Ping Identity Data Sync Server Command-Line Tool Reference

Data Sync Server Documentation Index
Command-Line Tool Reference Home

resync

Description

A resync operation can be used to resynchronize a Sync Destination with the contents of the Sync Pipe's corresponding Sync Source.

The resync command operates on a single Sync Pipe at a time by retrieving entries from the Sync Source in bulk, comparing them with the corresponding entries at the Sync Destination, and if the entries are out-of-sync, acting according to the Synchronization Server configuration and command-line options. If the --dry-run option is specified, then resync only logs what is out-of-sync. Otherwise, if the entry is missing, then it is created, and if attributes are out-of-sync, then they are updated. Details of the resync operation are written to a log with a configurable level of verbosity.

The resync command can optionally take in a file which contains a specific list of source DNs to synchronize. With this option, base-level searches will be issued for each DN in the file, rather than a bulk subtree search for a batch of entries. This functionality allows for very fine-grained control of which entries get synchronized, and also gives the ability to retry resync for entries that failed on a previous attempt. On very large data sets, this can be a practical way to avoid several long-running resync jobs. Any entries that fail to synchronize are written to the file specified in the --failedDNsFile argument, which can then be passed in as the --sourceInputFile argument on a subsequent run. The 'sync-failed-dns' file in the logs directory, which contains the DNs of all entries that have failed to synchronize (even after retries), can also be used as an input file for resync.

Resync can also run against a RDBMS environment (i.e. if the source of the specified Sync Pipe is a JDBC Sync Source). In this case you must either specify the --entryType argument to identify which database entry type to resync, or the --sourceInputFile argument to identify a file containing data to pass to the extension. The Server SDK extension is responsible for listing out all the database entries of that type and fetching them into LDAP entries, which are then processed based on the rules of the matching Sync Class and the command-line options. Certain options such as --baseDN and --sourceSearchFilter, are not applicable for this type of resync and will have no effect. If a database is the destination of the Sync Pipe, then resync will behave just like it does with a normal directory-to-directory Sync Pipe, and all options may be used.

Entries synchronized from the Sync Source undergo the same filtering and mapping as during real-time synchronization. Entries are synchronized according to the settings in their matching Sync Class. The Sync Class controls what attribute and DN maps are used and whether entries at the destination are created or modified (this can be overridden with the --synchronizeCreates and --synchronizeModifies command-line options). If an entry does not match any Sync Class, then it will be dropped.

The resync command-line options give fine-grained control over what is synchronized. Specific Sync Classes can be included or excluded from synchronization. The set of source entries to be compared can be restricted using the --sourceSearchFilter option. Also, the set of attributes that are synchronized can be controlled by including or excluding both source and destination attributes from synchronization. Note: A destination attribute might depend on multiple source attributes (e.g., the 'initials' destination attribute might depend on both 'givenname' and 'sn' from the source), and a single source attribute might be used to construct the value of multiple destination attributes (e.g. 'givenname' at the source might be used to construct a value for both 'cn' and 'initials' at the destination). Including and excluding source attributes from resync can affect both of these scenarios. If a destination attribute depends on multiple source attributes, then all of those attributes must be included for synchronization (implicitly or explicitly) for that attribute to be updated.

The resync command is designed to function well in an environment where both the Sync Source and Sync Destination are actively being updated by other clients including the Synchronization Server synchronizing changes in real-time. There are a few options that are especially useful in these scenarios. When a value greater than one is provided with the --numPasses option, then resync rechecks out-of-sync entries multiple times to account for entries that are temporarily out-of-sync due to synchronization delays. The --dry-run option allows the administrator to preview any changes that would be applied by resync without updating the Sync Destination. Finally, the --ratePerSecond option can be used to limit the impact of the resync command on the end servers. By default, resync attempts to resynchronize the Sync Source and Sync Destination as quickly as possible, but this can have a performance impact on the servers. Explicitly setting the maximum resync rate of entries compared per second can limit this impact.

The resync command serves many purposes in a deployment.

