These steps aren't required for the following scenarios:

  • Synchronizing from AD to a PingDirectory server
  • Excluding password synchronization
  1. On the PingDirectory server that will receive the password modifications, enable the Change Log Password Encryption component. The component intercepts password modifications, encrypts the password and adds an encrypted attribute, ds-changelog- encrypted-password, to the change log entry. The encryption key can be copied from the output if displayed, or accessed from the <serverroot>/bin/sync-pipe-cfg.txt file.
    $ bin/dsconfig set-plugin-prop --plugin-name "Changelog Password
    Encryption" \
      --set enabled:true \
      --set changelog-password-encryption-key:<key>
  2. On PingDataSync, set the decryption key used to decrypt the user password value in the change log entries. The key allows the user password to be synchronized to other servers that do not use the same password storage scheme.
    $ bin/dsconfig set-global-sync-configuration-prop \
      --set changelog-password-decryption-key:ej5u9e39pqo68

Test the configuration or populate data in the destination servers using the bulk comparison capability of the resync tool. Then, use the realtime-sync tool to start synchronizing the data. If synchronizing passwords, install the Password Sync Agent (PSA) on all of the domain controllers in the topology.


To synchronize passwords from PingDirectory to AD, you must use the realtime-sync tool. The resync tool isn't supported for this operation.