Global Sync Configuration

Global Sync Configuration contains the properties that affect the overall operation of Sync with Data Sync Server.

Relations from This Component Properties dsconfig Usage

Relations from This Component

The following components have a direct aggregation relation from Global Sync Configurations:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 started  None
 changelog-password-decryption-key
 changelog-password-decryption-key-passphrase-provider
 sync-failover-polling-interval
 sync-failover-connection-timeout
 sync-failover-response-timeout
 log-redaction-regex

Basic Properties

started

Description
Indicates whether the Sync is running. When set to false, all synchronization is stopped globally. When set to true, all synchronization is started for all Sync Pipes that are enabled.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

changelog-password-decryption-key

Description
The passphrase used to generate the key used to encrypt passwords stored in the changelog. This enables the Data Sync Server to synchronize passwords to other types of endpoints which do not use the same password storage scheme as the Ping Identity Directory Server. Passwords are initially encrypted using the encryption password specified on the Changelog Backend of the server receiving the change. There can be multiple values for this property, because you may opt to use different encryption keys on different Directory Server environments. The Data Sync Server can match encrypted passwords with the keys that were used to encrypt them, so it is safe to specify several different values here.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

changelog-password-decryption-key-passphrase-provider

Description
A passphrase provider that may be used to obtain the passphrase used to generate the key used to encrypt passwords stored in the changelog. This enables the Data Sync Server to synchronize passwords to other types of endpoints which do not use the same password storage scheme as the Ping Identity Directory Server. Passwords are initially encrypted using the encryption password specified on the Changelog Backend of the server receiving the change. There can be multiple values for this property, because you may opt to use different encryption keys on different Directory Server environments. The Data Sync Server can match encrypted passwords with the keys that were used to encrypt them, so it is safe to specify several different values here.
Default Value
None
Allowed Values
The DN of any Passphrase Provider.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

sync-failover-polling-interval

Description
The amount of time (in milliseconds) this server will wait between polls of the other servers in the Data Sync Server topology. A lower value will make for a quicker failover in the event of a failure, but it will also cause more frequent traffic among the Data Sync Servers.
Default Value
5000
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

sync-failover-connection-timeout

Description
The duration of time this server will wait to establish a connection to other servers in the Data Sync Server topology for failover detection. A lower value will make for a quicker failover in the event of a failure.
Default Value
10 s
Allowed Values
A duration. Lower limit is 1 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

sync-failover-response-timeout

Description
The duration of time this server will wait for a response over an established connection from other servers in the Data Sync Server topology for failover detection. A lower value will make for a quicker failover in the event of a failure.
Default Value
30 s
Allowed Values
A duration. Lower limit is 1 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

log-redaction-regex

Description
A pattern that when matched produces replacement text for sensitive log messages. This can be used to redact passwords, credit card numbers and other sensitive data. Log messages are redacted by replacing text that matches a specified regular expression with specified replacement text. The regular expression may contain groups that then may be referenced by back references in the replacement. The way the regular expression is interpreted may be altered by specifying flags.

The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses syntax '/regex/replacement/flags' where:

  • 'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc.
  • 'replacement' is replacement text for text matched by 'regex'. The replacement text may contain back references ($1, $2,etc.) to groups in 'regex'.
  • 'flags' is a list of letters each of which activates one of the flags in the java.util.regex.Pattern class. The flags have the following meanings:
  • 'd' : the regex pattern is compiled with Pattern.UNIX_LINES.
  • 'i' : the regex pattern is compiled with Pattern.CASE_INSENSITIVE.
  • 'x' : the regex pattern is compiled with Pattern.COMMENTS.
  • 'm' : the regex pattern is compiled with Pattern.MULTILINE.
  • 's' : the regex pattern is compiled with Pattern.DOTALL.
  • 'u' : the regex pattern is compiled with Pattern.UNICODE_CASE.
  • 'U' : the regex pattern is compiled with Pattern.UNICODE_CHARACTER_CLASS
The substitution value is constructed using Java code equivalent to:

Pattern pattern = Pattern.compile(regex, flags);
Matcher matcher = pattern.matcher(originalMessage);
String redactedMessage = matcher.replaceAll(replacement);

Here is an example to summarize these points. Suppose, attribute 'ssn' has values that need to be redacted. It's multi-valued to allow for people that have more than one SSN. The modify LDIF might contain:
ssn: 111-22-3333
SSN: 444-55-6666
ssn:777-88-9999
Note that the second attribute name is made up of capital letters and that the last row does not contain a space after the colon, so both variations needs to be accommodated by the regex.

The goal is to replace the first five digits with '0' in order to hide the full value, but then to preserve the last four digits. Here's the above example after redaction:
ssn: 000-00-3333
SSN: 000-00-6666
ssn:000-00-9999
The above could be accomplished with the following pattern:
/\b(ssn:\s*)\d{3}-\d{2}-(\d{4})/$1000-00-$2/i
The '\b' matches a word boundary, so an attribute name that ends with 'ssn' will not match. The '\d' matches the number of digits specified in the '{}'. The '$1000' is actually '$1' followed by a literal '000'. Flag 'i' is used so that the upper case 'SSN' is matched as well. All three rows are matched even if they occur in a single log message.

Default Value
None
Allowed Values
The pattern used to redact log messages.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To view the Global Sync Configuration configuration:

dsconfig get-global-sync-configuration-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the Global Sync Configuration configuration:

dsconfig set-global-sync-configuration-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...