You'll find all of the configuration parameters in the directory_service.ini, auth_policies.ini, and trusted_forests.ini files. The value is what you'll enter in the .ini file, and the description tells you how each value impacts the way AD Kit runs.
directory_service.ini

General Parameters

| Key | Value | Description |
|---|---|---|
| action_list | extract_users | Extracts users from your directory service to a TSV formatted file. Used for configuration and testing purposes. |
| | sync_users | One-way syncing of users from your AD to your Egnyte domain. Extracts, adds and updates your users. Note: When using this action, the allow_create key must be set to true. |
| | add_users | Reads user data from a TSV formatted file, then adds users to your domain in Egnyte. |
| | update_users | Updates user attributes (such as first/last name) in your Egnyte domain. |
| | list_users | Lists all users from your Egnyte domain. |
| | extract_groups | Extracts groups from your directory service to a TSV formatted file. Used for configuration and testing purposes. |
| | sync_groups | One-way syncing of groups and users from your AD to your Egnyte domain. Extracts, adds, and updates your groups and users. Note: When using this action, the allow_create key must be set to true. |
| | add_groups | Reads group data from a TSV formatted file, then adds groups to your Egnyte domain. |
| | update_groups | Updates group attributes in your Egnyte domain. |
| | list_groups | Lists all groups from your Egnyte domain. |
| | add_auth_policy | Adds an authentication policy to your Egnyte domain. |
| | list_auth_policy | Lists the configured auth policies defined by the auth_policies.ini file. |
| allow_create | false | Default is false. This key controls whether new users or groups are added to Egnyte during the sync_users and sync_groups actions. |
| | true | If set to true, allows users and groups to be created and modified by AD Kit in your Egnyte domain. |
| allow_delete | false | Default is false. This key controls whether users or groups are deleted from Egnyte during the sync_users and sync_groups actions. |
| | true | If set to true, users and groups can be either disabled or deleted by AD Kit in your Egnyte domain. |
| allow_delete_from_child_domains | false | Default is false. Users and groups will not be deleted from child AD domains. |
| | true | If set to true, users and groups from child AD domains can be deleted by AD Kit. This only works if the allow_delete key is also set to true. |
| delete_disabled_users | false | If set to false, AD Kit will not delete disabled users from Egnyte. This is the recommended setting. |
| | true | If set to true, AD Kit will delete disabled users from Egnyte that are managed by AD Kit. |
| send_invitation_email | false | An invitation email will not be sent unless Egnyte is chosen as the authentication method (see default_auth_type). |
| | true | An invitation email will be sent from a random user or the designated user (see token_type). Note: This configuration parameter only works with SSO and AD authenticated users. |
| seed_file | data.tsv | Output file that is created when extract_users or extract_groups is run. Review this file to ensure that the correct users are added. |
| trusted_forests_file | | Name of the trusted forests' controller configuration file. |
|
Egnyte Parameters

| Key | Value | Description |
|---|---|---|
| egnyte_domain | | Your domain name in Egnyte. If your domain name is acme.egnyte.com, only acme is needed. |
| token_type | domain_token | Designates that AD Kit will authenticate using a general domain token. If send_invitation_email is set to true, the invitation email will come from the user designated here. |
| | user_token | Designates that AD Kit will authenticate using a specific user's token. If send_invitation_email is set to true, the invitation email will come from a random user. |
| client_m_verison | Authentication key from Egnyte | If token_type is set to domain_token, paste in the Authentication key that was generated when you activated Active Directory in the Application settings. |
| user_client_m_verison | Personal authentication key from Egnyte | If token_type is set to user_token, paste in the Personal authentication key that was generated when you activated Active Directory in the Application settings. |
| email_suffix | | Specifies the suffix of the email address that goes after the username. |
| default_user_role | power | All users will be set up as Power Users in Egnyte. It is recommended to use power and then manually change individual users to admin as needed, since only one user type can be provisioned by AD Kit. |
| | admin | All users will be set up as Admin Users in Egnyte. |
| default_power_user_role | Name of a specified Role in Egnyte | All users will be provisioned with this role. Not recommended. |
| target_host | egnyte.com | Should always be egnyte.com. Note: If your Egnyte domain uses a custom URL, enter that URL here. |
| group_mapping | inherit | Default. All users within all subgroups will be added. Separate groups for each subgroup will be created. |
| | noinherit | Subgroups will be ignored and only users explicitly listed as group members will be added. |
| | flatten | All users within all subgroups will be added. Separate groups for each subgroup will NOT be created. A separate handle_ldap_group_cycles flag determines what happens with cyclic group dependencies; its default value is False, meaning that AD Kit will throw an exception. |
| group_duplication_strategy | none | Default. "Backwards compatibility" option that can sync duplicate groups from the child domain and overshadow groups from the parent domain. |
| | skip | Duplicate groups will be skipped and only groups from base_dn will be synced. |
| | create | Creates duplicate groups with a "FROM {AD domain}" suffix to differentiate the groups in Egnyte. |
| default_auth_type | ad | Authentication using Microsoft Active Directory. Recommended and default. |
| | sso | Authentication using external identity providers like Okta. |
| | egnyte | Authentication using Egnyte username and password. |
|
LDAP Parameters

| Key | Value | Description |
|---|---|---|
| service_type | AD | Active Directory. Default option. |
| host | | Internal IP address or the fully qualified domain name of the directory service host. If you are running AD Kit from inside your firewall, this is the internal IP of the directory service host. |
| port | 636 | LDAPS (encrypted). |
| | 3269 | GCS (encrypted). Note: GC or GCS are used if there are multiple AD domains in the forest available from the Global Catalog. |
| secure | true | Note: When secure=true the port is assumed to be 636 or 3269. |
| bind_dn | | Bind DN (user) used to bind to your Active Directory. It is recommended that you use the userPrincipalName of the chosen user for this value. Note: This user does not need to be a domain admin account. |
| base_dn | | Base DN in your directory service from which to search. Example: base_dn=dc=acme,dc=com if the base DN is acme.com. |
| attr_username | | Define the attribute in AD that is converted to the username in Egnyte. |
| attr_first_name | givenName | Include the attribute in AD that is later converted to the first name in Egnyte. Default is givenName. |
| attr_last_name | | Include the attribute in AD that is later converted to the last name in Egnyte. |
| attr_email | | Define the attribute in AD that is later converted to the email address in Egnyte. |
| attr_group_name | | Include the group name attribute in AD that will be used as the group name in Egnyte. |
| ou_inclusion_filter | | Define specific OUs to be included in the action list. |
| user_inclusion_by_ou_filter | | Include specific OUs to pull all users from. Use a comma to dig down the OU structure and a semicolon to include additional OUs. |
| group_inclusion_by_ou_filter | | Define specific OUs to pull all groups from. Use a comma to dig down the OU structure and a semicolon to include additional OUs. Example: To pull from qa.egnytead.com, us.sales.egnytead.com, and europe.sales.egnytead.com, enter the following: OU=qa;OU=europe,OU=sales;OU=us,OU=sales |
| user_inclusion_by_group_filter | | Only users within the specified security group(s) will be added. The value should be the name of the group(s). Example: user_inclusion_by_group_filter=finance,legal |
| import_dist_groups | | By default, only AD security groups are imported. Setting this key to true allows the import of all groups. |
| group_exclusion_filter | | Define specific groups to exclude from the action list. Example: group_exclusion_filter=finance,legal |
| group_search_filter | | If using universal groups in the directory service, uncomment group_search_filter to include universal and global groups. The syntax for this value is the standard LDAP filter syntax. Note: it is possible to use a wildcard here. A sample filter that uses a wildcard might look like: group_search_filter=(&( A negation operator (!) can also be used within the filter. |
| add_users_to_their_primary_group | true | If the flag is set to true, users from Primary groups are added to those groups in Egnyte when syncing groups. The default selection is false. |
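The OU filter syntax (comma to dig down, semicolon for additional OUs) and the group inclusion/exclusion lists above are easy to get wrong by hand. The following Python, added here and not AD Kit's own code, expands the page's own example values into the search base DNs and LDAP filter they imply; the helper names, the sample base_dn and the RFC 4515 escaping of names taken from the .ini file are this example's assumptions.

```python
# Added example, not AD Kit's own code. Helper names, the sample base_dn and the
# escaping rule are this example's assumptions.

def parse_ini_list(value):
    """Split a comma-separated .ini value such as 'finance,legal' into names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def ou_filter_to_search_bases(value, base_dn):
    """Expand an OU filter value into full search-base DNs.
    Semicolons separate independent OUs; commas dig down the OU tree in LDAP DN
    order (child first), so 'OU=europe,OU=sales' is europe under sales."""
    bases = []
    for entry in value.split(";"):
        rdns = [rdn.strip() for rdn in entry.split(",") if rdn.strip()]
        if rdns:
            bases.append(",".join(rdns + [base_dn]))
    return bases


def escape_filter_value(value):
    """Hex-escape LDAP filter metacharacters (RFC 4515) so a name copied from the
    .ini file cannot alter the structure of the filter it is inserted into."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(include, exclude=()):
    """OR the user_inclusion_by_group_filter names and negate each
    group_exclusion_filter name with the ! operator, as one LDAP filter."""
    parts = ["(objectClass=group)"]
    if include:
        parts.append("(|" + "".join(f"(cn={escape_filter_value(n)})" for n in include) + ")")
    for name in exclude:
        parts.append(f"(!(cn={escape_filter_value(name)}))")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Constructed sample values, taken from the examples in the table above.
    print(ou_filter_to_search_bases("OU=qa;OU=europe,OU=sales;OU=us,OU=sales", "dc=egnytead,dc=com"))
    print(build_group_filter(parse_ini_list("finance,legal"), parse_ini_list("temp*")))
```

Running it shows that a literal `*` in an excluded group name is escaped to `\2a`, so it matches the name rather than acting as a wildcard; use the real group_search_filter key when a wildcard is actually intended.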
auth_policies.ini

Advanced Settings

| Key | Value | Description |
|---|---|---|
| ldapURL | | External URL of the LDAP server. |
| bindDN | | Domain name of the child domain. |
| baseDN | | Base domain name. |
| searchFilter | | Search filter of the child domain. |
| serviceType | | Service type: EXTERNAL_ADS or EXTERNAL_LDAP. |
trusted_forests.ini

Note: The parameters described here must be set for each trusted forest.

Advanced Settings

| Key | Value | Description |
|---|---|---|
| host | | IP address of the directory service host for the trusted forest. |
| port | 3269 | GCS (encrypted). Note: GC or GCS are used if there are multiple AD domains in the forest available from the Global Catalog. |
| secure | false | Use false when using GC. |
| | true | Use true when using GCS. Note: When secure=true the port is assumed to be 3269. |
| bind_dn | | Bind DN (user) used to bind to your Active Directory. Note: This user does not need to be a domain admin account. |
| base_dn | | Base DN in your directory service from which to search. Example: base_dn=dc=acme,dc=com if the base DN is acme.com. |
| password | | Password for the bind_dn user. Note: When AD Kit is first run, the password is encrypted and stored in the encrypted_password key, after which the password parameter is cleared. |
| encrypted_password | | An encrypted version of the password. This parameter is automatically populated after setting the password parameter and running AD Kit. |