When initially configuring a Sync Pipe with an empty Sync Destination, resync can be used to populate the Sync Destination with entries equivalent to the entries in the Sync Source before starting real-time synchronization. For very large deployments, it can be faster to export entries from the source into an LDIF file, run the translate-ldif tool to translate and filter the entries into the destination format, and then import the resulting LDIF file into the destination server.

Likewise, when initially configuring a Sync Pipe with a Sync Destination that already contains data, resync can be used to bring the Sync Destination in-sync with the Sync Source before starting real-time synchronization.

Running resync on a scheduled basis, for example nightly, can take the place of real-time synchronization in deployments where a synchronization delay is tolerable.

Running resync with the --dry-run option can be used to validate that real-time synchronization is behaving as expected. When coupled with the "--numPasses 3" option, for example, resync even avoids reporting entries that are only temporarily out-of-sync due to real-time synchronization delays.

If in an established deployment, the Data Sync Server is configured to only synchronize a subset of attributes from the Sync Source, then if that list of attributes is ever expanded, resync can be used to synchronize existing values of the newly added attributes in bulk.

Examples

The following example shows a basic invocation of resync that should be used when many entries are out-of-sync, including initially populating the destination or bulk synchronizing a newly configured attribute:

resync --pipe-name "Some Sync Pipe"

If a Sync Class is configured to not synchronize creation of new entries automatically, resync can be run periodically to create entries that were added since the last time resync was run. In the following example, resync creates missing users who were created in the source after 12:00pm on March 31, 2005 (GMT-06), presumably the last time a similar resync command was run. (Note the createTimeStamp and modifyTimeStamp attributes are stored in a "Generalized Time" format, which requires always specifying a timezone. With this query, the directory server still needs to process most entries, but only those matching the filter are sent to and processed by the Data Sync Server):

resync --pipe-name "Some Sync Pipe" --includeSyncClass Users \
     --sourceSearchFilter "(createTimeStamp>=200503311200-0600)" \
     --synchronizeCreates true --synchronizeModifies false

The resync command can be used to test out general configuration settings by determining how a given user would be mapped and synchronized with the current configuration. The following resync invocation dumps the user with a uid of some-test-user (assuming there is only one) from the Sync Source. Because the log level is set to debug, resync logs verbose details about the mapping and comparisons done for this entry to resync-debug.log. The Sync Destination is not updated because the --dry-run option is specified. The debug log level is also useful for determining why resync is not synchronizing entries as expected, but note that it must only be used when processing a few entries because of the high volume of log messages that it generates:

resync --pipe-name "Some Sync Pipe" --sourceSearchFilter "(uid=some-test-user)" \
     --dry-run --logFilePath resync-debug.log --logLevel debug

The resync command also gives explicit control over which attributes are included or excluded from synchronization. The following example will update all destination attributes that depend exclusively on the 'givenname' and 'sn' attributes except for the 'mail' attribute. (This example assumes that a constructed value attribute mapping has been defined that builds the 'mail' attribute from the source 'sn' and 'givenname' attributes, e.g. '{givenname}.{sn}@example.com'):

resync --pipe-name "Some Sync Pipe" --includeSourceAttr givenname \
     --includeSourceAttr sn --excludeDestinationAttr mail

This example shows the use of the --sourceInputFile argument against a directory server Sync Source. Only the DNs listed in this file will be retrieved from the directory and processed. The file must only contain DNs in LDIF format (i.e. "dn: cn=user1,dc=example,dc=com") and comment lines, which must start with a pound sign ('#'). DNs are allowed to be wrapped, and are assumed to be wrapped on any lines that begin with a space followed by text. Empty lines are ignored:

resync --pipe-name "Some Sync Pipe" --sourceInputFile sourceDNs.txt

The following example shows a basic invocation of resync for endpoints that are expected to be mostly in-sync. (Omit the --numPasses argument any time a large number of entries are expected to be out-of-sync to avoid having the command run out of memory.) The command dumps all of the entries from the source and compares any entries that are in any Sync Class to the corresponding destination entry. In-sync entries are left untouched. Out-of-sync or missing entries are recompared a total of three times to account for synchronization delays. If an entry is missing after three attempts, the command creates it. If the entry is out-of-sync, it will be updated to bring it in-sync (assuming this is permitted by the settings in the entry's Sync Class):

resync --pipe-name "Some Sync Pipe" --numPasses 3

This example shows the use of the --sourceInputFile argument against a JDBC Sync Source. The format of the file is up to the user, but usually it will contain a list of primary keys or SQL queries. The contents of the file are passed line-by-line into the listAllEntries() method of the JDBCSyncSource extension which is used for this Sync Pipe. This method can then process the input and return DatabaseChangeRecord instances based on the input from the file:

resync --pipe-name "Some Sync Pipe" --sourceInputFile sourceSQL.txt \
     --entryType ACCOUNTS

