The User Sync tool is a command-line utility that moves user and group information from your organization’s enterprise directory system (such as Active Directory or another LDAP system) to your organization’s directory in the Adobe Admin Console. Each time you run the User Sync tool, it looks for differences between the user and group information in the two systems and updates the Adobe directory to match the information in your directory.
This document provides step-by-step instructions to interface an Active Directory system with the Adobe Admin Console. This is one of the most popular combinations that our customers use in the K-12 and SMB segments. The User Sync tool is flexible and can be used to interface with most LDAP and directory systems. If you're using a directory system other than Active Directory, the instructions in this document do not apply directly; make modifications as required. For more information, see the Setup and Success Guide.
Get Active Directory information
You'll need the following information about your Active Directory (or LDAP) system. If you do not have this information, contact your IT administrator.
- Host and port information about the server where the system is running.
- Username and password.
- Base DN, which is the point from where the server searches for users.
- Additionally, you may also require an LDAP query that selects the set of users to be synced with Adobe.
Obtain a digital certificate
To sign API calls, you need a digital certificate. If you don't have the certificate, contact your IT Admin for instructions.
- The certificate must include a public key certificate file and a private key file.
- CRT (base-64 encoded X.509) format
- Named with a .crt filename extension (not .pem, .cer or .cert)
- Multi-line format (single line fails)
- Must be valid for a minimum of three years (this saves maintenance over that lifespan and does not compromise security)
Create a self-signed certificate
For testing and setting up, you can also use a self-signed certificate. You can create certificates in Windows with Cygwin, which includes openssl. In Mac OS, you can use the built-in command-line tool openssl. To create a certificate, do the following:
Identify a server
If you plan to install User Sync on your machine, ensure that it meets the following requirements:
- Has access to the Internet, and your directory service such as LDAP or AD.
- Is protected and secure (your administrative credentials are stored or accessed there).
- Stays up, is reliable, and has a backup and recovery capability.
- Can send emails so User Sync can send reports to administrators.
- If it is a Windows machine, it has a 64-bit processor.
Otherwise, work with your IT department to identify such a server and get access to it.
Create integration with Adobe I/O
Install the User Sync tool
Set the path for Python (Windows only)
Configure directory access
Configure Adobe UMAPI Credentials
Define a default country code
A country code is required for Federated IDs and recommended for Enterprise IDs. If not supplied for Enterprise IDs, the users are prompted to choose a country when they first log in.
You can provision user accounts by adding them to an enterprise directory group using LDAP/AD tools rather than the Adobe Admin Console. Then, the config file defines a mapping from directory groups to Adobe Product Profiles or User Groups.
If a user is a member of a directory group, user-sync adds the user to the corresponding User Group in the Adobe Admin Console. Also, if a user is a member of a User Group, but is not in the directory group, user-sync removes the user from the User Group.
For each directory group that must map to an Adobe Product Profile or user group, add an entry after groups. For example:
groups:
  - directory_group: C-Art101-18
    adobe_groups:
      - All Apps
  - directory_group: C-Film401-18
    adobe_groups:
      - Premiere Pro
Directory groups can be mapped to Adobe User Groups or Product Profiles, not to product names. You can also map one directory group to more than one Adobe User Group or Product Profile.
Unmatched user limits
To prevent accidental account deletion if there is a misconfiguration or another problem, there is a limit set on deletion of accounts.
If you want to drive account creation and removal through User Sync, and want to manually create a few accounts, use this feature to keep User Sync from deleting your manually created accounts.
The exclude_adobe_groups setting defines a list of Adobe user groups, product profiles, or both. Adobe users who are members of listed groups are not removed or updated, and their group membership is not changed.
The exclude_users setting gives a list of patterns. Adobe users with user names that match any of the specified patterns (matching is not case sensitive by default, unless the pattern specifies case sensitivity) are not removed or updated, and their group membership is not changed.
To protect users on the Admin Console from updates, create a user group and put the protected users into that group, then list that group as excluded from User Sync processing. You can also list specific users or a pattern that matches specific user names to protect those users. You can protect users based on their identity type as well.
adobe_users:
  exclude_adobe_groups:
    - administrators   # Names an Adobe user group or product configuration whose members are not to be altered or removed by User Sync
    - contractors      # You can have more than one group in a list
  exclude_users:
    - ".*@example.com"
    - email@example.com
  exclude_identity_types:
    - adobeID          # adobeID, enterpriseID, and/or federatedID
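The sketch below is an added example, not User Sync's own code. It models how the exclusion rules and the group mapping described above combine for accounts that already exist in the Admin Console, so you can reason about who a given configuration shields from changes. The account names and the function names are hypothetical. It assumes that patterns are regular expressions matched against the whole user name, and that only groups named in the mapping are managed.

```python
import re

# Constructed config mirroring the adobe_users and groups examples on this page.
EXCLUDE = {
    "exclude_adobe_groups": ["administrators", "contractors"],
    "exclude_users": [".*@example.com", "email@example.com"],
    "exclude_identity_types": ["adobeID"],
}
GROUP_MAP = {"C-Art101-18": ["All Apps"], "C-Film401-18": ["Premiere Pro"]}

# Constructed Adobe-side accounts and directory memberships (hypothetical names).
ADOBE_USERS = [
    {"username": "ana@school.example", "identity_type": "federatedID", "groups": ["Premiere Pro"]},
    {"username": "Root@Example.com", "identity_type": "federatedID", "groups": ["All Apps"]},
    {"username": "lee@school.example", "identity_type": "adobeID", "groups": ["All Apps"]},
    {"username": "kim@school.example", "identity_type": "enterpriseID", "groups": ["contractors"]},
]
DIRECTORY_GROUPS = {"ana@school.example": ["C-Art101-18"]}


def is_protected(user, exclude=EXCLUDE):
    """Return True if any exclusion rule covers this Adobe-side account."""
    types = {t.lower() for t in exclude["exclude_identity_types"]}
    if user["identity_type"].lower() in types:
        return True
    if set(user["groups"]) & set(exclude["exclude_adobe_groups"]):
        return True
    # Assumption: each pattern is a regular expression that must match the
    # whole user name, case-insensitively (the default described above).
    return any(re.fullmatch(p, user["username"], re.IGNORECASE)
               for p in exclude["exclude_users"])


def plan_group_changes(adobe_users, directory_groups, group_map=GROUP_MAP, exclude=EXCLUDE):
    """Return sorted (action, username, adobe_group) tuples; nothing is applied."""
    managed = {g for targets in group_map.values() for g in targets}
    plan = []
    for user in adobe_users:
        if is_protected(user, exclude):
            continue  # protected accounts keep their current membership
        name = user["username"]
        wanted = {g for dg in directory_groups.get(name, []) for g in group_map.get(dg, [])}
        current = set(user["groups"]) & managed
        plan += [("add", name, g) for g in sorted(wanted - current)]
        plan += [("remove", name, g) for g in sorted(current - wanted)]
    return sorted(plan)
```

Under the regular-expression assumption, the unescaped dot in ".*@example.com" matches any character, so the pattern also shields a name such as bob@exampleXcom; write the dot as \. when only the exact domain should be excluded.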
User Sync produces log entries that are printed to standard output and also written to a log file. The logging configuration settings control where and how much log information is output.
To turn the file log on or off, edit the log_to_file value in the user-sync-config.yml file.
Messages can be on one of five levels of importance and you can choose the lowest importance that is included for either the file log or standard output log to the console. The defaults are to produce the file log and to include messages of level “info” or higher, which is the recommended setting.
Configure using the User Sync Tool Configuration Wizard (Windows only)
Alternatively, if you have a Windows server, you can use the User Sync Tool Configuration Wizard to configure User Sync.
The User Sync Tool Configuration Wizard is a GUI tool that helps you easily configure the User Sync tool with User Management API (Adobe.io), Enterprise Directory (LDAP), and sync settings. It provides context-based help and links to User Sync tool documentation. For more information, see Adobe User Sync Tool Configuration Wizard.
Now that the User Sync tool is set up on your server or machine, you can check if it works as expected.
Following are the commands to start User Sync:
Windows: python user-sync.pex ....
UNIX: ./user-sync ....
For example, to verify that your configuration is complete, run the following commands:
Windows:
python user-sync.pex -v
python user-sync.pex -h
UNIX:
./user-sync -v
./user-sync -h
python user-sync.pex -t --users mapped --process-groups --adobe-only-user-action exclude
The command above syncs only the users in the mapped group specified in user-sync-config.yml. If the users don't exist in the Admin Console, it results in an attempt to create the users and add them to any groups that are mapped from their directory groups.
In test mode (-t), user-sync only attempts to create the user and does not actually create it. The --adobe-only-user-action exclude option prevents updates to any user accounts that already exist in the Adobe organization.
If you have more than a few hundred users in your directory, it can take a few hours to sync the users with Adobe Admin Console.
Monitor and schedule
User Sync can be run manually, or you can set up automation where it runs once to a few times per day automatically.
If you have a log analysis and alerting system available, arrange for the log from User Sync to be sent to the log analysis system. Also set up alerts for any Error or Critical messages that appear in the log.
To pull out relevant log entries for a summary, create a batch file in the user_sync_tool folder with the invocation of user-sync piped to a scan. For example, create a file run_sync.bat with contents like:
cd user-sync-directory
python user-sync.pex --users file example.users-file.csv --process-groups | findstr /I "==== ----- WARNING ERROR CRITICAL Number" > temp.file.txt
rem email the contents of temp.file.txt to the user sync administration
your-mail-tool –send file temp.file.txt