easily convert into a standard OU. Likewise, cn=Builtin is a top-level domain that also contains built-in groups without a purpose in PingDirectory and that don't need to be synchronized.

To avoid synchronizing entries that are native and apply only to AD, point your Sync Classes at specific OUs.

Schema and attribute mappingattribute mapping Matching corresponding attributes between an IdP and an SP to identify federated users or add supplemental user information.
The schema between AD and PingDirectory is not a 1:1 relationship, which means that not all attributes can be directly synchronized.

The following attributes are among those that can be directly synchronized:

  • cn
  • sn
  • mail

Other attributes, such as the AD attribute {{samAccountName}} aren't defined in PingDirectory by default, and if you don't define schema for the attribute, you can map it to a similar attribute such as the PingDirectory uid attribute. You should create attribute mappings for each attribute that you want to synchronize between AD and PingDirectory.

Configuration information

For configuration information and procedures for synchronization between PingDirectory server or other LDAPLDAP (Lightweight Directory Access Protocol) An open, cross platform protocol used for interacting with directory services. source servers or targets with Microsoft AD systems, see the following: