Synchronize Google G-Suite using LDAP

So, we started out by saying that we are going to use Moodle as the reference directory. From this we will build our LDAP directory (synchronize from Moodle to LDAP). So now we want to synchronize our G-Suite directory to LDAP.  How do we achieve this? Well, Google provides an excellent standalone tool for Windows and Linux, called Google Cloud Directory Sync (GCDS). Download and install this tool. It has very good documentation provided by Google on the use of this tool.

Just to add to the documentation:Google uses ldap:// or ldaps:// methods only, to connect to your LDAP server. Ensure that standard LDAP (ports 389 for normal and 636 for SSL). These should be open on your LDAP server. Make sure that ldaps:// service is authorized. Default installation does not and you need to ensure that this line, SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" is present in the file /etc/default/slapd. Use LDAP + SSL setting in GCDS. Another common problem is that the certificates in LDAP configuration have expired and so ldaps:// fails to connect. Just copy the renewed certificates over or setup a CRON to do this each time server domain certificates are renewed by letsencrypt’s certbot-auto renew as explained in this post’s STEP 4.

Sometimes, in the LDAP configuration page, when you go to test the connection it may fail. Your logfile may indicate problem with certificate revoke check failure. The only way that I could get around this was to add the following 2 lines to both files sync-cmd.vmoptions and config-manager.vmoptions,

In the Google domain configuration page, add exclusion rules for all of the accounts that you don’t want touched, such as admin accounts, functional accounts that have no actual users, etc.

In General settings I checked Users and Organizational units. You can select other items as needed.

In the Org units settings page you can setup your base dn and the organizations search filter and any exclusion rules if any.

In the User Accounts settings: Email address attribute  set to mail, Unique identifier attribute should set to uid and set your suspension deletion policy. I set mine to only suspend. In the additional user attributes tab, given name attribute is set to givenName, Family name attribute is set to sn, user password sync is set only for new users, password timestamp attribute set to pwdChangedTime. In the search rules tab, add your search rules. Mine was: (&(objectClass=inetOrgPerson)(!(ou=*suspended*))(uid=*)) which means that include all users who are not suspended. In the Exclusion tabs seeings, if your LDAP query includes specific users you do not want to import, add an exclusion rule for each user. I have several rules to exclude many users here that should not have Google accounts such as parents, etc.

Finally you get to the sync page and you can simulate your scenario and fine tune before doing the actual sync.

How to Automate this process using the Windows Task Scheduler App

What if you wanted an automatic synchronization of the GCDS? This is possible using the Windows task scheduler App.

  1. First setup the process manually and create the configuration file for GCDS making sure that all your filters, exceptions, LDAP authentications, Google Organizations are correctly setup. 
  2. Open the Windows Task Scheduler App.
  3. Follow instructions from the web on how to create a new scheduled task. These are generic instructions, no point repeating them here.
  4. The main point to remember is the Action and it should look like this: sync-cmd -a -c c:\users\madhu\onedrive\documents\gdcs_4712_hp.xml
  5. Ensure that the starting directory is given as in example: c:\Program Files\Google Cloud Directory Sync 4.7.12
  6. Setup a desired schedule.
  7. The program automatically runs as user you designate in the task and you set options whether to wake computer to run or not, whether you are logged in or not, etc.

If you update GCDS and or change the configuration file name and location, ensure to change the settings above to reflect the new values.

Posted in Directory Services, G-Suite, LDAP and tagged , , .