Synchronize Google G-Suite using LDAP

So, we started out by saying that we are going to use Moodle as the reference directory. From this we will build our LDAP directory (synchronize from Moodle to LDAP). So now we want to synchronize our G-Suite directory to LDAP.  How do we achieve this? Well, Google provides an excellent standalone tool for Windows and Linux, called Google Cloud Directory Sync (GCDS). Download and install this tool. It has very good documentation provided by Google on the use of this tool.

Just to add to the documentation:Google uses ldap:// or ldaps:// methods only, to connect to your LDAP server. Ensure that standard LDAP (ports 389 for normal and 636 for SSL). These should be open on your LDAP server. Make sure that ldaps:// service is authorized. Default installation does not and you need to ensure that this line, SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" is present in the file /etc/default/slapd. Use LDAP + SSL setting in GCDS. Another common problem is that the certificates in LDAP configuration have expired and so ldaps:// fails to connect. Just copy the renewed certificates over or setup a CRON to do this each time server domain certificates are renewed by letsencrypt’s certbot-auto renew as explained in this post’s STEP 4.

Sometimes, in the LDAP configuration page, when you go to test the connection it may fail. Your logfile may indicate problem with certificate revoke check failure. The only way that I could get around this was to add the following 2 lines to both files sync-cmd.vmoptions and config-manager.vmoptions,

-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

In the Google domain configuration page, add exclusion rules for all of the accounts that you don’t want touched, such as admin accounts, functional accounts that have no actual users, etc.

In General settings I checked Users and Organizational units. You can select other items as needed.

In the Org units settings page you can setup your base dn and the organizations search filter and any exclusion rules if any.

In the User Accounts settings: Email address attribute  set to mail, Unique identifier attribute should set to uid and set your suspension deletion policy. I set mine to only suspend. In the additional user attributes tab, given name attribute is set to givenName, Family name attribute is set to sn, user password sync is set only for new users, password timestamp attribute set to pwdChangedTime. In the search rules tab, add your search rules. Mine was: (&(objectClass=inetOrgPerson)(!(ou=*suspended*))(uid=*)) which means that include all users who are not suspended. In the Exclusion tabs seeings, if your LDAP query includes specific users you do not want to import, add an exclusion rule for each user. I have several rules to exclude many users here that should not have Google accounts such as parents, etc.

Finally you get to the sync page and you can simulate your scenario and fine tune before doing the actual sync.

After this, your Moodle directory was used to build your LDAP directory which in turn was used to synchronize your Google G-suite directory!

Posted in Directory Services, G-Suite, LDAP and tagged , , .

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.