AD Gateway Stack Parameters
This page documents the meaning and use of each parameter to the CLICK AD Gateway CloudFormation template.
AdExtraAttributes
By default, the CLICK AD Gateway will capture a minimal set of attributes from the User, Group, and OU objects it observes. If you wish for additional attributes to be sent to CLICK, enter them here as a comma separated list.
AdGroupsOUs
The CLICK AD Gateway does not capture your entire AD forest structure. Here, you specify one or more OUs that the CLICK AD Gateway should query for Group information. Enter one or more pipe-delimited Distinguished Names (e.g. ou=OuName,DC=DomainName,DC=com).
AdGroupsQuery
An optional LDAP filter string to limit or modify the query the CLICK AD Gateway performs to retrieve Group information.
AdHost
The fully qualified domain name of one or more Domain Controllers that the CLICK AD Gateway should contact when performing its queries. Separate multiple entries with a comma.
AdPeopleOUs
Specify one or more OUs that the CLICK AD Gateway should query for User information. Enter one or more pipe-delimited Distinguished Names (e.g. ou=OuName,DC=DomainName,DC=com).
AdPeopleQuery
An optional LDAP filter string to limit or modify the query the CLICK AD Gateway performs to retrieve User information.
AdPort
The port on which the CLICK AD Gateway should open a connection to the Domain Controller. The default port for LDAP is 389, and the default port for Secure LDAP is 636.
AdUser
The UPN of the Active Directory user the CLICK AD Gateway should use to authenticate with the Domain Controller. We recommend creating a read-only service account. The password will be configured separately as an encrypted AWS Systems Manager (SSM) Parameter.
ClickKMSKeyAdminArn
The ARN of the IAM Role or IAM User that will be creating the SSM Parameters that will be read by the CLICK AD Gateway. This ARN will be the only resource granted the ability to administer the KMS Key.
ClickKMSKeyEncrypterArn
The ARN of the IAM Role or IAM User that will be deploying the CloudFormation stack. This resource will be granted the necessary permission to use the KMS Key, enabling the CLICK AD Gateway to read the SSM Parameters that were encrypted with it.
CodeDeployBucket
If you are performing a custom deployment of the CLICK AD Gateway, you may need to modify this parameter. However, in most cases, the default value of click-ad-gateway should not be changed.
Endpoint
This URL is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain a unique, automatically-generated URL that the CLICK AD Gateway will use to deliver data to CLICK.
KMSPolicySubscriptionEmail
The e-mail address that should be notified whenever the Policy on the KMS Key created by the stack is modified. Use it to alert a system administrator in the event of a user attempting to tamper with the KMS Key.
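The notification above only helps if someone acts on it, so it is worth knowing what the underlying signal looks like. The following is an added example, not code from the CLICK template: it runs a small EventBridge-style matcher over constructed CloudTrail records and raises an alert for each management call that changes the stack's key, at "info" severity when the caller is the designated key administrator and "high" otherwise. It goes slightly beyond the page by also treating ScheduleKeyDeletion and DisableKey as tampering. The key ARN, role ARNs, the PATTERN dict and the helper names are assumptions made for the example; the record shape follows CloudTrail as delivered through EventBridge.

```python
# Added example: detection logic for changes to the stack's KMS key, run over constructed
# CloudTrail-via-EventBridge records. Not part of the CLICK template; all ARNs are placeholders.

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/click-kms-admin"   # stands in for ClickKMSKeyAdminArn

# EventBridge-style pattern (assumed shape) for KMS management calls that alter or disable a key.
PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["kms.amazonaws.com"],
        "eventName": ["PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey"],
    },
}

def matches(pattern, event):
    """Minimal EventBridge pattern matcher: a list means 'value is one of these',
    a nested dict recurses. Exact-match subset of the EventBridge grammar only."""
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not matches(want, got):
                return False
        elif got not in want:
            return False
    return True

def caller_arn(user_identity):
    """CloudTrail records an assumed-role session as arn:aws:sts::...:assumed-role/...;
    the role that the key policy names is under sessionContext.sessionIssuer, so prefer that."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "<unknown>")

def touches_key(detail, key_arn):
    """True when the call targeted the stack's key (resources list or requestParameters.keyId)."""
    if any(r.get("ARN") == key_arn for r in detail.get("resources", [])):
        return True
    return detail.get("requestParameters", {}).get("keyId") == key_arn

def key_alerts(events, key_arn=KEY_ARN, admin_role_arn=ADMIN_ROLE_ARN):
    """One alert per matching event on the key; 'high' severity unless the caller is the
    designated key administrator (changes by the admin are still reported, at 'info')."""
    alerts = []
    for ev in events:
        if not matches(PATTERN, ev) or not touches_key(ev["detail"], key_arn):
            continue
        d = ev["detail"]
        actor = caller_arn(d.get("userIdentity", {}))
        alerts.append({
            "time": d["eventTime"],
            "event": d["eventName"],
            "actor": actor,
            "severity": "info" if actor == admin_role_arn else "high",
        })
    return alerts

def _ct(event_name, user_identity, key_arn, when):
    """Build one constructed CloudTrail-via-EventBridge record for the sample set."""
    return {
        "source": "aws.kms",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventTime": when,
            "eventSource": "kms.amazonaws.com",
            "eventName": event_name,
            "userIdentity": user_identity,
            "requestParameters": {"keyId": key_arn},
            "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}],
        },
    }

SAMPLE_EVENTS = [  # constructed records, not real account activity
    _ct("PutKeyPolicy", {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        KEY_ARN, "2024-01-01T10:00:00Z"),
    _ct("Decrypt", {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/click-ad-gateway/lambda",
                    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/click-ad-gateway"}}},
        KEY_ARN, "2024-01-01T10:05:00Z"),
    _ct("PutKeyPolicy", {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/click-kms-admin/ops",
                         "sessionContext": {"sessionIssuer": {"arn": ADMIN_ROLE_ARN}}},
        KEY_ARN, "2024-01-01T11:00:00Z"),
    _ct("DisableKey", {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111", "2024-01-01T12:00:00Z"),
]

if __name__ == "__main__":
    for a in key_alerts(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["event"], "by", a["actor"])
```

Of the four sample records only the two PutKeyPolicy calls on the stack's key produce alerts; the routine Decrypt by the gateway and the DisableKey on an unrelated key are ignored. The sessionIssuer lookup matters in practice: comparing the raw userIdentity.arn of an assumed-role session against a role ARN would mark every change by the legitimate administrator as "high".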
SSMPrefix
Specify the prefix to be expected for all SSM Parameters. The default is /click/, but any valid value is acceptable here (though we do recommend the prefix begin and end with a forward slash for readability). The most important thing is to ensure consistency between the value you specify here and the way you name your SSM Parameters as you create them.
ScheduleRate
Specifies the interval at which the CLICK AD Gateway will perform LDAP queries and deliver data to CLICK. The default expression is rate(1 hour). Any valid rate expression is acceptable here.
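Several of the string parameters above (AdGroupsOUs, AdPeopleOUs, AdHost, AdPort with UseSecureLdap, SSMPrefix and ScheduleRate) have formats that CloudFormation will accept but the gateway will then fail on at its first scheduled run. The following pre-flight checker is an added example, not code from the CLICK template: it encodes the formats the page states (pipe-delimited DNs, comma-separated FQDNs, 389 versus 636, slash-wrapped prefix) plus two rules from outside the page that I am certain of, the RFC 4514 backslash escape inside DN values and the singular/plural unit rule of EventBridge rate expressions. The function names and the SAMPLE_PARAMS values are constructed for the example.

```python
import re

# Added pre-flight checker for the stack's string parameters (not part of the CLICK template).
# Parameter names follow the page; SAMPLE_PARAMS at the bottom are constructed values.

RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attributeType=value
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
RATE_RE = re.compile(r"^rate\((\d+) (minutes?|hours?|days?)\)$")

def split_dn(dn):
    """Split a DN into RDN strings, honouring RFC 4514 backslash escapes so that an
    escaped comma inside a value (e.g. 'ou=Sales\\, EMEA') is not treated as a separator."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def check_ou_list(value):
    """AdGroupsOUs / AdPeopleOUs: one or more pipe-delimited DNs. Returns a list of problems."""
    problems = []
    if not value.strip():
        return ["no OU given"]
    for dn in (d.strip() for d in value.split("|")):
        rdns = split_dn(dn)
        if any(not RDN_RE.match(r) for r in rdns):
            problems.append(f"malformed DN: {dn!r}")
            continue
        types = [r.split("=", 1)[0].lower() for r in rdns]
        if "dc" not in types:
            problems.append(f"DN has no DC component: {dn!r}")
        elif any(t != "dc" for t in types[types.index("dc"):]):
            # A DC component followed by a non-DC one almost always means two DNs
            # were joined with ',' instead of the required '|'.
            problems.append(f"looks like two DNs joined with ',' instead of '|': {dn!r}")
    return problems

def check_hosts(value):
    """AdHost: comma-separated fully qualified Domain Controller names."""
    return [f"not an FQDN: {h.strip()!r}" for h in value.split(",") if not FQDN_RE.match(h.strip())]

def check_port(port, use_secure_ldap):
    """AdPort: flag a port that contradicts UseSecureLdap (389 is plain LDAP, 636 is LDAPS)."""
    if use_secure_ldap and port == 389:
        return ["UseSecureLdap is true but AdPort is 389 (plain LDAP)"]
    if not use_secure_ldap and port == 636:
        return ["AdPort is 636 (Secure LDAP) but UseSecureLdap is false"]
    return []

def check_prefix(prefix):
    """SSMPrefix: the page recommends a leading and a trailing forward slash."""
    if not (prefix.startswith("/") and prefix.endswith("/")):
        return [f"SSMPrefix {prefix!r} should begin and end with '/'"]
    return []

def check_rate(expr):
    """ScheduleRate: a rate expression uses a singular unit for 1 and a plural unit otherwise."""
    m = RATE_RE.match(expr)
    if not m:
        return [f"not a rate expression: {expr!r}"]
    n, unit = int(m.group(1)), m.group(2)
    if n == 0:
        return ["rate value must be positive"]
    if (n == 1) == unit.endswith("s"):
        return [f"unit {unit!r} does not agree with value {n}"]
    return []

def validate(params):
    """Run every check over a dict of parameter values; returns only the parameters with problems."""
    report = {
        "AdGroupsOUs": check_ou_list(params["AdGroupsOUs"]),
        "AdPeopleOUs": check_ou_list(params["AdPeopleOUs"]),
        "AdHost": check_hosts(params["AdHost"]),
        "AdPort": check_port(int(params["AdPort"]), params["UseSecureLdap"].lower() == "true"),
        "SSMPrefix": check_prefix(params["SSMPrefix"]),
        "ScheduleRate": check_rate(params["ScheduleRate"]),
    }
    return {name: problems for name, problems in report.items() if problems}

SAMPLE_PARAMS = {  # constructed values for illustration only; three of them are deliberately wrong
    "AdGroupsOUs": "ou=Groups,DC=corp,DC=example,DC=com|ou=Distribution Lists,DC=corp,DC=example,DC=com",
    "AdPeopleOUs": "ou=Users,DC=corp,DC=example,DC=com,ou=Contractors,DC=corp,DC=example,DC=com",
    "AdHost": "dc1.corp.example.com, dc2.corp.example.com",
    "AdPort": "389",
    "UseSecureLdap": "true",
    "SSMPrefix": "/click/",
    "ScheduleRate": "rate(1 hours)",
}

if __name__ == "__main__":
    for name, problems in validate(SAMPLE_PARAMS).items():
        print(name, "->", "; ".join(problems))
```

Run against SAMPLE_PARAMS it reports three problems: the two people OUs are joined with a comma rather than a pipe (which LDAP would happily parse as one eight-component DN that matches nothing), port 389 contradicts UseSecureLdap, and rate(1 hours) is not a valid rate expression. The DN check is escape-aware on purpose: an OU name containing an escaped comma is legitimate and must not trigger the "joined DNs" heuristic.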
SecurityGroupIds
Select one or more security groups to apply to the CLICK AD Gateway Lambda function. The Lambda must be able to reach the Domain Controllers you have specified in the AdHost parameter, so be sure to pick Security Group(s) that allow that connectivity.
SubnetIds
Select one or more subnets in which the CLICK AD Gateway Lambda function should run. The Lambda must be able to reach the Domain Controllers you have specified in the AdHost parameter, so be sure to select subnets that have the appropriate routes configured.
TrustExternalId
This value is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain a unique, automatically-generated value that is used to authenticate incoming sts:AssumeRole requests from CLICK. It will be specified as the External ID in the trust policy of the IAM Role the CloudFormation stack creates.
TrustRoleArn
This value is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain an ARN for an IAM Role created in the CLICK SaaS account specifically for connecting to this CLICK AD Gateway deployment. It will be specified in the trust policy of the IAM Role the CloudFormation stack creates.
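TrustRoleArn and TrustExternalId together define who may assume the role the stack creates, so it helps to see the trust policy they produce and how IAM evaluates it. The following is an added example, not the CLICK template's own policy document: it builds a trust policy of the shape the two parameters describe and evaluates sample sts:AssumeRole requests against it, showing that the correct CLICK role is still denied when it presents a different External ID or none at all. That is the confused-deputy protection the External ID exists for: a multi-tenant service role cannot be steered into assuming your role on another tenant's behalf without knowing your deployment's value. The role ARN, External ID and function names are constructed placeholders.

```python
import json

# Added example of the trust relationship the TrustRoleArn / TrustExternalId parameters feed.
# The ARN and External ID below are constructed placeholders; the portal generates the real ones.
TRUST_ROLE_ARN = "arn:aws:iam::999999999999:role/click-gateway-connector"
TRUST_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-0000"

def build_trust_policy(trust_role_arn, external_id):
    """Trust policy of the shape the page describes: only the CLICK role may assume the
    gateway role, and only when its AssumeRole call carries the expected External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trust_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_json(trust_role_arn, external_id):
    """JSON form of the policy, as it would appear in the role's AssumeRolePolicyDocument."""
    return json.dumps(build_trust_policy(trust_role_arn, external_id), indent=2)

def assume_role_allowed(policy, caller_role_arn, external_id=None):
    """Evaluate an sts:AssumeRole request against the trust policy the way IAM does for this
    statement shape: the caller's role must be a listed principal and every condition must
    hold. A request with no sts:ExternalId fails StringEquals and is therefore denied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_role_arn not in principals:
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id != expected:
            continue  # condition unmet: this statement grants nothing
        return True
    return False  # no statement matched: implicit deny

if __name__ == "__main__":
    policy = build_trust_policy(TRUST_ROLE_ARN, TRUST_EXTERNAL_ID)
    print(trust_policy_json(TRUST_ROLE_ARN, TRUST_EXTERNAL_ID))
    attempts = [  # constructed requests: (caller role, External ID presented)
        (TRUST_ROLE_ARN, TRUST_EXTERNAL_ID),
        (TRUST_ROLE_ARN, "some-other-tenant-value"),
        (TRUST_ROLE_ARN, None),
        ("arn:aws:iam::999999999999:role/unrelated-role", TRUST_EXTERNAL_ID),
    ]
    for role, ext in attempts:
        print(role, ext, "->", "ALLOW" if assume_role_allowed(policy, role, ext) else "DENY")
```

Only the first of the four constructed requests is allowed. Note that the caller is identified by its role ARN: IAM matches the sessionIssuer of an assumed-role session against the Principal element, which is why TrustRoleArn names the role rather than a session.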
UseSecureLdap
Set this value to true if you will be using Secure LDAP to communicate with the Domain Controller. Note that this requires the creation of an additional SSM Parameter to store the certificate private key. Additional information can be found in the full CLICK Deployment guide.