An Generic LDAP Sync Destination defines the destination of a Sync Pipe that is a topology of directory servers that are LDAPv3.
The Generic LDAP Sync Destination component inherits from the LDAP Sync Destination
The following components have a direct aggregation relation from Generic LDAP Sync Destinations:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | response-timeout |
| base-dn | max-failover-error-code-frequency |
| password-synchronization-format | plugin |
| server | require-secure-connection-for-clear-text-passwords |
| Description | A description for this Sync Destination |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the base DNs of the servers referenced by this Sync Destination. These base DNs are used as the base of LDAP searches when locating entries. These base DNs must not overlap. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
password-synchronization-format
| Description | Specifies the format for password synchronization values. This only applies to Sync Classes that have been configured to synchronize the userPassword attribute. By default passwords will be synchronized in their pre-encoded format; which is the most secure option. For LDAP servers that do not support modifying the userPassword attribute with a pre-encoded value, this option can be configured to synchronize passwords as clear-text. Clear-text password synchronization is only available when the source is a Ping Identity Directory Server instance. |
| Default Value | pre-encoded |
| Allowed Values | pre-encoded - This is the most secure option and simplest to configure, but it requires the LDAP server to support pre-encoded passwords. clear-text - This must be chosen when the LDAP server does not support pre-encoded passwords. This requires additional configuration steps. Refer to the admin guide for more details. Clear-text passwords cannot be synchronized with the resync command. Use require-secure-connection-for-clear-text-passwords for further configuration. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the names of the generic LDAP instances that should be used as the destination of synchronization. The order of values is important as it is used as a priority order for failover. When a location is defined on the Data Sync Server, it will always prefer to fail over to external servers in that same location or in one of the preferred failover locations for that location. If there are multiple external servers available in the target location, then the Data Sync Server will prefer the earliest one in this list and then work its way down. If there is no location defined on the Data Sync Server or if there are no external servers configured in the target location or any of the preferred failover locations, then the Data Sync Server will work its way down the list of servers in the order they are listed here. |
| Default Value | None |
| Allowed Values | The DN of any LDAP External Server. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
response-timeout (Advanced Property)
| Description | Specifies the maximum length of time that an operation should be allowed to block while waiting for a response from the server. A value of zero indicates that there should be no client-side timeout; the server's default will be used. This property indicates how long the Data Sync Server should wait for a response from a search/add/modify/delete request to a destination server before failing with LDAP result code 85 (client-side timeout). When this happens, the Sync Destination will retry the request according to the max-failover-error-code-frequency property before failing over to a different destination server and performing the retry there. The total number of retries will not exceed the max-operation-attempts value defined in the Sync Pipe configuration. |
| Default Value | 1 m |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-failover-error-code-frequency (Advanced Property)
| Description | This property controls the frequency of how often a given LDAP error code may be encountered on a connection before the Data Sync Server fails over to a different destination server. This allows the retry logic to be tuned, so that retries can be performed once on the same server before giving up and trying another server. The value can be set to zero if there is no acceptable error code frequency and failover should happen immediately. It can also be set to a very small value (such as 10 ms) if a high frequency of error codes is tolerable. As an example, if the value is set to 3 minutes, this says that a TIMEOUT error code from the currently connected server will not trigger a failover unless there was another TIMEOUT from the same server within the last 3 minutes. This property applies to all LDAP result codes except the following:
|
| Default Value | 3 m |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies sync destination plugins that should be applied to operations that are synchronized by this LDAP Sync Destination. If multiple plugins are provided, then they will be invoked in the order they are specified. |
| Default Value | None |
| Allowed Values | The DN of any LDAP Sync Destination Plugin. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
require-secure-connection-for-clear-text-passwords (Advanced Property)
| Description | Specifies whether or not clear-text password synchronization requires a secure connection. The default value is true. This setting only has an effect if the password-synchronization-format configuration value is set to clear-text. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | When this is set to false, passwords are sent over the network in the clear, so they can be snooped by other network devices. Setting this to false is only recommended for test environments or on networks that are otherwise protected from snooping. |
To list the configured Sync Destinations:
dsconfig list-sync-destinations
[--property {propertyName}] ...
To view the configuration for an existing Sync Destination:
dsconfig get-sync-destination-prop
--destination-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Sync Destination:
dsconfig set-sync-destination-prop
--destination-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Generic LDAP Sync Destination:
dsconfig create-sync-destination
--destination-name {name}
--type generic
--set base-dn:{propertyValue}
--set server:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Sync Destination:
dsconfig delete-sync-destination
--destination-name {name}