Arguments

-V
--version

Description

Display Data Sync Server version information

-H
--help

Description

Display general usage information

--help-debug

Description	Display help for using debug options
Advanced	Yes

-p {sync-pipe-name}
--pipe-name {sync-pipe-name}

Description	Name of the Sync Pipe to use when performing the resync
Required	Yes
Multi-Valued	No

--includeSyncClass {sync-class-name}

Description	Name of the Sync Class to perform the resync on. This option can be used to restrict the resync operation to specific Sync Classes. If it is omitted, then resync synchronizes all Sync Classes in the Sync Pipe
Required	No
Multi-Valued	Yes

--excludeSyncClass {sync-class-name}

Description	Name of the Sync Class to exclude from the resync operation. All Sync Classes in the Sync Pipe that are not excluded will be included in the resync
Required	No
Multi-Valued	Yes

--baseDN {base-dn}

Description	Specify the base DN to search for the resync operation. If this option is not specified then all the base DNs from the Sync Source will be searched
Required	No
Multi-Valued	No

--entryType {database-entry-type}

Description	When synchronizing from a database, this specifies the type of database entry to search for. This must match one of the configured entry types in the JDBCSyncSource
Required	No
Multi-Valued	No

--sourceSearchFilter {source-ldap-filter}

Description	Specify the LDAP filter for source entries to include in the resync operation. This only has an effect on sources that use LDAP. If this option is not specified then all entries from the source that match a Sync Class will be included in the resync operation
Required	No
Multi-Valued	No

--sourceSearchSCIMFilter {source-scim-filter}

Description	Specify the SCIM filter for source entries to include in the resync operation. This only has an effect on sources that support SCIM filters like the PingOne Sync Source. If this option is not specified then all entries from the source that match a Sync Class will be included in the resync operation
Required	No
Multi-Valued	No

--synchronizeModifies {true|false}

Description	Specify whether out-of-sync entries are always modified during the resync operation. If this option is not specified, then the synchronize-modifies property of the matching Sync Class determines whether a destination entry is modified
Required	No
Multi-Valued	No

--synchronizeCreates {true|false}

Description	Specify whether missing entries are always created during the resync operation. If this option is not specified, then the synchronize-creates property of the matching Sync Class determines whether a destination entry is created
Required	No
Multi-Valued	No

--includeSourceAttr {attribute}

Description	Restrict the set of source attributes that are synchronized to the destination. By default all source attributes are synchronized to the destination. If this option is specified, then only destination attributes dependent exclusively upon included source attributes will be modified
Required	No
Multi-Valued	Yes

--excludeSourceAttr {attribute}

Description	Restrict the set of source attributes that are synchronized to the destination. By default all source attributes are synchronized to the destination. If this option is specified, then all destination attributes will be synchronized except those that depend on the specified source attributes
Required	No
Multi-Valued	Yes

--includeDestinationAttr {attribute}

Description	Restrict the set of destination attributes that are synchronized. By default all destination attributes are synchronized. If this option is specified, then only the destination attributes specified with this option will be modified
Required	No
Multi-Valued	Yes

--excludeDestinationAttr {attribute}

Description	Restrict the set of destination attributes that are synchronized. By default all destination attributes are synchronized. If this option is specified, then all destination attributes are synchronized except those specified with this option
Required	No
Multi-Valued	Yes

--dry-run

Description

Do not modify anything at the destination, but report via the status and the log file what is out-of-sync

