Active Directory (AD Kit) Configuration Parameters

You'll find all of the configuration parameters in the directory_service.ini, auth_policies.ini, and trusted_forests.ini files. The value is what you'll enter in the .ini file, and the description tells you how each value impacts the way AD Kit runs.  

directory_service.ini

General Parameters

Key / Value / Description

action_list
  extract_users: Extracts users from your directory service to a TSV formatted file. Used for configuration and testing purposes.
  sync_users: One-way syncing of users from your AD to your Egnyte domain. Extracts, adds, and updates your users.
    Note: When using this action, the allow_create key must be set to true.
  add_users: Reads user data from a TSV formatted file, then adds users to your domain in Egnyte.
  update_users: Updates user attributes (such as first/last name) in your Egnyte domain.
  list_users: Lists all users from your Egnyte domain.
  extract_groups: Extracts groups from your directory service to a TSV formatted file. Used for configuration and testing purposes.
  sync_groups: One-way syncing of groups and users from your AD to your Egnyte domain. Extracts, adds, and updates your groups and users.
    Note: When using this action, the allow_create key must be set to true.
  add_groups: Reads group data from a TSV formatted file, then adds groups to your Egnyte domain.
  update_groups: Updates group attributes in your Egnyte domain.
  list_groups: Lists all groups from your Egnyte domain.
  add_auth_policy: Adds an authentication policy to your Egnyte domain.
  list_auth_policy: Lists the configured auth policies defined by the auth_policies.ini file.

allow_create
  false: Default is false. This key allows the adding of new users or groups to Egnyte during the sync_users and sync_groups actions.
  true: If set to true, allows users and groups to be created and modified by AD Kit in your Egnyte domain.

allow_delete
  false: Default is false. This key allows the deleting of users or groups from Egnyte during the sync_users and sync_groups actions.
  true: If set to true, users and groups can be either disabled or deleted by AD Kit in your Egnyte domain.

allow_delete_from_child_domains
  false: Default is false. Users and groups will not be allowed to be deleted from child AD domains.
  true: If set to true, users and groups from child AD domains can be deleted by AD Kit. This only works if the allow_delete key is also set to true.

delete_disabled_users
  false: If set to false, AD Kit will not be able to delete disabled users from Egnyte. This is the recommended setting.
  true: If set to true, AD Kit will be able to delete disabled users from Egnyte that are managed by AD Kit.

send_invitation_email
  false: An invitation email will not be sent out unless Egnyte is chosen as the authentication method (see default_auth_type).
  true: An invitation email will be sent out as a random user or the designated user (see token_type).
    Note: This configuration parameter only works with SSO and AD authenticated users.

seed_file
  data.tsv: Output file that is created when extract_users or extract_groups is run. It is best to review this file to ensure that the correct users are added.

trusted_forests_file
  Name of the trusted forests' controller configuration file.

Egnyte Parameters

egnyte_domain
  Your domain name in Egnyte. If your domain name is acme.egnyte.com, only acme is needed.

token_type
  domain_token: Designates that AD Kit will authenticate using a general domain token. If send_invitation_email is set to true, the invitation email will come from the user designated here.
  user_token: Designates that AD Kit will authenticate using a specific user's token. If send_invitation_email is set to true, the invitation email will come from a random user.

client_m_verison
  Authentication key from Egnyte: If token_type was set to domain_token, paste in the Authentication key that was generated when you activated Active Directory in the Application settings.

user_client_m_verison
  Personal authentication key from Egnyte: If token_type was set to user_token, paste in the Personal authentication key that was generated when you activated Active Directory in the Application settings.

email_suffix
  Allows you to specify the suffix of the email address that goes after the username.

default_user_role
  power: All users will be set up as Power Users in Egnyte. It's recommended to use power and then manually change any users to admin as needed, since only one user type can be provisioned by AD Kit.
  admin: All users will be set up as Admin Users in Egnyte.

default_power_user_role
  Name of a specified Role in Egnyte: All users will be provisioned with this role. Not recommended.

target_host
  egnyte.com: Should always be egnyte.com.
    Note: If your Egnyte domain utilizes a custom URL, you will enter that URL here.

group_mapping
  inherit: Default. All users within all subgroups will be added. Separate groups for each subgroup will be created.
  noinherit: Subgroups will be ignored and only users explicitly listed as group members will be added.
  flatten: All users within all subgroups will be added. Separate groups for each subgroup will NOT be created.
    Note: A separate handle_ldap_group_cycles flag determines what happens with cyclic group dependencies. Its default value is False, meaning that AD Kit will throw an exception (adkit.exceptions.CycleError: Group membership structure contains following cycles:...) and skip the synchronization. When the flag is set to True and group_mapping is set to "flatten", group cycles will be broken and the groups will be synchronized.

group_duplication_strategy
  none: Default. "Backwards compatibility" option that can sync duplicate groups from the child domain and overshadow groups from the parent domain.
  skip: Duplicate groups will be skipped and only groups from "base_dn" will be synced.
  create: Creates duplicate groups with a "FROM {AD domain}" suffix to differentiate the groups in Egnyte.

default_auth_type
  ad: Authentication using Microsoft Active Directory. Recommended and default.
  sso: Authentication using external ID providers like Okta.
  egnyte: Authentication using Egnyte username and password.

LDAP Parameters

service_type
  AD: Active Directory. Default option.

host
  Internal IP address or the fully qualified domain name of the directory service host. If you are running this from inside your firewall, it will be the internal IP of the directory service host.

port
  636: LDAPS (encrypted)
  3269: GCS (encrypted)
    Note: GC or GCS are used if there are multiple AD domains in the forest available from the Global Catalog.

secure
  true
    Note: When secure=true the port is assumed to be 636 or 3269.

bind_dn
  Bind DN (user) used to bind to your Active Directory. It is recommended that you use the userPrincipalName of the chosen user for this value.
    Note: This user does not need to be a domain admin account.

base_dn
  Base DN in your directory service from where to search.
    Example: base_dn=dc=acme,dc=com if the base DN is acme.com

attr_username
  Defines the attribute in AD that is converted to the username in Egnyte. Default: userPrincipalName

attr_first_name
  The attribute in AD that is later converted to the first name in Egnyte. Default: givenName

attr_last_name
  The attribute in AD that is later converted to the last name in Egnyte. Default: sn

attr_email
  The attribute in AD that is later converted to the email address in Egnyte. Default: mail

attr_group_name
  The attribute in AD whose value will be used as the group name in Egnyte. Default: sAMAccountName

ou_inclusion_filter
  Defines specific OUs to be included in the action list.

user_inclusion_by_ou_filter
  Specific OU(s) to pull all users from. Use a comma to dig down the OU structure and a semicolon to include additional OUs.

group_inclusion_by_ou_filter
  Specific OU(s) to pull all groups from. Use a comma to dig down the OU structure and a semicolon to include additional OUs.
    Example: To pull users from qa.egnytead.com, us.sales.egnytead.com, and europe.sales.egnytead.com, enter the following: OU=qa;OU=europe,OU=sales;OU=us,OU=sales

user_inclusion_by_group_filter
  Only users within the specified security group(s) will be added. The value should be the name of the group(s).
    Example: user_inclusion_by_group_filter=finance,legal

import_dist_groups
  By default, only AD security groups are imported. Setting this key to true allows the import of all groups.

group_exclusion_filter
  Defines specific groups to exclude from the action list.
    Example: group_exclusion_filter=finance,legal

group_search_filter
  If you use universal groups in the directory service, uncomment group_search_filter to include universal and global groups. The syntax for this value is the standard LDAP filter syntax.
    Note: It is possible to use a wildcard here. A sample filter that uses a wildcard might look like:
    group_search_filter=(&(objectclass=group)(name=*something)(|(groupType=-2147483640)(groupType=-2147483644)(groupType=-2147483646)))
    A negation operator (!) can also be used within the filter.
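As an added illustration (not AD Kit's own code), the helpers below expand the semicolon/comma OU filter syntax used by user_inclusion_by_ou_filter and group_inclusion_by_ou_filter into full DNs beneath a base DN, and compose a group_search_filter of the shape shown above for explicitly named groups, escaping each name per RFC 4515 so a name containing filter metacharacters cannot widen or break the filter. The base DN is a constructed sample, and escaping every "*" (so hand-written wildcards stay the operator's job) is an assumption of this example.

```python
# Added example, not AD Kit code. The OU filter grammar and the groupType
# values come from this article; the base DN used below is a constructed sample.

# groupType values taken from the sample group_search_filter on this page.
SECURITY_GROUP_TYPES = ("-2147483640", "-2147483644", "-2147483646")


def expand_ou_filter(value: str, base_dn: str) -> list[str]:
    """Turn 'OU=qa;OU=europe,OU=sales' into one DN per semicolon-separated path.

    ';' separates independent OU paths and ',' walks down the OU tree
    (leaf first, as in an LDAP DN), so each path is appended to base_dn as-is.
    """
    dns = []
    for path in value.split(";"):
        parts = [p.strip() for p in path.split(",") if p.strip()]
        if not parts:
            continue
        for part in parts:
            if not part.upper().startswith("OU="):
                raise ValueError(f"expected an OU=... component, got {part!r}")
        dns.append(",".join(parts) + "," + base_dn)
    return dns


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_group_search_filter(names: list[str]) -> str:
    """Compose a filter like this page's sample, but for exact group names.

    Names are escaped, so a value such as 'fin*ance)' matches literally
    instead of turning into a wildcard or unbalancing the parentheses.
    """
    name_clauses = "".join(f"(name={escape_filter_value(n)})" for n in names)
    if len(names) > 1:
        name_clauses = f"(|{name_clauses})"
    type_clauses = "".join(f"(groupType={t})" for t in SECURITY_GROUP_TYPES)
    return f"(&(objectclass=group){name_clauses}(|{type_clauses}))"


if __name__ == "__main__":
    for dn in expand_ou_filter("OU=qa;OU=europe,OU=sales;OU=us,OU=sales", "DC=egnytead,DC=com"):
        print(dn)
    print(build_group_search_filter(["finance", "legal"]))
```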

add_users_to_their_primary_group
  true: If the flag is set to true, then when syncing groups, users are added to their Primary groups in Egnyte. The default is false.
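As an added pre-flight check (not part of AD Kit), the script below reads a directory_service.ini with Python's configparser and reports settings that conflict with the rules stated in the tables above: sync actions without allow_create, allow_delete_from_child_domains without allow_delete, the non-recommended delete_disabled_users=true, secure=true on a port other than 636 or 3269 (or secure=false at all), an unknown default_auth_type, and a token_type whose matching key is empty. The [directory_service] section name, a comma-separated action_list, and the sample values are assumptions of this example.

```python
# Added example, not AD Kit code: checks a directory_service.ini against the
# rules this article states. Section name and sample values are constructed.
import configparser

SAMPLE_INI = """\
[directory_service]
action_list = sync_users
allow_create = false
allow_delete = false
allow_delete_from_child_domains = true
delete_disabled_users = true
secure = true
port = 389
token_type = user_token
"""
ENCRYPTED_PORTS = ("636", "3269")  # LDAPS and GCS, per the port table above
TOKEN_KEYS = {"domain_token": "client_m_verison", "user_token": "user_client_m_verison"}


def check_config(ini_text: str, section: str = "directory_service") -> list[str]:
    """Return one finding per rule from this article that the config violates."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    s = cfg[section]

    def flag(key: str, default: str = "false") -> bool:
        return s.get(key, default).strip().lower() == "true"

    findings = []
    actions = {a.strip() for a in s.get("action_list", "").split(",")}
    if actions & {"sync_users", "sync_groups"} and not flag("allow_create"):
        findings.append("allow_create: must be true for sync_users/sync_groups")
    if flag("allow_delete_from_child_domains") and not flag("allow_delete"):
        findings.append("allow_delete_from_child_domains: no effect unless allow_delete=true")
    if flag("delete_disabled_users"):
        findings.append("delete_disabled_users: true is not the recommended setting")
    if flag("secure", "true"):  # assumes a missing secure key means true
        if s.get("port", "").strip() not in ENCRYPTED_PORTS:
            findings.append("port: secure=true expects 636 (LDAPS) or 3269 (GCS)")
    else:
        findings.append("secure: false would send the bind_dn credentials unencrypted")
    if s.get("default_auth_type", "ad").strip() not in ("ad", "sso", "egnyte"):
        findings.append("default_auth_type: must be ad, sso or egnyte")
    token_type = s.get("token_type", "").strip()
    if token_type not in TOKEN_KEYS:
        findings.append("token_type: must be domain_token or user_token")
    elif not s.get(TOKEN_KEYS[token_type], "").strip():
        findings.append(f"{TOKEN_KEYS[token_type]}: required when token_type={token_type}")
    return findings
```

Run it with `print("\n".join(check_config(SAMPLE_INI)))` to see the five findings the constructed sample triggers.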

 

auth_policies.ini

Advanced Settings

Key / Value / Description

ldapURL
  External URL of the LDAP server.

bindDN
  Domain Name of the child domain.

baseDN
  Base Domain name.

searchFilter
  Search filter of the child domain.

serviceType
  Service type: EXTERNAL_ADS or EXTERNAL_LDAP.

 

trusted_forests.ini

Note: The parameters described here must be set for each trusted forest.

Advanced Settings

Key / Value / Description

host
  IP address of the directory service host for the trusted forest.

port
  3269: GCS (encrypted)
    Note: GC or GCS are used if there are multiple AD domains in the forest available from the Global Catalog.

secure
  false: Use false when using GC.
  true: Use true when using GCS.
    Note: When secure=true the port is assumed to be 3269.

bind_dn
  Bind DN (user) used to bind to your Active Directory.
    Note: This user does not need to be a domain admin account.

base_dn
  Base DN in your directory service from where to search.
    Example: base_dn=dc=acme,dc=com if the base DN is acme.com

password
  Password for the bind_dn user.
    Note: When AD Kit is first run, the password is encrypted and stored in the encrypted_password key, after which the password parameter is cleared.

encrypted_password
  An encrypted version of the password. This parameter is automatically populated after setting the password parameter and running AD Kit.

 

 
