Sync classes specify how to handle different kinds of entries read from the sync source when preparing to synchronize them to the sync destination.
When synchronizing to a System for Cross-domain Identity Management (SCIM) 2.0 server, you should have at least one sync class for each endpoint. The most important configuration properties you might need to specify include:
evaluation-order-index
- A numeric value that determines the order in which this sync class is evaluated relative to the other sync classes associated with the same sync pipe. Each class on a pipe should have a distinct index, and classes are examined in ascending order, from the lowest index to the highest. The first class whose criteria (base DN, filter, and change type) match a given change is the one used, so a broadly scoped class with a low index can shadow more specific classes with higher indexes. This property is required, but if a sync pipe has only one sync class, you can leave it at the default value of 9999.
include-base-dn
- An optional base DN that limits the source entries on which this sync class can operate. For example, if you are synchronizing users from an LDAP server and all of the users you want to synchronize are below ou=People,dc=example,dc=com, you could use that as the base DN.
include-filter
- An optional filter that further limits the source entries on which this sync class can operate. If a source entry does not match the filter, the sync class is not used for it. For example, if all of the user entries you want to synchronize have the inetOrgPerson object class, you could use the filter (objectClass=inetOrgPerson).
attribute-map
- An optional attribute map that identifies source attributes and converts them for use in the destination entry.
auto-mapped-source-attribute
- A list of attributes that should be mapped automatically from the source entry to the destination, before any SCIM 2.0 attribute mapping is applied (that mapping might narrow down the set of attributes that is actually used and might apply additional transformations). The value can be a list of specific attribute names, the special value -all- to map every attribute from the source entry to the destination, or the special value -none- to map nothing automatically and include only the attributes referenced in the attribute-map property. This property is required.
synchronize-creates
- Indicates whether to attempt to synchronize entries that are newly created in the sync source to the destination. The default value is true.
synchronize-modifies
- Indicates whether to attempt to synchronize changes made to existing entries in the sync source to the destination. The default value is true.
synchronize-deletes
- Indicates whether to attempt to synchronize the removal of entries from the sync source to the destination. The default value is true.
attribute-comparison-method
- The method to use when comparing the source and destination versions of an entry to determine whether an attribute value has changed. If specified, the value should be one of:
modifies-as-creates
- Indicates how the server should behave if an entry is modified in the sync source but no corresponding entry is found in the sync destination. The default value is false, in which case the synchronization operation fails and the entry remains absent from the destination. If the property is set to true, the entry is instead created in the destination.
creates-as-modifies
- Indicates how the server should behave if a new entry is created in the sync source but a corresponding entry already exists in the sync destination. The default value is false, in which case the synchronization operation fails and the existing destination entry is left unchanged. If the property is set to true, the source and destination versions of the entry are compared, and the add is converted into a modify if any differences are found.
plugin
- An optional set of plugins that can be invoked when mapping entries from the source to the destination.
You can use the following example configuration change to create a sync class:
dsconfig create-sync-class \
--pipe-name "LDAP Source to SCIMv2 Destination" \
--class-name "User Class" \
--set include-base-dn:ou=People,dc=example,dc=com \
--set "include-filter:(objectClass=inetOrgPerson)" \
--set auto-mapped-source-attribute:-all-
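To make the selection rules above concrete, the following is an added, stand-alone model of how sync classes are chosen and applied to source entries. It is example code written for this page, not PingDataSync code: the SyncClass fields, the restriction to a single (attr=value) filter, the "Service Accounts" class, and the sample entries are all assumptions made for the illustration. It shows the ascending evaluation-order-index walk, the base DN and filter checks, the synchronize-* flags, and the difference between -all- and -none- combined with an attribute map.

```python
"""Added example: model of sync-class selection and attribute mapping.
Not PingDataSync code. The SyncClass fields, the (attr=value)-only filter
subset, and the sample classes and entries are assumptions for this page."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SyncClass:
    class_name: str
    evaluation_order_index: int = 9999            # default is fine for a single class
    include_base_dn: Optional[str] = None
    include_filter: Optional[str] = None          # only (attr=value) supported here
    auto_mapped_source_attribute: str = "-all-"   # "-all-", "-none-", or "attr1,attr2"
    attribute_map: dict = field(default_factory=dict)  # source attr -> destination attr
    synchronize_creates: bool = True
    synchronize_modifies: bool = True
    synchronize_deletes: bool = True


def _norm_dn(dn: str) -> str:
    """Lower-case and trim each RDN so DN comparison ignores case and spacing."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def dn_is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base DN itself or lies anywhere beneath it."""
    entry, base = _norm_dn(entry_dn), _norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def matches_filter(entry: dict, flt: str) -> bool:
    """Evaluate one equality filter such as (objectClass=inetOrgPerson)."""
    if not (flt.startswith("(") and flt.endswith(")") and "=" in flt):
        raise ValueError(f"unsupported filter in this example: {flt}")
    attr, value = flt[1:-1].split("=", 1)
    present = entry["attributes"].get(attr.strip().lower(), [])
    return any(v.lower() == value.strip().lower() for v in present)


def select_sync_class(classes, entry) -> Optional[SyncClass]:
    """Return the first matching class in ascending index order, or None."""
    indexes = [c.evaluation_order_index for c in classes]
    if len(indexes) != len(set(indexes)):
        raise ValueError("each sync class on a pipe needs a distinct evaluation-order-index")
    for cls in sorted(classes, key=lambda c: c.evaluation_order_index):
        if cls.include_base_dn and not dn_is_under(entry["dn"], cls.include_base_dn):
            continue
        if cls.include_filter and not matches_filter(entry, cls.include_filter):
            continue
        return cls
    return None  # no class applies: the change is not synchronized


def should_synchronize(cls: SyncClass, change_type: str) -> bool:
    """Apply the synchronize-creates/modifies/deletes flags to a change type."""
    return {"add": cls.synchronize_creates,
            "modify": cls.synchronize_modifies,
            "delete": cls.synchronize_deletes}[change_type]


def map_attributes(cls: SyncClass, entry) -> dict:
    """Destination attributes from auto-mapped-source-attribute plus attribute-map."""
    src = entry["attributes"]
    amap = {k.lower(): v for k, v in cls.attribute_map.items()}
    auto = cls.auto_mapped_source_attribute
    if auto == "-all-":
        selected = set(src)
    elif auto == "-none-":
        selected = set()
    else:
        selected = {a.strip().lower() for a in auto.split(",")}
    selected |= set(amap)  # attribute-map entries are always included
    return {amap.get(a, a): list(src[a]) for a in sorted(selected) if a in src}


# Constructed sample configuration: a narrow service-account class evaluated
# first, then the "User Class" from the dsconfig example above.
CLASSES = [
    SyncClass("Service Accounts", 100,
              include_base_dn="ou=Services,dc=example,dc=com",
              include_filter="(objectClass=account)",
              auto_mapped_source_attribute="-none-",
              attribute_map={"uid": "userName"},
              synchronize_deletes=False),  # never propagate service-account deletes
    SyncClass("User Class", 200,
              include_base_dn="ou=People,dc=example,dc=com",
              include_filter="(objectClass=inetOrgPerson)",
              attribute_map={"uid": "userName", "mail": "emails"}),
]

# Constructed sample source entries; attribute names are lower-cased as keys.
SAMPLE_ENTRIES = {
    "alice": {"dn": "uid=alice,ou=People,dc=example,dc=com",
              "attributes": {"objectclass": ["top", "person", "inetOrgPerson"],
                             "uid": ["alice"], "mail": ["alice@example.com"], "sn": ["Liddell"]}},
    "backup-svc": {"dn": "uid=backup-svc,ou=Services,dc=example,dc=com",
                   "attributes": {"objectclass": ["top", "account"],
                                  "uid": ["backup-svc"], "description": ["nightly backup"]}},
    "admins": {"dn": "cn=admins,ou=People,dc=example,dc=com",
               "attributes": {"objectclass": ["top", "groupOfNames"], "cn": ["admins"]}},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        cls = select_sync_class(CLASSES, entry)
        print(name, "->", "no matching sync class" if cls is None
              else f"{cls.class_name} {map_attributes(cls, entry)}")
```

Running the module shows alice handled by "User Class" with uid and mail renamed to userName and emails, backup-svc handled by "Service Accounts" with only userName reaching the destination because of -none-, and the admins group entry matching no class at all. Adding a class with no base DN or filter at a lower index than the others makes every entry fall into it, which is the ordering pitfall the evaluation-order-index description warns about.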