--numPasses {num-passes}

Description	Specify the total number of times to compare an entry that is out-of-sync to account for synchronization delays. If both servers are quiescent, then a value of 1 can be provided. If either server is actively being modified, a larger value for this attribute might prevent false positives. For example, an entry reported as out-of-sync when in fact a modification to it has not yet synchronized. If a value greater than 1 is specified and a very large number of entries are out-of-sync, then the resync process might run out of memory since between passes it buffers in memory a small amount of information about each entry
Lower Bound	1
Upper Bound	100
Default Value	1
Required	No
Multi-Valued	No

--secondsBetweenPass {seconds}

Description	Specify the number of seconds to wait between each pass of rechecking entries that were out-of-sync in the hope that they are only temporarily out-of-sync due to synchronization delays
Lower Bound	0
Upper Bound	1000
Default Value	5
Required	No
Multi-Valued	No

-Q
--quiet

Description

Use quiet mode

-r {comparisons-per-second}
--ratePerSecond {comparisons-per-second}

Description	Specify the target number of resync comparisons to perform per second. This can be used to throttle resync, reducing its load on the end servers. If this option is not provided, then the max-rate-per-second configuration setting on the Sync Pipe will be used. If neither is specified, then the tool will run at the maximum rate for the specified number of threads
Lower Bound	1
Upper Bound	100000
Required	No
Multi-Valued	No

--ratePerSecondFile {target-rate-file}

Description	Path to a file that contains the target rate per second. The resync command will target the rate specified in this file and will adjust its rate if the rate in the file changes. This option should only be used in place of the --ratePerSecond option if the rate needs to change during the resync run, for instance, if a resync of a very large dataset needs to be reduced during peak hours
Required	No
Multi-Valued	No

-t {num-threads}
--numThreads {num-threads}

Description	Specify the number of threads to use when comparing entries during resync. Changing the number of threads can affect the throughput of resync as well as the performance impact on the end systems. When either of the endpoints is a database, be careful that the number of threads does not exceed the max connection pool size (configured on the JDBCSyncSource or JDBCSyncDestination). If this option is not provided, then the tool will use a default of 20 threads
Lower Bound	1
Upper Bound	1000
Default Value	20
Required	No
Multi-Valued	No

-o {resync-log-file}
--logFilePath {resync-log-file}

Description	Path to the file where details of the resync operation are logged (the default location is under /logs/tools)
Default Value	resync.log
Required	No
Multi-Valued	No

-L {log-level}
--logLevel {log-level}

Description	Specify the resync log level that controls the amount of logging. Available options are ['none': No logging is performed]; ['out-of-sync-summary': A single summary message is logged for each missing or out-of-sync entry]; ['out-of-sync-detailed': A single detailed message, including the source and destination entry contents, is logged]; ['all-entries-summary': Multiple summary messages are logged for every entry that is loaded or compared. The contents of the entries are not logged]; ['all-entries-detailed': Multiple detailed messages are logged for every entry that is loaded or compared. The contents of the entries are included. Choosing this level can have an impact on performance and can result in a large output file if many entries are synchronized]; ['debug': Multiple verbose messages are logged for every entry that is loaded or compared. The contents of the entries are included during various stages of processing. This option should be reserved for diagnosing problems as it can drastically slow performance and generate a very large volume of log data]. The default is out-of-sync-summary
Default Value	out-of-sync-summary
Required	No
Multi-Valued	No

--sourceInputFile {source-input-file}

Description	Path to a file that contains a specific list of identifiers from the Sync Source that resync should consider. This can be used instead of the default bulk-search functionality. For LDAP Sync Sources, this file should contain a list of DNs; for JDBC Sync Sources, the data may be in a user-defined format since it will be consumed by a JDBC Sync Source extension
Required	No
Multi-Valued	No

-F {failed-dn-file}
--failedDNsFile {failed-dn-file}

Description	Path to a file that will contain a list of DNs from the Sync Source that failed to synchronize for any reason (the default location is under /logs/tools). This file can later be used in the --sourceInputFile argument to retry synchronization of only the entries that failed on a previous attempt
Default Value	resync-failed-DNs.log
Required	No
Multi-Valued	No

--consoleLogFilePath {consoleLogFilePath}

Description	Echo the console output to the specified log file, instead of the default '/logs/tools/resync-errors.log' file
Required	No
Multi-Valued	No