Note: this is an abstract component that cannot be instantiated.
An LDAP Sync Destination defines the destination of a Sync Pipe that is an LDAP Directory Server.
The following LDAP Sync Destinations are available in the server:
These LDAP Sync Destinations inherit from the properties described below.
The LDAP Sync Destination component inherits from the Sync Destination.
The following components have a direct aggregation relation from LDAP Sync Destinations:
The properties supported by this managed object are as follows:
| Basic Properties | Advanced Properties |
|---|---|
| description | response-timeout |
| base-dn | max-failover-error-code-frequency |
| password-synchronization-format | plugin |
| | require-secure-connection-for-clear-text-passwords |
description

| Description | A description for this Sync Destination |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
base-dn

| Description | Specifies the base DNs of the servers referenced by this Sync Destination. These base DNs are used as the base of LDAP searches when locating entries. These base DNs must not overlap. |
|---|---|
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
password-synchronization-format

| Description | Specifies the format for password synchronization values. This only applies to Sync Classes that have been configured to synchronize the userPassword attribute. By default, passwords are synchronized in their pre-encoded format, which is the most secure option. For LDAP servers that do not support modifying the userPassword attribute with a pre-encoded value, this option can be configured to synchronize passwords as clear-text. Clear-text password synchronization is only available when the source is a Ping Identity Directory Server instance. |
|---|---|
| Default Value | pre-encoded |
| Allowed Values | pre-encoded: the most secure option and the simplest to configure, but it requires the LDAP server to support pre-encoded passwords. clear-text: must be chosen when the LDAP server does not support pre-encoded passwords; this requires additional configuration steps (refer to the admin guide for more details). Clear-text passwords cannot be synchronized with the resync command. Use require-secure-connection-for-clear-text-passwords for further configuration. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
response-timeout (Advanced Property)

| Description | Specifies the maximum length of time that an operation should be allowed to block while waiting for a response from the server. A value of zero indicates that there should be no client-side timeout; the server's default will be used. This property indicates how long the Data Sync Server should wait for a response from a search/add/modify/delete request to a destination server before failing with LDAP result code 85 (client-side timeout). When this happens, the Sync Destination will retry the request according to the max-failover-error-code-frequency property before failing over to a different destination server and performing the retry there. The total number of retries will not exceed the max-operation-attempts value defined in the Sync Pipe configuration. |
|---|---|
| Default Value | 1 m |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-failover-error-code-frequency (Advanced Property)

| Description | This property controls the frequency of how often a given LDAP error code may be encountered on a connection before the Data Sync Server fails over to a different destination server. This allows the retry logic to be tuned, so that retries can be performed once on the same server before giving up and trying another server. The value can be set to zero if there is no acceptable error code frequency and failover should happen immediately. It can also be set to a very small value (such as 10 ms) if a high frequency of error codes is tolerable. As an example, if the value is set to 3 minutes, a TIMEOUT error code from the currently connected server will not trigger a failover unless there was another TIMEOUT from the same server within the last 3 minutes. This property applies to all LDAP result codes except the following: |
|---|---|
| Default Value | 3 m |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
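The interaction between response-timeout, max-failover-error-code-frequency and the Sync Pipe's max-operation-attempts is easier to reason about as a small model. The following is an added example, not Data Sync Server code: it parses the duration notation the page uses, applies the page's rule (fail over only when the same result code was seen on the same server within the frequency window, or immediately when the window is zero), caps the total attempts, and runs a few constructed timeout sequences against it. The server names, timings and the assumption that every result code is treated alike (the page exempts some codes, but that list is not reproduced here) are all constructed for the demonstration.

```python
import re

# Seconds per unit for the duration notation the page uses ("1 m", "3 m", "10 ms",
# "0 milliseconds"); accepting s/seconds and h/hours as well is an assumption.
_UNIT_SECONDS = {
    "ms": 0.001, "milliseconds": 0.001,
    "s": 1.0, "seconds": 1.0,
    "m": 60.0, "minutes": 60.0,
    "h": 3600.0, "hours": 3600.0,
}

CLIENT_SIDE_TIMEOUT = 85  # LDAP result code 85, the code the page names for a response-timeout


def parse_duration(text):
    """Convert a duration string such as "3 m" or "10 ms" to seconds."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([a-z]+)\s*", text.lower())
    if match is None or match.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised duration: {text!r}")
    return float(match.group(1)) * _UNIT_SECONDS[match.group(2)]


class FailoverPolicy:
    """Models the retry-or-failover decision for one Sync Destination.

    Rule taken from the page: an error code seen on the current server triggers
    failover only if the same code was seen on the same server within the last
    max-failover-error-code-frequency; a frequency of zero fails over at once.
    The page exempts some result codes from this rule, but that list is not
    reproduced here, so this model treats every code alike (an assumption).
    """

    def __init__(self, servers, max_failover_error_code_frequency="3 m",
                 max_operation_attempts=3):
        self.servers = list(servers)                # constructed destination server names
        self.current = 0                            # index of the server currently in use
        self.frequency = parse_duration(max_failover_error_code_frequency)
        self.max_attempts = max_operation_attempts  # max-operation-attempts from the Sync Pipe
        self.last_seen = {}                         # (server, result_code) -> time in seconds

    @property
    def current_server(self):
        return self.servers[self.current]

    def on_error(self, result_code, now):
        """Record an error at time `now` (seconds) and return 'retry' or 'failover'."""
        key = (self.current_server, result_code)
        previous = self.last_seen.get(key)
        self.last_seen[key] = now
        recent = previous is not None and (now - previous) <= self.frequency
        if self.frequency == 0 or recent:
            self.current = (self.current + 1) % len(self.servers)
            return "failover"
        return "retry"


def run_operation(policy, outcomes):
    """Drive one sync operation through a constructed list of attempt outcomes.

    `outcomes` holds (time_in_seconds, result_code) pairs; a result_code of None
    means the attempt succeeded. Returns (status, attempts_used, trace), where
    trace records (server, decision) per attempt.
    """
    trace = []
    attempts = 0
    for when, code in outcomes:
        if attempts >= policy.max_attempts:
            break                                   # total retries capped by max-operation-attempts
        attempts += 1
        server = policy.current_server
        if code is None:
            trace.append((server, "success"))
            return "success", attempts, trace
        trace.append((server, policy.on_error(code, when)))
    return "failed", attempts, trace


def demo():
    """Four scenarios with constructed timings; returns their results keyed by name."""
    servers = ["ds1.example.test", "ds2.example.test"]
    results = {}
    # Two timeouts 60 s apart on ds1 fall within the 3 m window: retry once, then fail over.
    results["within_window"] = run_operation(
        FailoverPolicy(servers), [(0, CLIENT_SIDE_TIMEOUT), (60, CLIENT_SIDE_TIMEOUT), (61, None)])
    # The same two timeouts 5 min apart stay on ds1: each one is retried on the same server.
    results["outside_window"] = run_operation(
        FailoverPolicy(servers), [(0, CLIENT_SIDE_TIMEOUT), (300, CLIENT_SIDE_TIMEOUT), (301, None)])
    # Frequency 0 means no tolerated error rate: fail over on the very first error.
    results["zero_frequency"] = run_operation(
        FailoverPolicy(servers, "0 milliseconds"), [(0, CLIENT_SIDE_TIMEOUT), (1, None)])
    # Attempts exhausted before success: the operation fails after max-operation-attempts.
    results["exhausted"] = run_operation(
        FailoverPolicy(servers), [(0, CLIENT_SIDE_TIMEOUT), (10, CLIENT_SIDE_TIMEOUT),
                                  (20, CLIENT_SIDE_TIMEOUT), (30, None)])
    return results


if __name__ == "__main__":
    for name, (status, attempts, trace) in demo().items():
        print(f"{name}: {status} after {attempts} attempt(s): {trace}")
```

Running the module prints one line per scenario. The "exhausted" case is the one to watch when tuning: a short frequency window plus a small max-operation-attempts means a flapping server consumes the attempt budget before the second server gets more than one try.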
plugin (Advanced Property)

| Description | Specifies sync destination plugins that should be applied to operations that are synchronized by this LDAP Sync Destination. If multiple plugins are provided, then they will be invoked in the order they are specified. |
|---|---|
| Default Value | None |
| Allowed Values | The DN of any LDAP Sync Destination Plugin. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
require-secure-connection-for-clear-text-passwords (Advanced Property)

| Description | Specifies whether or not clear-text password synchronization requires a secure connection. The default value is true. This setting only has an effect if the password-synchronization-format configuration value is set to clear-text. |
|---|---|
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | When this is set to false, passwords are sent over the network in the clear, so they can be snooped by other network devices. Setting this to false is only recommended for test environments or on networks that are otherwise protected from snooping. |
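Two of the constraints on this page are easy to check mechanically before a change goes in: the base-dn values must not overlap, and password-synchronization-format=clear-text combined with require-secure-connection-for-clear-text-passwords=false sends passwords over the network in the clear. The following is an added example, not Data Sync Server code, that runs both checks over a property map such as one assembled from the output of dsconfig get-sync-destination-prop. The DN normalization is simplified (it splits on unescaped commas only and ignores multi-valued RDNs), the severity labels are this example's own, and the sample configuration is constructed.

```python
import re

# Page defaults for the two password properties, used when a property is not set.
DEFAULTS = {
    "password-synchronization-format": "pre-encoded",
    "require-secure-connection-for-clear-text-passwords": "true",
}


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs with whitespace around commas and '=' removed.

    Splits only on unescaped commas; multi-valued RDNs and other escapes are not
    handled (a simplification that is fine for the constructed inputs below).
    """
    rdns = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in rdns if rdn.strip()]


def dn_overlaps(a, b):
    """True when the DNs are equal or one is an ancestor of the other.

    Compared as RDN lists, an ancestor is a suffix of its descendant.
    """
    ra, rb = normalize_dn(a), normalize_dn(b)
    shorter, longer = (ra, rb) if len(ra) <= len(rb) else (rb, ra)
    return longer[len(longer) - len(shorter):] == shorter


def find_overlapping_base_dns(base_dns):
    """Return every pair of configured base DNs that overlap."""
    return [(base_dns[i], base_dns[j])
            for i in range(len(base_dns))
            for j in range(i + 1, len(base_dns))
            if dn_overlaps(base_dns[i], base_dns[j])]


def lint(props):
    """Check a property map (property name -> value; base-dn holds a list).

    Returns a list of (severity, message). Severities: 'error' for a configuration
    the page forbids, 'high' for clear-text sync with no secure connection required,
    'warn' for clear-text sync that still requires a secure connection, 'ok' otherwise.
    """
    findings = []
    for a, b in find_overlapping_base_dns(props.get("base-dn", [])):
        findings.append(("error", f"base DNs must not overlap: {a!r} and {b!r}"))

    fmt = props.get("password-synchronization-format",
                    DEFAULTS["password-synchronization-format"])
    secure = props.get("require-secure-connection-for-clear-text-passwords",
                       DEFAULTS["require-secure-connection-for-clear-text-passwords"])
    if fmt == "pre-encoded":
        findings.append(("ok", "passwords are synchronized pre-encoded"))
    elif fmt == "clear-text" and str(secure).lower() == "true":
        findings.append(("warn", "clear-text password sync; a secure connection is required, "
                                 "and the resync command cannot synchronize these passwords"))
    elif fmt == "clear-text":
        findings.append(("high", "clear-text password sync without a required secure "
                                 "connection: passwords cross the network in the clear"))
    else:
        findings.append(("error", f"unknown password-synchronization-format {fmt!r}"))
    return findings


if __name__ == "__main__":
    # Constructed destination configuration with both problems present.
    sample = {
        "base-dn": ["dc=example,dc=test", "ou=people, DC=Example, dc=test"],
        "password-synchronization-format": "clear-text",
        "require-secure-connection-for-clear-text-passwords": "false",
    }
    for severity, message in lint(sample):
        print(f"[{severity}] {message}")
```

The overlap check compares RDN lists from the right, so a case or whitespace difference between two spellings of the same suffix does not hide an overlap; a real deployment would normalize attribute values according to their matching rules as well.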
To list the configured Sync Destinations:

```
dsconfig list-sync-destinations [--property {propertyName}] ...
```

To view the configuration for an existing Sync Destination:

```
dsconfig get-sync-destination-prop --destination-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Sync Destination:

```
dsconfig set-sync-destination-prop --destination-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To delete an existing Sync Destination:

```
dsconfig delete-sync-destination --destination-name {name}
```