If you are having User Sync access your corporate directory, it
301
314
must be configured to read from the directory server using a
302
315
service account. This service account only needs read access and
@@ -431,6 +444,12 @@ secure them properly**, as described in the
431
444
[Security Considerations](#security-considerations) section of
432
445
this document.
433
446
447
+
The sample configuration files include entries that define the actual
448
+
credential values and entries that reference credentials in the operating system
449
+
credential store. You would keep only one of each pair and comment out or
450
+
remove the other. Another example user-sync-config.yaml show how to reference
451
+
umapi and ldap configuration files stored in a secure store that you define.
452
+
434
453
#### Configure connection to the Adobe Admin Console
435
454
436
455
When you have obtained access and set up an integration with User
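Review bot: The added paragraph does not say which of the two entry kinds should normally be kept, and the last sentence has a grammar error and a vague reference ("Another example user-sync-config.yaml show how to reference"). Suggest rewording to "Keep only one entry of each pair (the in-file credential value or the credential-store reference) and comment out or remove the other. A second example user-sync-config.yaml shows how to reference umapi and ldap configuration files stored in a secure store that you define." Since the preceding context lines already point readers at the Security Considerations section for securing the files, it would also help to state here that the credential-store form is the one recommended for production, if that is the intent.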
@@ -1660,6 +1679,84 @@ reaches the rate limit. It is normal to see messages in the
1660
1679
console indicating that the script has paused for a short amount
1661
1680
of time before trying to execute again.
1662
1681
1682
+
Starting in User Sync 2.1, there are two additional techniques available
1683
+
for protecting credentials. The first uses the operating system credential
1684
+
store to store individual configuration credential values. The second uses
1685
+
a mechanism you must provide to store the entire configuration file for umapi
1686
+
and ldap access which includes all the credentials required. These are
1687
+
detailed in the next two sections.
1688
+
1689
+
#### Storing Credentials in OS Level Storage
1690
+
1691
+
To setup User Sync to pull credentials from the Python Keyring OS credential store, set the connector-umapi.yaml and connector-ldap.yaml files as follows:
Note the change of api_key, client_secret, and priv_key_path to secure_api_key_key, secure_client_secret_key, and secure_priv_key_data_key, respectively. These alternate configuration values give the key names to be looked up in keyring (or the equivalent service on other platforms) to retrieve the actual credential values. In this example, the credential key names are get_credential, umapi_client_secret, and
1705
+
umapi_private_key_data.
1706
+
1707
+
The credential values will be looked up using the specified key names with the user being the org_id value.
1708
+
1709
+
1710
+
connector-ldap.yaml
1711
+
1712
+
username: "your ldap account username"
1713
+
secure_password_key: ldap_password
1714
+
host: "ldap://ldap server name"
1715
+
base_dn: "DC=domain name,DC=com"
1716
+
1717
+
The LDAP access password will be looked up using the specified key name with the user being the specified username value.
1718
+
1719
+
#### Storing Credential Files in External Management Systems
1720
+
1721
+
As an alternative to storing credentials in the local credential store, it is possible to integrate User Sync with some other system or encryption mechanism. To support such integrations, it is possible to store the entire configuration files for umapi and ldap externally in some other system or format.
1722
+
1723
+
This is done by specifying, in the main User Sync configuration file, a command to be executed whose output is used as the umapi or ldap configuration file contents. You will need to provide the command that fetches the configuration information and sends it to standard output in yaml format, matching what the configuration file would have contained.
1724
+
1725
+
To set this up, use the following items in the main configuration file.
1726
+
1727
+
1728
+
user-sync-config.yaml (showing partial file only)
1729
+
1730
+
adobe_users:
1731
+
connectors:
1732
+
# umapi: connector-umapi.yaml # instead of this file reference, use:
1733
+
umapi: $(read_umapi_config_from_s3)
1734
+
# if a working directory is required:
1735
+
# umapi $([temp]read_umapi_config_from_s3) # runs command in "temp" folder
1736
+
1737
+
directory_users:
1738
+
connectors:
1739
+
# ldap: connector-ldap.yaml # instead of this file reference, use:
1740
+
ldap: $(read_ldap_config_from_server)
1741
+
1742
+
The general format for external command references is
1743
+
1744
+
$([working directory pathname]command args)
1745
+
1746
+
The working directory pathname is optional. If present, it is enclosed
1747
+
in square brackets. If the working directory pathname is not fully qualified
1748
+
it is interpreted as relative to the configuration file containing
1749
+
the reference.
1750
+
1751
+
The remainder of the line is the shell command name
1752
+
followed by any arguments. A command shell is launched by User Sync which
1753
+
runs the command. The standard output from the command is captured and that
1754
+
output is used as the umapi or ldap configuration file.
1755
+
1756
+
If the command terminates abnormally User Sync terminates with an error.
1757
+
1758
+
The command can reference a new or existing program or a script.
1759
+
1663
1760
### Scheduled task examples
1664
1761
1665
1762
You can use a scheduler provided by your operating system to run
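Review bot: The commented example `# umapi $([temp]read_umapi_config_from_s3) # runs command in "temp" folder` is missing the colon after the key; as written it is not valid YAML if a reader uncomments it, so it should read `# umapi: $([temp]read_umapi_config_from_s3)`. Two smaller points in the same hunk: the list of key names in the keyring example gives `get_credential` as the first name, which does not match the naming pattern of `umapi_client_secret` and `umapi_private_key_data` and looks like it should be the actual key name used in the connector-umapi.yaml example, so please check it against that example. And the external-command section explains that User Sync launches a command shell and uses whatever the command writes to standard output as the connector configuration, but it does not say that this moves trust onto the main configuration file: anyone who can edit user-sync-config.yaml can change the command that runs with User Sync's privileges, so the section should state that the main configuration file needs the same protection the Security Considerations section describes for the credential files, and that the command's standard error and exit status are the only signals of a failed fetch (the text already says an abnormal termination stops User Sync with an error, which is the right behaviour to document).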