Google Apps Directory Sync: Administration Guide
Administration Guide
Release 1.6.21
Google, Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
www.google.com
Google, the Google logo, Google Message Filtering, Google Message Security, Google Message Discovery, Postini, the
Postini logo, Postini Perimeter Manager, Postini Threat Identification Network (PTIN), Postini Industry Heuristics, and
PREEMPT are trademarks, registered trademarks, or service marks of Google, Inc. All other trademarks are the property of
their respective owners.
Use of any Google solution is governed by the license agreement included in your original contract. Any intellectual property
rights relating to the Google services are and shall remain the exclusive property of Google, Inc. and/or its subsidiaries
(“Google”). You may not attempt to decipher, decompile, or develop source code for any Google product or service offering,
or knowingly allow others to do so.
Google documentation may not be sold, resold, licensed or sublicensed and may not be transferred without the prior written
consent of Google. Your right to copy this manual is limited by copyright law. Making copies, adaptations, or compilation works,
without prior written authorization of Google, is prohibited by law and constitutes a punishable violation of the law. No part of
this manual may be reproduced in whole or in part without the express written consent of Google. Copyright © by Google, Inc.
Google, Inc. provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability or fitness for a particular purpose. Google, Inc. may revise this publication from time to
time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
This software uses JGoodies Forms, JGoodies Validation, and JGoodies Looks.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
o Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
o Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
o Neither the name of JGoodies Karsten Lentzsch nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Apache Derby
The Apache Software Foundation (http://www.apache.org/).
Portions of Derby were originally developed by International Business Machines Corporation and are licensed to the Apache
Software Foundation under the “Software Grant and Corporate Contribution License Agreement”, informally known as the
“Derby CLA”.
The following copyright notice(s) were affixed to portions of the code with which this file is now or was at one time distributed
and are placed here unaltered.
(C) Copyright 1997,2004 International Business Machines Corporation. All rights reserved.
The portion of the functionTests under 'nist' was originally developed by the National Institute of Standards and Technology
(NIST), an agency of the United States Department of Commerce, and adapted by International Business Machines
Corporation in accordance with the NIST Software Acknowledgment and Redistribution document at
http://www.itl.nist.gov/div897/ctg/sql_form.htm
Contents
Chapter 2: Introduction 9
About Google Apps Directory Sync 9
Features and Benefits 10
System Requirements 11
Comparison with Google Apps Directory Sync for Email Security 11
Architecture 12
Utility Overview 14
Chapter 4: Installation 27
About Installation 27
Enable APIs 27
Install Google Apps Directory Sync 28
Upgrade Google Apps Directory Sync 29
Uninstall Google Apps Directory Sync 29
Chapter 5: Configuration 31
About Configuration 31
Configuration Files 32
General Settings 32
Google Apps Configuration 35
Google Apps Settings 36
Exclusion Filters for Google Apps 38
LDAP Settings 44
LDAP Connection 45
LDAP Org Units 47
LDAP Org Unit Search Rules 48
LDAP Org Units Exclusion Rules 50
LDAP Org Unit Mappings 54
LDAP Users 56
LDAP User Attributes 58
LDAP Extended Attributes 60
LDAP User Sync 64
LDAP User Exclusion Rules 68
LDAP Groups 72
LDAP Group Search Rules 73
LDAP Group Exclusion Rules 78
LDAP User Profiles 81
LDAP User Profiles Attributes 82
LDAP User Profiles Sync 84
LDAP User Profiles Exclusion Rules 87
LDAP Shared Contacts 90
LDAP Shared Contacts Attributes 92
LDAP Shared Contacts Sync 94
LDAP Shared Contacts Exclusion Filter 97
Notifications 100
Delete Limits 102
Log Files 104
Simulate Sync 105
About This Guide
• Basic steps for installing the directory sync utility on your server.
This guide is intended for administrators who are already familiar with Google
Apps and with LDAP directory servers.
Related Documentation
For additional information about Google Apps and about related products, refer to
the following documents.
Directory Sync Admin Help Page: Central page for Google Apps Directory Sync.
Includes a description of the product, as well as available downloads. Get the
latest download here.
Google Apps Admin Help: Help Center for Google Apps. This includes
documentation and support for the entire Google Apps suite, including Google
Apps, Mail, and Google Apps Directory Sync.
Google Apps Directory Sync Release Notes: Release Notes for Google Apps
Directory Sync. This is kept up to date with the changes in the latest version,
including release schedules, new features, resolved issues, and known behavior
changes.
To send comments on this guide, email postini-doc_comments@google.com.
Please specify in your email message the section to which your comment applies.
If you want to receive a response to your comments, ensure that you include your
name and contact information.
Chapter 2: Introduction
The directory sync utility runs on a server machine in your network environment.
You can use any machine that is able to connect to your LDAP server and to
Google Apps.
Use Google Apps Directory Sync to synchronize information so that your Google
Apps users, groups, and shared contacts are automatically kept up to date with
your LDAP directory server.
Important: Before you enable Google Apps Directory Sync for your organization,
please keep a few things in mind:
If Google Profiles is enabled for your organization, the data synced from your
institution’s directory will be auto-populated into the Google Profile, which your
end user may then choose to publish publicly on the web. Your use of Google
Apps Directory Sync may in some cases override the user’s edits to their own
profile fields -- please communicate this to your end users if you have enabled
Google Profiles for your organization or if you do so in the future.
• Updates your Google Apps user and groups to match your LDAP data.
• A local on-site utility that runs in your server environment. No machine outside
your perimeter will access your LDAP directory server data.
System Requirements
Using Google Apps Directory Sync requires the following:
Note: Google Apps Directory Sync only synchronizes primary domains, not
domain aliases.
• User APIs enabled on your Google Apps domain. For steps on how to do this,
see “Enable APIs” on page 27.
• At least 5GB of disk space for log files and data. If you are running with
DEBUG or INFO level of logging, you may need more free space than this for
additional log data.
• At least 256MB of free RAM. At least 1GB of free RAM is suggested if you
have less than 10,000 users, or 2GB of free RAM if you have more than
10,000 users. For very large organizations (over 250,000) further tuning may
be needed.
• Network access to your LDAP server. You do not need to run the directory
sync utility on your LDAP server.
• A mail server able to accept and relay notifications from the directory sync
utility.
Comparison with Google Apps Directory Sync for Email Security
There is another utility with a similar name, Google Apps Directory Sync for Email
Security. This utility is used with Google Message Security, powered by Postini.
Despite the similar names, the utilities are completely separate. Google Apps
Directory Sync cannot be used with the message security service, and Google
Apps Directory Sync for Email Security cannot be used with Google Apps for your
domain. You can use both utilities in the same environment.
To find out more about Google Apps Directory Sync for Email Security, see the
Google Apps Directory Sync for Message Security web site here:
http://www.postini.com/dir_sync
Architecture
Google Apps Directory Sync runs on your server and updates Google Apps to
match your LDAP server. The directory sync utility never updates or changes your
LDAP server.
The following steps describe how the data flow of directory sync works.
1. The directory sync utility connects to your LDAP server and generates a list of
users, groups, and shared contacts on your directory. You can set up rules to
specify how this list is generated.
2. The directory sync utility connects to Google Apps and generates a list of
users, groups, and shared contacts in Google Apps. You can set up rules to
specify how this list is generated.
3. The directory sync utility compares these lists, and generates a list of
changes.
4. The directory sync utility then updates Google Apps to match your LDAP
server settings.
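As an added illustration of steps 1 through 4 (example code written for this
guide's description, not part of Google Apps Directory Sync), the following
Python dry-run takes a user list read from LDAP and one read from Google Apps,
applies the exclusion rules that the Preparation chapter describes as substring
or regular-expression matches on the email address, and produces the change
list: accounts to create in Google Apps and accounts to delete, or to suspend
when that option is chosen. All addresses and patterns are constructed for the
example.

```python
import re
from typing import Dict, Iterable, List


def excluded(address: str, patterns: Iterable[str]) -> bool:
    """True if the address matches any exclusion rule (GADS uses Java regex; re here)."""
    return any(re.fullmatch(p, address, re.IGNORECASE) for p in patterns)


def plan_changes(ldap_users: Iterable[str], google_users: Iterable[str],
                 ldap_exclusions: Iterable[str] = (), google_exclusions: Iterable[str] = (),
                 suspend_instead_of_delete: bool = False) -> Dict[str, List[str]]:
    """Compare the two lists and return the changes a sync would apply to Google Apps.

    Keys: 'create' (in LDAP only), 'delete' or 'suspend' (in Google Apps only),
    'keep' (in both). Nothing is ever written back to LDAP.
    """
    ldap_set = {u.lower() for u in ldap_users if not excluded(u, ldap_exclusions)}
    # An address excluded on the Google Apps side is invisible to the comparison:
    # it is neither created nor removed, which is what keeps pilot or shared
    # accounts that have no LDAP counterpart from being deleted by a sync.
    google_set = {u.lower() for u in google_users if not excluded(u, google_exclusions)}
    removal = "suspend" if suspend_instead_of_delete else "delete"
    return {
        "create": sorted(ldap_set - google_set),
        removal: sorted(google_set - ldap_set),
        "keep": sorted(ldap_set & google_set),
    }


# Constructed sample lists; none of these are real accounts.
LDAP_USERS = ["alice@example.com", "Bob@example.com", "printer-room1@example.com",
              "test.carol@example.com"]
GOOGLE_USERS = ["alice@example.com", "dave@example.com", "pilot-erin@example.com",
                "shared-helpdesk@example.com"]
# Hypothetical exclusion rules: resources and test accounts on the LDAP side,
# pilot and shared mailboxes on the Google Apps side.
LDAP_EXCLUSIONS = [r"printer-.*@example\.com", r"test\..*@example\.com"]
GOOGLE_EXCLUSIONS = [r"pilot-.*@example\.com", r"shared-.*@example\.com"]

if __name__ == "__main__":
    for suspend in (False, True):
        print(plan_changes(LDAP_USERS, GOOGLE_USERS, LDAP_EXCLUSIONS,
                           GOOGLE_EXCLUSIONS, suspend))
```

Run the same comparison without the Google-side exclusions to see why they
matter: every Google Apps account that is not in LDAP, including the pilot and
shared mailboxes, lands on the delete list.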
Utility Overview
The directory sync utility includes several components, designed to work together.
These components are:
• Scheduling - Once you have used sync-cmd successfully, use your operating
system’s scheduling functionality to schedule future synchronization.
Depending on the server you use, this might be a cron job, a Windows
Scheduled Service utility, or any other scheduling tool. For more information,
see “Synchronization” on page 109.
Chapter 3
About Preparation
Before you install Google Apps Directory Sync and configure synchronization, you
should plan how you will synchronize your LDAP structure with Google Apps.
Many steps in the configuration and synchronization process assume you already
have available key information about your LDAP directory server, mail server, and
Google Apps domain.
This chapter includes a checklist of information you’ll need before you begin,
strategy tips, LDAP browser information, and some sample LDAP queries.
Overview
You can expect the following steps when configuring a typical setup for Google
Apps Directory Sync.
2. Plan which users, aliases, and groups you want to synchronize with Google
Apps.
Note: You may need to purchase additional licenses in Google Apps if you add
users above your current number of licenses.
3. Collect required information about your LDAP server and your Google Apps
domain. You may need to download and set up an LDAP Browser to do this.
For links to LDAP browsers, see “Useful LDAP Tools” on page 16.
9. When the simulation is successful, save your final copy of the configuration
file and exit Configuration Manager.
10. At the command line, run a synchronization in preview mode with the
configuration file you created. Check the results.
11. At the command line, run a manual synchronization to update Google Apps.
The first synchronization, which imports all information, is likely to take much
longer than later synchronizations.
Note that these are third-party browsers, and this document does not include
instructions or support on the use of an LDAP browser.
http://www.ldapbrowser.com
JXplorer
To download the JXplorer Java Ldap Browser, go to:
http://www.jxplorer.org
LDAP Data Evaluation and Cleanup
Use an LDAP browser to examine your directory server data before you install
Google Apps Directory Sync or begin synchronizing. For more information on
downloading an LDAP browser, see “Useful LDAP Tools” on page 16.
You may find, while preparing for synchronization, that you have unexpected or
non-standard data in your LDAP directory server. It is always better to find and
address this before you begin synchronizing.
1. If you have the ability to modify or format your LDAP directory server, consider
cleaning up your LDAP server for easier synchronization. Look through your
data, and consider any data you may want to alter.
2. Check your LDAP directory server to find out which attributes contain the data
you need. In some cases, this data may include spaces. Google Apps stores
group names as email addresses, which cannot contain spaces, so note if any
of your group names require cleanup.
Users are fairly similar in LDAP and Google Apps, but LDAP also distinguishes
between users who are a “person” (actual humans) and users who are
“resources” (like printers and conference rooms). Different LDAP directory servers
implement users in different ways.
LDAP includes the concept of aliases, also sometimes called proxy addresses. In
Google Apps, these are called nicknames, but are functionally identical.
LDAP mailing lists forward mail for one address to a number of member
addresses. In Google Apps, these are implemented as groups. Google Apps
groups can include additional functionality, but should support the features of a
standard LDAP mailing list.
LDAP            Google Apps
Users           Users
Aliases         Nicknames
Mailing lists   Groups
• Which users do you want to synchronize? Look through your whole set of
users with an LDAP browser. You may have internal-only users, or special
users that should not have external email (such as conference rooms). You
may also decide to start by synchronizing only a small trial group of users.
Construct an LDAP query for the users you want to synchronize.
• Do you want to synchronize the LDAP org hierarchy? If you want to use
an org unit hierarchy in Google Apps, you can synchronize the organization
hierarchy from your LDAP directory server. Look through your whole set of
OUs with an LDAP browser. You may have special OUs that should not have
org units in Google Apps (such as an OU for printers). You may also decide to
start by synchronizing only a small trial group of users. Construct an LDAP
query for the org units you want to synchronize, and plan how you want to
map this into a hierarchy in Google Apps.
If you want to move users into Google Apps Organizations that you have
already set up, without creating or deleting Organizations in Google Apps,
select “Do not create or delete Google Organizations, but move users
between existing Organizations, as specified in the User Sync Rules” option
on the General Settings page. For every user search rule, specify the
Organization that should contain users for that rule, or an LDAP attribute that
contains the name of the appropriate Organization.
• Do you want to use the same domain or a pilot domain? If you specify
another domain in Configuration Manager, you can import a full list of users
into a different domain. You can use this method to test out Google Apps with
a trial domain that is different from the domain in your LDAP server. For more
information on pilot domains, see “Pilot Domain” on page 22.
• What LDAP attribute contains a user’s mail address? In many cases, this
will be the mail attribute. Use an LDAP browser to confirm the LDAP attribute
you want to use for mail addresses.
• What LDAP attribute(s) contain a user’s aliases? You can synchronize one
or more attributes for aliases in your LDAP Server into Google Apps
nicknames. Use an LDAP browser to confirm the LDAP attribute you want to
use. Be sure that the attribute contains only an email address, and not other
data such as a phone number.
• Do you want to import user names? You can use Google Apps Directory
Sync to import the full names of your users into Google Apps. If you want to
do this, find the LDAP attribute(s) that contains this information. User names
are often stored in two attributes: one for the first name and one for the last
name. If you do not have an LDAP attribute with the appropriate information,
you can skip this step.
• Do you want to import passwords? You can also use Google Apps
Directory Sync to import passwords from your LDAP directory server into
Google Apps. Passwords are supported as strings or binaries.
To synchronize passwords from LDAP, you will need an LDAP attribute that
stores passwords in plain text, MD5 or SHA1 format. Before you begin
configuration, find out what format your LDAP directory server uses to store
passwords. By default, Active Directory and Lotus Domino directory servers do
not make passwords available in any of these formats.
If you wish to synchronize passwords, you can synchronize for all users (if
you want to manage passwords in LDAP) or only for new users (if you want to
manage passwords in Google Apps).
If your LDAP directory server does not support passwords in the format that
Google Apps Directory Sync uses, consider the following options:
• Specify a default password for new users and force new users to change
their password on first login.
• Use a plaintext attribute, and force new users to change their password on
first login.
• Use a third-party utility to convert unsupported passwords to a supported
format.
• Implement Single Sign-On for your domain.
• Set passwords in Google Apps Directory Sync manually.
• What groups do you want to import? Mailing lists on your LDAP directory
server will be imported as groups in Google Apps. You may not want to import
all mailing lists, since some lists may be internal lists, or company resources
such as rooms or printers, or may contain unusable data. Directory Sync will
not modify or overwrite groups that users create with the Groups (user-
managed) service.
• What LDAP attribute contains mailing list members? Find out what
attribute lists the members of your mailing lists. This is often the member
attribute or the mailAddress attribute, but your LDAP directory server may be
different. If this attribute is also used for other data, you may need to use
another attribute or to clean up your LDAP directory server. If this field
contains any spaces, choose a substitution character to replace spaces, since
Google Apps mailing addresses cannot contain spaces.
• Is the LDAP attribute for mailing list members a literal email address, or
a user DN reference? Some mailing list attributes describe members by
email address (literal), and some describe members by a Distinguished Name
(reference). Google Apps Directory Sync can work with either, but you’ll need
to know which you’re using beforehand.
• Do you want to delete users who are not in your LDAP directory server,
or just suspend them? By default, users not found on your LDAP directory
server will be deleted. If you are worried about losing user data, you can set
the directory sync utility to suspend users instead of deleting them. This
allows for data recovery if users are later recovered.
Note: You cannot use this setting if you set directory sync to suspend users in
LDAP directory server instead of deleting them.
• Are there any exceptions on your LDAP directory server that you don’t
want to synchronize? Your LDAP directory server may contain users or
groups that you don’t want to synchronize with Google Apps. This could
include internal users, resources like printers or conference rooms, archived
or deleted users, test accounts, or other entries that belong in your LDAP
directory server but not in Google Apps. Find out which users and groups
you’d like to exclude, and look for any common pattern that may simplify
exception rules.
• Are there any exceptions on your Google Apps domain that you don’t
want to synchronize? Your Google Apps account may have users or groups
that you don’t want to synchronize with LDAP directory server. This could
include new users not listed in your LDAP directory server, pilot test accounts,
shared Google Apps accounts, or other entries that belong in your Google
Apps account but not your LDAP directory server. Find out which users and
groups you’d like to exclude, and look for any common pattern that may
simplify exception rules.
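For the password question above, the first step is to find out which storage
scheme the directory uses. The following Python check is added as an example,
not code from Google Apps Directory Sync: it parses userPassword values in the
RFC 2307 “{SCHEME}base64” form that OpenLDAP and similar servers expose, and
reports which entries hold the plain text, MD5 or SHA1 values that the guide
says can be imported. It assumes those are unsalted digests, so salted (SSHA,
SMD5) and crypt(3) values are flagged as needing one of the workarounds listed
above. The sample values are constructed from throwaway strings; Active
Directory does not expose password hashes this way.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# scheme -> (label, unsalted digest length in bytes, importable per the guide)
SCHEMES = {
    "MD5": ("md5", 16, True),
    "SHA": ("sha1", 20, True),
    "SMD5": ("salted md5", 16, False),
    "SSHA": ("salted sha1", 20, False),
    "CRYPT": ("crypt(3)", 0, False),
}


def classify(value: str) -> Tuple[str, bool, str]:
    """Return (scheme label, importable, reason) for one userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        # No "{SCHEME}" prefix: the directory stores the password in clear.
        return ("plaintext", True, "stored in clear; force a password change on first login")
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme not in SCHEMES:
        return (scheme.lower(), False, "unknown scheme; convert with a third-party tool or use SSO")
    label, digest_len, importable = SCHEMES[scheme]
    if scheme == "CRYPT":
        return (label, False, "crypt(3) hashes cannot be converted; use a default password or SSO")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return (label, False, "payload is not valid base64")
    if len(raw) < digest_len:
        return (label, False, "digest shorter than %d bytes" % digest_len)
    if importable and len(raw) != digest_len:
        # Unsalted schemes carry exactly the digest; anything extra is not importable as-is.
        return (label, False, "unexpected %d trailing bytes" % (len(raw) - digest_len))
    if importable:
        return (label, True, "importable as %s" % label)
    # Salted schemes append the salt after the digest, so the password itself is
    # not recoverable as a bare MD5/SHA1 value.
    return (label, False, "salted (%d-byte salt); not importable" % (len(raw) - digest_len))


def audit(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Group DNs by scheme label and list those that cannot be imported."""
    by_scheme: Dict[str, List[str]] = {}
    for dn, value in entries.items():
        label, ok, _ = classify(value)
        by_scheme.setdefault(label, []).append(dn)
        if not ok:
            by_scheme.setdefault("not_importable", []).append(dn)
    return by_scheme


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


SALT = b"s4lt"
# Constructed sample values: hashes of throwaway strings, not real credentials.
SAMPLE = {
    "uid=alice,ou=People,dc=example,dc=com": "{SHA}" + _b64(hashlib.sha1(b"alice-pw").digest()),
    "uid=bob,ou=People,dc=example,dc=com": "{MD5}" + _b64(hashlib.md5(b"bob-pw").digest()),
    "uid=carol,ou=People,dc=example,dc=com":
        "{SSHA}" + _b64(hashlib.sha1(b"carol-pw" + SALT).digest() + SALT),
    "uid=dave,ou=People,dc=example,dc=com": "{CRYPT}abJnggxhB/yWI",
    "uid=erin,ou=People,dc=example,dc=com": "erin-pw",
}

if __name__ == "__main__":
    for dn, value in SAMPLE.items():
        print(dn, classify(value))
    print(audit(SAMPLE))
```

Run the audit against an export of the userPassword attribute before you decide
between syncing passwords for all users, syncing them for new users only, or
one of the alternatives listed above; the "not_importable" list tells you how
many accounts each alternative has to cover.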
Note: The directory sync utility does not create a domain for you, so you will
need to add it beforehand.
Collect the exact domain name from the Google Apps Control Panel. Note
that you can only synchronize a primary domain, not a domain alias.
• LDAP Base DN: The directory sync utility will use this Base DN as the top
level for all LDAP queries. You can use an LDAP browser to collect this
information. If your LDAP directory server includes OUs that you do not want
to sync, consider a Base DN that doesn’t include these OUs. Since the
directory sync utility searches for both users and groups from the Base DN,
specify a Base DN on a level that includes the users and groups you want to
synchronize.
• LDAP Queries: Decide which users to synchronize from your LDAP directory
server, and create one or more LDAP queries that will find those users. For
more information, see “LDAP Queries” on page 23.
• Mapping: Plan which users will go into Google Apps. Note that you may have
some users who should not be synchronized, either on your LDAP server or in
Google Apps. Prepare a list of exceptions so that you know what rules to set
up.
• Mail Server: The SMTP mail server to use for notifications. The directory
sync utility connects to the mail server you specify. You will need the domain
name or IP address of a mail server that will relay messages from the
directory sync server. If the SMTP server you plan to use requires SMTP
authentication, find or create a username and password for SMTP
authentication.
Once you have collected this information and decided on how you want to
synchronize users in different organizations, you’re ready to begin with
Configuration Manager.
If you begin using Configuration Manager and find you need more information,
save your configuration file. You can return to Configuration Manager and load
your XML file after you collect the needed information.
Pilot Domain
You may decide to run a pilot program, using a test domain instead of your LDAP
primary domain to try Google Apps and Google Apps Directory Sync. Using
Google Apps Directory Sync, this is very easy.
After your pilot period is complete, you can change the domain name (and Google
Apps administrator) to your actual primary domain, and keep all other
configuration options the same. For more information on setting up your domain
name, see “LDAP Connection” on page 45.
Planning for Large or Complex Deployments
If your deployment is large enough or complex enough to require multiple
configuration files, you may need extra planning and preparation.
An LDAP query that returns too many results may time out before returning any.
If this happens, do not split the work across multiple configuration files to
reduce load; that actually slows down Google Apps Directory Sync. Instead, use
a single configuration file with multiple LDAP queries.
For instance, instead of looking for all users in an organization with a single query,
create two rules, one to search for users with an address that starts with any letter
A through M, and another that starts with any letter N through Z (plus any
numbers or other supported characters). Splitting up your LDAP query into
multiple queries with fewer results is called sharding. Sharding is a common
solution to LDAP timeout issues for large deployments.
You can also run the same configuration file, and synchronize only groups, or
synchronize only users. For more information on how to do this, see “Command
Line Synchronization” on page 109.
LDAP Queries
The directory sync utility uses the LDAP query language to gather information
from your directory server. The LDAP query language is a flexible standard that
supports complex and powerful logical queries.
To build your LDAP queries, you will need to know your LDAP structure. The best
way to collect directory server information is an LDAP browser. For more
information, see “Useful LDAP Tools” on page 16.
Google Apps Directory Sync strictly adheres to RFC 2254, which defines the
standard syntax for LDAP search filters. (RFC 2254 has since been superseded
by RFC 4515, which keeps the same filter syntax.)
Most of the search rules in the directory sync utility use LDAP queries. The
only exception is the exclusion rules, which match substrings or regular
expressions against the text of email addresses rather than LDAP fields.
Note: This document lists many common queries, but every directory server is
different, and many store information in different fields or formats. To develop
these queries, consult standard LDAP documentation and review your LDAP
structure with an LDAP browser. Google Support cannot write LDAP queries for
your environment or debug your LDAP queries.
For examples of how these operators are used, see the common LDAP queries
below.
objectclass=*
(&(objectclass=user)(objectcategory=person))
(objectcategory=group)
(objectcategory=publicfolder)
All user objects except for ones with primary email addresses that begin with
“test”
(&(&(objectclass=user)(objectcategory=person))(!(mail=test*)))
All user objects except for ones with primary email addresses that end with
“test”
(&(&(objectclass=user)(objectcategory=person))(!(mail=*test)))
All user objects except for ones with primary email addresses that contain the
word “test”
(&(&(objectclass=user)(objectcategory=person))(!(mail=*test*)))
All user objects (users and aliases) that are designated as a “person” and all
group objects (distribution lists)
(|(&(objectclass=user)(objectcategory=person))(objectcategory=group))
All user objects that are designated as a “person”, all group objects and all
contacts, except those with any value defined for extensionAttribute9:
(&(|(|(&(objectclass=user)(objectcategory=person))(objectcategory=group))(objectclass=contact))(!(extensionAttribute9=*)))
(objectClass=person)
(&(objectclass=user)(objectcategory=person))
(objectClass=inetOrgPerson)
(objectClass=dominoPerson)
Lotus Domino LDAP: All objects with a mail address defined that are designated
as a “person” or “group”:
(&(|(objectclass=dominoPerson)(objectclass=dominoGroup)(objectclass=dominoServerMailInDatabase))(mail=*))
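To check a query such as the ones above, and the sharded pair described under
“Planning for Large or Complex Deployments”, before pasting it into
Configuration Manager, the following Python evaluator is added here as an
example (it is not part of Google Apps Directory Sync). It parses the RFC 2254
forms these queries use: presence, equality, substring with “*”, AND, OR and
NOT, and runs them against a constructed in-memory set of entries that imitates
Active Directory attributes (objectCategory shortened to its display name, as AD
resolves it in filters). It does not connect to a directory; the entries and
addresses are invented for the example.

```python
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]      # attribute name (lower case) -> values
Directory = Dict[str, Entry]      # DN -> entry


def parse(text: str):
    """Parse an RFC 2254 filter into ('&'|'|'|'!', [children]) or ('=', attr, pattern)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos >= len(text):
            raise ValueError("unexpected end of filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            if op in "&|" and not kids:
                raise ValueError("'%s' needs at least one operand" % op)
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated simple filter")
        attr, eq, pattern = text[pos:end].partition("=")
        if not attr or not eq:
            raise ValueError("expected attr=value at offset %d" % pos)
        pos = end + 1
        return ("=", attr.strip().lower(), pattern)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return tree


def _glob(pattern: str) -> "re.Pattern[str]":
    # '*' is the only wildcard in an RFC 2254 substring filter; everything else is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


def matches(tree, entry: Entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if pattern == "*":                      # presence filter, e.g. (mail=*)
        return bool(values)
    rx = _glob(pattern)
    return any(rx.fullmatch(v) for v in values)


def search(filter_text: str, directory: Directory) -> List[str]:
    """DNs of entries matching the filter, in sorted order."""
    tree = parse(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def sharded(base: str, attr: str, first_chars: str) -> Tuple[str, str]:
    """Split one search rule into two: attr starts with one of first_chars, and everything else.

    Digits and other characters fall into the second shard, so no entry is lost."""
    alts = "".join("(%s=%s*)" % (attr, c) for c in first_chars)
    return ("(&%s(|%s))" % (base, alts), "(&%s(!(|%s)))" % (base, alts))


def shards_partition(base: str, shards: Tuple[str, ...], directory: Directory) -> bool:
    """True when the shards are disjoint and together return exactly the unsharded result."""
    full = set(search(base, directory))
    seen: List[str] = []
    for s in shards:
        seen.extend(search(s, directory))
    return len(seen) == len(set(seen)) and set(seen) == full


_USER = ["top", "person", "organizationalPerson", "user"]
# Constructed entries imitating Active Directory; not from any real domain.
DIRECTORY: Directory = {
    "CN=Alice,OU=Staff,DC=example,DC=com":
        {"objectclass": _USER, "objectcategory": ["person"], "mail": ["alice@example.com"]},
    "CN=Test Bob,OU=Staff,DC=example,DC=com":
        {"objectclass": _USER, "objectcategory": ["person"], "mail": ["test.bob@example.com"]},
    "CN=Olivia,OU=Staff,DC=example,DC=com":
        {"objectclass": _USER, "objectcategory": ["person"], "mail": ["olivia@example.com"]},
    "CN=9lives svc,OU=Service,DC=example,DC=com":
        {"objectclass": _USER, "objectcategory": ["person"], "mail": ["9lives@example.com"]},
    # AD contacts also carry objectCategory=person, which is why the guide's
    # queries pair it with objectclass=user.
    "CN=Vendor,OU=Contacts,DC=example,DC=com":
        {"objectclass": ["top", "person", "organizationalPerson", "contact"],
         "objectcategory": ["person"], "mail": ["vendor@partner.example"]},
    "CN=Sales,OU=Groups,DC=example,DC=com":
        {"objectclass": ["top", "group"], "objectcategory": ["group"], "mail": ["sales@example.com"]},
    "CN=PRN01,OU=Printers,DC=example,DC=com":
        {"objectclass": ["top", "computer"], "objectcategory": ["computer"]},
}

PEOPLE = "(&(objectclass=user)(objectcategory=person))"
PEOPLE_NO_TEST = "(&(&(objectclass=user)(objectcategory=person))(!(mail=test*)))"
PEOPLE_AND_GROUPS = "(|(&(objectclass=user)(objectcategory=person))(objectcategory=group))"
SHARD_AM, SHARD_REST = sharded(PEOPLE, "mail", "abcdefghijklm")

if __name__ == "__main__":
    for q in (PEOPLE, PEOPLE_NO_TEST, PEOPLE_AND_GROUPS, SHARD_AM, SHARD_REST):
        print(q, "->", search(q, DIRECTORY))
    print("shards partition:", shards_partition(PEOPLE, (SHARD_AM, SHARD_REST), DIRECTORY))
```

Use shards_partition to confirm that a sharded set of rules returns exactly the
entries the single query did; writing the second shard as “not A through M”
rather than “N through Z” is what keeps addresses that begin with a digit or
other character from being silently dropped.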
Chapter 4: Installation
About Installation
To run Google Apps Directory Sync, install the directory sync utility on your server.
The directory sync utility is designed to run on Windows, Linux or Solaris
machines.
The installer is an executable program that installs all needed components on the
server, including managing libraries, classpath variables, and other components.
The installer also uninstalls any existing version of the directory sync utility in the
same directory.
Enable APIs
Google Apps Directory Sync uses the Google Apps User API to update your
Google Apps domain. For successful synchronization, log in to Google Apps and
enable the User API.
4. For Provisioning API: Check the box next to Enable provisioning API.
Install Google Apps Directory Sync
To install the directory sync utility:
2. Choose the operating system of the server where you plan to run the directory
sync utility and click Download.
4. Complete all the steps of the installer.
The installer contains all needed components and can be run offline without any
outside connection.
Note: To run synchronization, you must also enable APIs on your Google Apps
domain. See “Enable APIs” on page 27.
The installer wizard automatically detects and uninstalls previous versions of the
software in the same directory.
1. Open a command line interface and go to the directory that contains the
directory sync utility.
2. Run the following command:
uninstall
All directory sync utility files and all libraries not used by other programs will be
removed. Log files and XML configuration files will not be deleted.
Chapter 5: Configuration
About Configuration
Configuration Manager is a step-by-step graphical user interface that walks you
through creating and testing an XML configuration file for Google Apps Directory
Sync.
Note: Before you use Configuration Manager, collect information about your LDAP
directory server and your Google Apps setup. For more information, see
“Planning Your Synchronization Strategy” on page 16.
Once you have set up your configuration in Configuration Manager, you can run
your actual synchronization from the command line. See “Synchronization” on
page 109.
Configuration Manager does not change the data in your LDAP directory server or
Google Apps. It is strictly used to configure and simulate synchronization.
Configuration Manager walks you through each step of configuring Google Apps
Directory Sync. Once you have finished each page, click Next to go to the next
step. You can also go back to previous steps with the Previous button, or jump
directly to any step using the left side navigation menu.
The directory sync utility includes several ways to customize search rules and
filters. When collecting information from your LDAP server, you can define LDAP
queries to extract information. The directory sync utility supports RFC 2254, the
international standard on LDAP Filters. For the details, see RFC 2254:
http://www.ietf.org/rfc/rfc2254.txt
The directory sync utility also includes some non-LDAP filters, in which you
use regular expressions to filter for patterns of text. These use standard Java
regular expression syntax, which is similar to most other regular expression
dialects.
Configuration Files
In Configuration Manager, you can save or load configuration files to manage
multiple configuration files and store settings for later. All configuration files are
XML files.
To save configuration settings under a new name, select File->Save As from the
top menu and specify the directory and filename you wish to use. If you overwrite
an existing file, Configuration Manager will save the existing file as a copy with the
timestamp in the file name.
To save configuration settings under the existing name, select File->Save from
the top menu. If you are editing a new configuration file you haven’t saved yet, this
option will be greyed out. If you overwrite an existing file, Configuration Manager
will save the previous file as a copy with the timestamp of when the file was
overwritten.
To open a configuration file, select File->Open from the top menu and choose the
configuration file. The user interface will then show the settings for that
configuration file. To open a recent configuration file, select File->Open Recent
and choose the configuration file.
To start a new configuration file, select File->New from the top menu.
Configuration Manager will load a new file with no configuration rules specified.
General Settings
On the General Settings page, specify which categories of object to synchronize.
If Google Profiles is enabled for your organization, the data synced from your
institution’s directory will be auto-populated into the Google Profile, which your
end user may then choose to publish publicly on the web. Your use of Google
Apps Directory Sync may in some cases override the user’s edits to their own
profile fields. Please communicate this to your end users if you have enabled
Google Profiles for your organization or if you do so in the future.
32 Release 1.6.21
Customer acknowledges and agrees that Customer is solely responsible for
complying with all laws and regulations that might be applicable to Customer’s
provision of Google Profiles to Customer’s end users, such as the U.S. Family
Educational Rights and Privacy Act of 1974 (FERPA), Children’s Internet
Protection Act (CIPA), and the Children’s Online Privacy Protection Act of 1998
(COPPA).
General Settings
The General Settings page also includes a reminder to enable the Provisioning
API. For more information about the Provisioning API, see “Enable APIs” on
page 27.
On the General Settings page, specify the following:
Options:
To start the application, run Google Apps Directory Sync Config Manager from the
Start menu, or run config-manager from the command line in the directory where
you installed the directory sync utility.
Before you begin setup in Google Apps Configuration, collect information about
your Google Apps domain and your LDAP directory server. For details on what
information you’ll need, see “Planning Your Synchronization Strategy” on page 16.
Google Apps Settings
Enter your Google Apps login and connection information in this section.
Admin Email Address
The email address used to log into Google Apps. This address should be a valid
Google Apps administrator in the domain that you are synchronizing.
Example: admin@example.com

Admin Password
Enter the password for the Google Apps administrator.
Example: swordfish

Domain Name
Enter the domain you wish to synchronize. You must use the primary domain in
Google Apps, not a domain alias.
Example: example.com
SSL Proxy Host Name (if needed)
If your server is running behind a firewall that requires an SSL Proxy to connect
to an outside server, enter the proxy host name here. If you can connect directly
to the internet from this machine, leave this field blank.
Example: firewall02-http.mixateriacorp.com

SSL Proxy Host Port (if needed)
If your server is running behind a firewall that requires an SSL Proxy to connect
to an outside server, enter the proxy host port here. Otherwise, leave this field
blank. Common ports for SSL proxy are 80, 8080, 3128 and 1080.
Example: 80

SSL Proxy User Name (if required)
If your server is running behind a firewall that requires an SSL Proxy to connect
to an outside server, and that proxy requires authentication, enter the proxy
authentication user name here.
Example: proxyuser01

Example: swordfish
HTTP Proxy Host Name (if needed)
If you use a different proxy server for HTTP connections than for SSL
connections, enter the HTTP proxy host here. Directory Sync always connects to
Google Apps over SSL. The only time the directory sync utility sends traffic by
unencrypted HTTP is to validate a certificate with the issuing authority.
Example: firewall02-http.mixateriacorp.com

HTTP Proxy Host Port (if needed)
If you use a different proxy server for HTTP connections than for SSL
connections, enter the HTTP proxy host port number here. If you do not use a
proxy server, or you use the same proxy server for HTTP and SSL connections,
leave this field blank.
Example: 80

HTTP Proxy User Name (if required)
If you use a different proxy server for HTTP connections than for SSL
connections, and your HTTP proxy requires authentication, enter the proxy
authentication user name here.
Example: proxyuser01

Example: swordfish
Other exclusion filters you might want to include are:
• Mailing list addresses you’ve manually added in your Google Apps groups
that are not in your LDAP server
Exclusion rules are based on string values and regular expressions, not LDAP
settings. You can exclude user profiles or shared contacts by their primary sync
key.
This page shows the list of exclusion filters. In a new configuration, this contains
no exclusion rules. To add new exclusion filters, click the Add Rule button at the
bottom of the screen.
In the list of Exclusion Filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
Users not in your LDAP Server
The directory sync utility will delete users from your list of Google Apps users and
from all Google Apps groups if they are not listed in your LDAP directory server.
Therefore, for single users not listed in your LDAP, add the following two rules.
First rule:
Second rule:
Pattern of users
If your Google Apps users list includes users that aren’t in your LDAP directory
server, and they all match a specific text pattern, you can use a substring or
regular expression instead of creating a rule for each user. In this example, all
these users have the name “appstrial” in their primary address, such as
appstrial-lydia@example.com and appstrial-manesh@example.com.
First rule:
Second rule:
If you have groups listed in Google Apps that don’t match a mailing list in your
LDAP directory server, the directory sync utility will delete them. Therefore, add
the following rule.
40 Release 1.6.21
External Mailing List Members
Groups in Google Apps can also include mailing addresses that are outside your
domain. Google Apps Directory Sync will remove these unless you add a Member
Name exclusion filter.
In this example, the Google Apps group also includes addresses in two other
domains, gmail.com and electric-automotive.com.
First Rule:
Second Rule:
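The comparison and exclusion behaviour described above, as an added Python example that is not part of the guide or the utility: it lists which Google Apps users and group members would be deleted as absent from LDAP, and which the exact, substring and regular-expression rules keep. The sample addresses are constructed, and treating a regular-expression rule as a whole-address match is an assumption.

```python
import re
from dataclasses import dataclass

# Added example, not code from the GADS tool: a dry run of the comparison this
# chapter describes. Addresses that exist in Google Apps but not in LDAP are
# scheduled for deletion unless an exclusion rule keeps them; rules come in the
# three match types used in the guide's samples (exact, substring, regular
# expression). Assumption: a regular-expression rule must match the whole
# address, like Java's String.matches; the real tool may apply it differently.

@dataclass(frozen=True)
class ExclusionRule:
    target: str   # "user" = Google Apps primary address, "member" = group member address
    kind: str     # "exact", "substring" or "regex"
    pattern: str

    def matches(self, address):
        if self.kind == "exact":
            return address.lower() == self.pattern.lower()
        if self.kind == "substring":
            return self.pattern.lower() in address.lower()
        if self.kind == "regex":
            return re.fullmatch(self.pattern, address, re.IGNORECASE) is not None
        raise ValueError("unknown match type %r" % self.kind)

def is_excluded(rules, target, address):
    """True if any rule for this target keeps the address out of the sync."""
    return any(r.target == target and r.matches(address) for r in rules)

def plan_user_sync(ldap_users, google_users, rules):
    """Return (to_add, to_delete, kept_by_exclusion) for the user list."""
    ldap = {u.lower() for u in ldap_users}
    google = {u.lower() for u in google_users}
    missing = google - ldap                      # in Google Apps, not in LDAP
    kept = sorted(u for u in missing if is_excluded(rules, "user", u))
    return sorted(ldap - google), sorted(missing - set(kept)), kept

def plan_group_members(ldap_members, google_members, rules):
    """Same comparison for one group's membership, using Member Name rules."""
    ldap = {m.lower() for m in ldap_members}
    google = {m.lower() for m in google_members}
    missing = google - ldap
    kept = sorted(m for m in missing if is_excluded(rules, "member", m))
    return sorted(ldap - google), sorted(missing - set(kept)), kept

# Constructed sample data in the spirit of the guide's examples.
LDAP_USERS = ["lydia@example.com", "manesh@example.com", "atif@example.com"]
GOOGLE_USERS = ["lydia@example.com", "atif@example.com", "admin@example.com",
                "appstrial-lydia@example.com", "appstrial-manesh@example.com",
                "contractor-old@example.com"]
RULES = [
    ExclusionRule("user", "exact", "admin@example.com"),   # single user not in LDAP
    ExclusionRule("user", "substring", "appstrial"),       # pattern of users
    ExclusionRule("member", "regex", r".*@gmail\.com"),    # external list members;
    ExclusionRule("member", "regex", r".*@electric-automotive\.com"),  # dots escaped
]
LDAP_GROUP_MEMBERS = ["lydia@example.com", "atif@example.com"]
GOOGLE_GROUP_MEMBERS = ["lydia@example.com", "atif@example.com", "pat@gmail.com",
                        "cfo@electric-automotive.com", "left@example.com"]

if __name__ == "__main__":
    add, delete, kept = plan_user_sync(LDAP_USERS, GOOGLE_USERS, RULES)
    print("users to add:", add)
    print("users to delete:", delete)
    print("users kept by exclusion rules:", kept)
    add, delete, kept = plan_group_members(LDAP_GROUP_MEMBERS, GOOGLE_GROUP_MEMBERS, RULES)
    print("members to delete:", delete, "kept:", kept)
```

An unescaped dot in a regular-expression rule matches any character, so ".*@gmail.com" would also keep addresses such as pat@gmailXcom; escape it as in the sample rules.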
Add Rule
Click Add Rule at the bottom of the page to create an exclusion rule.
Configuration 41
In the Add Exclusion Rule panel, specify the following to add an exclusion rule.
Keep in mind that this is information on your Google Apps account, not your LDAP
directory server.
LDAP Settings
The LDAP Settings section configures how the directory sync utility connects to
your LDAP directory server and generates your LDAP user list for comparison.
You may need to collect information from your LDAP directory server before you
can enter details in this section.
LDAP Connection
Specify your LDAP connection and authentication in this page.
Example: Standard
Example: 389
Example: ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Example: Simple

Authorized User
Enter the user who will connect to the server. This user should have read and
execute permissions for the whole subtree.
Example: admin1

Example: swordfishX23
Test Connection
Once you have configured LDAP Authentication settings, click Test Connection.
Configuration Manager will connect to your LDAP server and attempt to log in, to
verify the settings you entered.
LDAP Org Units
The LDAP Org Units section configures how the directory sync utility
synchronizes your LDAP org hierarchy with your Google Apps org units. You may
need to collect information from your LDAP directory server before you can enter
details in this section.
Synchronizing org units is optional. If you set “Do not create or delete Google
Organizations, but move users between existing Organizations” in General
Settings, org units will not be synchronized from LDAP. You can still specify which
users go in org units in the LDAP User Sync rules. For more information, see
“LDAP User Sync” on page 64.
LDAP Org Unit Search Rules
This shows a list of rules used when generating the LDAP org units.
By default, all org units that match these search rules will be added to the Google
Apps org unit hierarchy, and all org units that do not match these search rules will
be removed. You can change this behavior with exclusion filters.
This page shows the list of search rules. In a new configuration, this will be an
empty list. To add a search rule, click the Add Org Unit Search Rule button at the
bottom of the screen.
• Reorganize: Click the up arrow or down arrow icon to change the order of
search rules.
• Edit: Click the notepad icon to edit the settings of a search rule.
Search rules are processed in the order listed. If you would like one search rule to
take priority over another, move that search rule up using the up arrow icon on this
page. If two rules contradict each other, the first rule takes precedence.
Add Org Unit Search Rule
To add a new search rule, click Add Search Rule.
Org Unit Description Attribute
An LDAP attribute that contains the description of each org unit. This field is
optional. If left blank, your Org Units will not contain a description when created.
Example: description
Example: Subtree
Rule
The search rule for org unit sync to match. This rule is a standard LDAP query,
and allows sophisticated logic and complex rules for searching. For more
information about LDAP search filters, see “LDAP Queries” on page 23.
Example: ou=powerusers,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Some examples of reasons for LDAP org unit exclusion rules:
Note: To exclude individual org units, add a separate rule for each org unit.
This page shows the list of exclusion filters. In a new configuration, this will be an
empty list. To add exclusion filters, click the Add Rule button at the bottom of the
screen.
In the list of Exclusion Filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
Sample Substring Match: Defunct OUs
Several organizational units are no longer in use because two nearby offices
combined together. The defunct OUs all have “stpaul” in the DN.
• Rule: stpaul
Three specific organizational units are top security and should not be
synchronized.
First rule:
• Rule: ou=earlystatements,ou=finance,ou=users,dc=ad,dc=example,dc=com
Second rule:
• Rule: ou=confidential,ou=legal,ou=users,dc=ad,dc=example,dc=com
About thirty extra OUs are listed in the LDAP directory server, but they are only
used for internal load testing. All the test OUs follow the same name pattern:
ou=internal-testX,dc=ad,dc=example,dc=com, where X is a number.
• Rule: ou=internal-test[0-9]*,dc=ad,dc=example,dc=com
Add Rule
Click the Add Rule button at the bottom of the page to exclude an org unit in your
LDAP server from synchronization.
Examples:
• Exact Match: ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Specify how OUs on your LDAP server correspond to Org Units in Google Apps.
Add mappings for top-level Org Units, and Directory Sync will automatically map
sub-organizations on your LDAP directory server to Google Apps Org Units with
the same name. Add specific rules to override sub-organization mappings.
This page shows the list of mappings. In a new configuration, this will be an empty
list. To add a search rule, click the Add Org Mapping button at the bottom of the
screen.
On the list of Search Rules, you can change existing rules:
• Reorganize: Click the up arrow or down arrow icon to change the order of
search rules.
• Edit: Click the notepad icon to edit the settings of a search rule.
Search rules are processed in the order listed. If you would like one search rule to
take priority over another, move that search rule up using the up arrow icon on this
page. If two rules contradict each other, the first rule takes precedence.
Examples of Mapping
Listed below are samples of common mappings. Note that the exact text of these
rules will vary based on your needs.
First Rule:
Second Rule:
Third Rule (exception for Executives):
Add Mapping
To add a new search rule, click Add Mapping.
Example: ou=melbourne,dc=ad,dc=example,dc=com

(Google Apps) Name
The name of the org unit in Google Apps to map. To add users to the default
Organization in Google Apps, enter a single forward slash /.
Example: Melbourne
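The mapping behaviour described in this section (a top-level mapping, automatic mapping of sub-organizations under the same names, and a specific rule that overrides it), as an added Python example that is not the utility's own code; the mapping table is constructed, and writing Google Apps org units as "/"-rooted paths is an assumption.

```python
# Added example, not code from the GADS tool: derives the Google Apps org unit for
# an LDAP OU from an ordered list of mappings, following the rules this section
# gives: a mapped OU carries its sub-OUs across under the same names, a mapping
# for a specific DN overrides that, and when two rules name the same DN the
# first listed wins. Assumption: Google Apps org units are written here as
# "/"-rooted paths, with "/" alone meaning the default organization.

def parse_dn(dn):
    """Split a DN into RDNs, leaf first: 'ou=a,ou=b,dc=x' -> ['ou=a', 'ou=b', 'dc=x'].
    Simplification: escaped commas (RFC 4514 '\\,') are not handled."""
    return [rdn.strip() for rdn in dn.split(",")]

def _key(rdns):
    # DN comparison is case-insensitive for both attribute types and OU names.
    return tuple(r.lower() for r in rdns)

def _rdn_value(rdn):
    return rdn.partition("=")[2]

def _join(base, names):
    return base.rstrip("/") + "/" + "/".join(names)

def map_org_unit(ou_dn, mappings):
    """mappings: ordered list of (ldap_ou_dn, google_org_unit). Returns the Google
    org unit for ou_dn, or None when no mapping covers it."""
    parts = parse_dn(ou_dn)
    table = [(_key(parse_dn(d)), g) for d, g in mappings]
    for depth in range(len(parts)):          # depth 0 = exact match, 1 = parent, ...
        ancestor = _key(parts[depth:])
        for key, google_ou in table:          # first listed mapping wins
            if key == ancestor:
                if depth == 0:
                    return google_ou
                # sub-OUs below a mapped OU keep their own names, top-down
                names = [_rdn_value(r) for r in reversed(parts[:depth])]
                return _join(google_ou, names)
    return None

def org_unit_for_user(user_dn, mappings):
    """A user's org unit is that of the OU directly containing the user."""
    return map_org_unit(",".join(parse_dn(user_dn)[1:]), mappings)

# Constructed sample mappings; the first LDAP DN is the guide's own example.
MAPPINGS = [
    ("ou=melbourne,dc=ad,dc=example,dc=com", "/Melbourne"),
    ("ou=users,dc=ad,dc=example,dc=com", "/"),
    ("ou=executives,ou=users,dc=ad,dc=example,dc=com", "/Executives"),  # exception
]

if __name__ == "__main__":
    for dn in ("ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com",
               "ou=finance,ou=users,dc=ad,dc=example,dc=com",
               "ou=executives,ou=users,dc=ad,dc=example,dc=com",
               "ou=groups,dc=ad,dc=example,dc=com"):
        print(dn, "->", map_org_unit(dn, MAPPINGS))
```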
LDAP Users
The LDAP Settings section configures how Google Apps Directory Sync
generates your LDAP user list for comparison. You may need to collect
information from your LDAP directory server before you can enter details in this
section.
WARNING: After you delete a user, you can’t add the same user for 5 days.
Important: You must add at least one LDAP User Sync rule to run Google Apps
Directory Sync. This determines which users are synchronized and added in
Google Apps. Even if you only use Google Apps Directory Sync to sync groups
and not users (See “Synchronization options” on page 110), the users must be
read in, in order to resolve Reference Attributes for group members or group
owners.
LDAP User Attributes
Specify what attributes Google Apps Directory Sync will use when generating the
LDAP user list.
Server Type
The type of LDAP server that you are using with the directory sync utility.

Example: proxyAddresses
Domino Alias Address Attribute (if needed)
Only for Lotus Domino servers. One or more attributes used to hold internal
Domino alias attributes, which are stored as usernames without domain
information. These addresses will be formatted as email addresses and placed as
aliases to the primary address listed in the Email Address Attribute field.
Example: uid
Use Defaults
Click this button to use the default values for your server type, as follows:
LDAP Extended Attributes
LDAP Extended Attributes are optional LDAP attributes that you can use to import
additional information about your Google Apps users, including passwords.
All attributes are optional. If you do not specify an attribute, the directory sync
utility will not import this information.
Example: givenName
Example: surname
Options are:
Example: CustomPassword1
Example: SHA1
Force new users to change password
When checked, new users must change passwords the first time they log in to
Google Apps.
Default password for new users
Enter a text string that will serve as the default password for all new users. If the
user does not have a password in the password attribute, directory sync will use
the default password.
Example: swordfishX2!

Google Apps Users Deletion/Suspension Policy
Options for deleting and suspending users.
Available options:
LDAP User Sync
This shows a list of rules used when generating the LDAP user list.
By default, all users that match these search rules will be added to the Google
Apps user list and all users that do not match these search rules will be removed.
You can change this behavior with exclusion filters.
This page shows the list of search rules. In a new configuration, this will be an
empty list. To add a search rule, click the Add Search Rule button at the bottom
of the screen.
Note: You cannot create an LDAP rule to exclude a specific OU in your LDAP
directory. Instead, limit the LDAP administrator authority on your LDAP directory
server, removing access to any OUs on your LDAP directory server that you do
not want to synchronize.
• Reorganize: Click the up arrow or down arrow icon to change the order of
search rules.
• Edit: Click the notepad icon to edit the settings of a search rule.
Search rules are processed in the order listed. If you would like one search rule to
take priority over another, move that search rule up using the up arrow icon on this
page. If two rules contradict each other, the first rule takes precedence.
Depending on your General Settings, you may see different versions of the Add
LDAP User Sync Rule menu.
Specify the following:
Place users in the following Google Apps Org Unit
This option only shows if you have Synchronization of Google Organizations set
to “Sync LDAP Org Units” or “Do not create or delete Google Organizations, but
move users between existing Organizations” in General Settings.
Options include:
• Org Unit Name. Add all users that match this rule to the same Google Apps
Org Unit. Specify the org unit in the text field.
Example: Users
Example: extensionAttribute11
Suspend all users that match this LDAP user sync rule.
The directory sync utility will add new users that do not
yet exist in Google Apps. The new users are added as
suspended users, and are not active users.
Suspended users will not show up in your Global
Address List.
Example: Subtree
Rule
The search rule for user sync to match. This rule is a standard LDAP query, and
allows sophisticated logic and complex rules for searching. For more information
about LDAP search filters, see “LDAP Queries” on page 23.
objectclass=*
• For OpenLDAP: (objectClass=inetOrgPerson)
Example: ou=powerusers,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Exclusion rules are based on string values and regular expressions, not LDAP
settings.
Note: To exclude individual users, add a separate rule for each user.
This page shows the list of exclusion filters. In a new configuration, this will be an
empty list. To add exclusion filters, click the Add Exclusion Filter button at the
bottom of the screen.
In the list of Exclusion Filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
In this example, printers are listed as LDAP users and would match the LDAP
query given. However, the printers all have the word “printer” in the name. The
rule looks for that substring.
• Rule: printer
Sample Exact Match: Opt-Out Users
Two users have opted out of Google Apps and should not be synchronized.
First rule:
• Rule: atif
Second rule:
• Rule: svetlana
About five hundred test users are listed in LDAP, but they are only used for
internal load testing. All the test users follow the same name pattern:
internal-testX, where X is a number, and all test users are in the same domain.
• Rule: internal-test[0-9]*@example.com
Specify the following:
Examples:
LDAP Groups
Set up synchronization for Google Groups for Enterprise in the LDAP Groups
page. Google Groups for Enterprise are similar to LDAP mailing lists, and allow
users to send email to multiple recipients with a single email address. You can
also use groups to share content, including Google Docs, Sites, Videos and
Calendars.
The LDAP Settings section configures how Google Apps Directory Sync
generates a list of groups from your LDAP directory server. You may need to
collect information from your LDAP directory server before you can enter details in
this section.
User-Defined Groups and Google Apps Directory Sync
If you have enabled the Groups (user-managed) service in the Google Apps
control panel, you can let users create their own groups. These groups are not
centrally administered and are controlled by your users.
The directory sync utility will automatically detect groups that users create, and
will not delete or overwrite them.
This page shows the list of LDAP Group Sync rules. In a new configuration, this
will be an empty list. To add mail lists, click the Add Rule button at the bottom of
the screen.
In the list of Mail List rules, you can change existing rules as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
rules.
• Edit: Click the notepad icon to edit the settings of a rule.
Add Group Search Rule Filter (LDAP)
Click Add Rule at the bottom of the page to synchronize one or more addresses
as mailing lists.
The first tab you see is the LDAP tab, which contains information on which LDAP
objects to synchronize, and which attributes to use for groups information.
To view the groups you have in Google Apps, see the Google Apps control panel.
For two entries (Member and Owner) you have a choice of two attributes, a
Reference attribute or a Literal attribute. Enter only one of them.
To determine which to use, use an LDAP browser to look at the contents of the
field you want to use:
Specify the following:
Example: Subtree
Rule
The LDAP query for Group Sync to match. This allows sophisticated logic and
complex rules for searching. For more information about LDAP search filters, see
“LDAP Queries” on page 23.
Example: (objectclass=dominoGroup)

Example: ou=powerusers,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Example: mail
Group Display Name Attribute
An LDAP attribute that contains the display name of the group. This will be used
in the display to describe the group, and does not need to be a valid email
address.
Example: extendedAttribute6

Member Reference Attribute (either this field or Member Literal Attribute is
required)
Google Apps Directory Sync looks up the email addresses of these members and
adds each member to the group in Google Apps.
Example: memberUID

Member Literal Attribute (either this field or Member Reference Attribute is
required)
Google Apps Directory Sync adds each member to the group in Google Apps.
Example: memberaddress

Example: ownerUID

Owner Literal Attribute
An attribute that contains the full email address of each group’s owner.
Example: owner
Edit LDAP Group Rule (Prefix-Suffix)
If you need the directory sync utility to add a prefix or suffix to group names, user
names or owner names in Google Apps, list them here.
Group Name Prefix
Text to add at the beginning of each group name.
Example: groups-

Group Name Suffix
Text to add at the end of each group name.
Example: -list

User Name Prefix
Text to add at the beginning of each user name for group members.

User Name Suffix
Text to add at the end of each user name for group members.

Owner Name Prefix
Text to add at the beginning of each user name for group owners.

Owner Name Suffix
Text to add at the end of each user name for group owners.
LDAP Group Exclusion Rules
You can exclude particular addresses from being imported as groups.
If you have any entries in your directory server that match a mail list rule, but
should not be treated as a mailing list, list them here. This might include:
Exclusion rules are based on string values and regular expressions, not LDAP
settings.
This page shows the list of exclusion filters. In a new configuration, this will be an
empty list. To add exclusion filters, click the Add Rule button at the bottom of the
screen.
In the list of exclusion filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
Sample Substring Match: Defunct Mailing Lists
Several mailing lists are no longer in use because two nearby offices combined
together. The defunct lists all have “stpaul” in the address.
• Rule: stpaul
Three small-distribution LDAP mailing lists are top security and should not be
imported.
First rule:
• Rule: finance-early-statements
Second rule:
• Rule: internal-security
Third rule:
• Rule: legal-confidential
About five hundred test mailing lists are listed in LDAP, but they are only used for
internal load testing. All the test lists follow the same name pattern:
internal-testX, where X is a number, and all test lists are in the same domain.
• Rule: internal-test[0-9]*@example.com
Add Exclusion Filter
Click Add Rule at the bottom of the page to prevent an address from being
treated as a mailing list.
The LDAP User Profiles section configures how Google Apps Directory Sync
generates user profile information from your LDAP directory server. You may need
to collect information from your LDAP directory server before you can enter details
in this section.
LDAP User Profiles Attributes
Specify what attributes Google Apps Directory Sync will use when generating the
LDAP user profiles.
The fields are as follows.
Example: mail

Work mobile phone numbers
LDAP attribute that contains a user’s work mobile phone number.
Note: If you store your user profile information in the same place in your directory
server as your users’ mail addresses, you may use the same sync rules for LDAP
User Profiles as you did for LDAP User Sync. To use the same settings, add a
new search rule and copy the same scope and rule text.
By default, user profile information will be synchronized for all users that match
these search rules. You can change this behavior with exclusion filters.
This page shows the list of search rules. In a new configuration, this will be an
empty list. To add a search rule, click the Add Search Rule button at the bottom
of the screen.
Note: You cannot create an LDAP rule to exclude a specific OU in your LDAP
directory. Instead, limit the LDAP administrator authority on your LDAP directory
server, removing access to any OUs on your LDAP directory server that you do
not want to synchronize.
• Reorganize: Click the up arrow or down arrow icon to change the order of
search rules.
• Edit: Click the notepad icon to edit the settings of a search rule.
This dialog box has the following fields:
Example: Subtree
objectclass=*
• For OpenLDAP:
(objectClass=inetOrgPerson)
Example: ou=powerusers,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
This page shows the list of exclusion filters. In a new configuration, this will be an
empty list. To add exclusion filters, click the Add Exclusion Filter button at the
bottom of the screen.
In the list of Exclusion Filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
In this example, printers are listed as LDAP users and would match the LDAP
query given. However, the printers all have the word “printer” in the name. The
rule looks for that substring.
• Rule: printer
Two users have opted out of Google Apps and should not be synchronized.
First rule:
• Rule: atif@example.com
Second rule:
• Rule: svetlana@example.com
About five hundred test users are listed in LDAP, but they are only used for
internal load testing. All the test users follow the same name pattern:
internal-testX, where X is a number, and all test users are in the same domain.
• Rule: internal-test[0-9]*@example.com
Add Exclusion Filter
Click Add Exclusion Filter at the bottom of the page to exclude a user or
organization in your LDAP server from synchronization.
Shared Contacts in Google Apps are contacts that any user can see and use.
Shared Contacts correspond to a Global Address List (GAL) in Microsoft Active
Directory and other directory servers.
You can see Shared Contacts in Google Apps by going to your Inbox and clicking
the Contacts link.
The LDAP Shared Contacts section configures how Google Apps Directory Sync
generates shared contacts information from your LDAP directory server. You may
need to collect information from your LDAP directory server before you can enter
details in this section.
• Chooser. When a user clicks on the To field while composing a Google Apps
Mail message, the Chooser will present a list of possible recipients, similar to
an address list. This list of possible recipients comes from three places:
addresses that the user has mailed before, users (but not groups) in the
domain, and Shared Contacts.
• Contacts information. Shared Contacts are not visible when a user clicks
the Contacts tab. However, if a user sends mail to a contact, or adds a
contact, Google Apps will also add information from Shared Contacts.
Below are some of the most common reasons to import Shared Contacts:
• Give pilot users access to all users for autocomplete. If you are adding a small
number of users for a pilot program, consider adding other users as Shared
Contacts, so that pilot users will see the address of other users in
autocomplete.
The fields are as follows.
Examples: dn or contactReferenceNumber

Work mobile phone numbers
LDAP attribute that contains a contact’s work mobile phone number.
By default, shared contacts will be synchronized for all contacts that match these
search rules, and removed for shared contacts that do not match these rules. You
can change this behavior with exclusion filters.
This page shows the list of search rules. In a new configuration, this will be an
empty list. To add a search rule, click the Add Shared Contact Search Rule
button at the bottom of the screen.
Note: You cannot create an LDAP rule to exclude a specific OU in your LDAP
directory. Instead, limit the LDAP administrator authority on your LDAP directory
server, removing access to any OUs on your LDAP directory server that you do
not want to synchronize.
• Reorganize: Click the up arrow or down arrow icon to change the order of
search rules.
• Edit: Click the notepad icon to edit the settings of a search rule.
Example: Subtree
(objectclass=contact)
• For OpenLDAP:
(objectClass=inetOrgPerson)
Example: ou=powerusers,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Exclusion rules are based on string values and regular expressions, not LDAP
settings.
Note: To exclude individual contacts, add a separate rule for each contact.
This page shows the list of exclusion filters. In a new configuration, this will be an
empty list. To add exclusion filters, click the Add Exclusion Filter button at the
bottom of the screen.
In the list of Exclusion Filters, you can change existing filters as follows:
• Reorganize: Click the up arrow or down arrow icon to change the order of
exclusion filters.
• Edit: Click the notepad icon to edit the settings of an exclusion filter.
Two contacts have opted out of Google Apps and should not be synchronized.
First rule:
• Rule: atif@example.com
Second rule:
• Rule: svetlana@example.com
About five hundred test users are listed in LDAP, but they are only used for
internal load testing. All the test users follow the same name pattern:
internal-testX, where X is a number, and all test users are in the same domain.
• Rule: internal-test[0-9]*@example.com
Add Exclusion Filter
Click Add Exclusion Filter at the bottom of the page to exclude a user or
organization in your LDAP server from synchronization.
Notifications
You can set Configuration Manager so that every time synchronization occurs,
Google Apps Directory Sync will send out a notification to one or more users.
Consider adding a notification to send mail to your own address, and possibly the
addresses of any concerned parties in your company.
Send notifications from address: Enter the “From:” address for the notification
mail. Recipients will see this address as the notification sender. For instance,
you might use your own email address.
Example: dirsync@example.com
Example: dirsync-admins@example.com
SMTP Relay Host: The SMTP mail server to use for notifications. The directory
sync utility uses this mail server as a relay host.
Example: mail.example.com
Test Notification
Click this button to test notifications. Configuration Manager will connect to the
SMTP server you specified and send a test notification to the addresses you list.
Delete Limits
As a safeguard, you can limit how many users, groups, and shared contacts
Google Apps Directory Sync can delete during synchronization. This is
recommended as a way to prevent accidental mass deletion.
Note: Delete limits apply during synchronization, but not during simulation.
Simulation results will not include delete limits.
Example: 5%
Log Files
You can specify the file name and level of detail of logging for Google Apps
Directory Sync.
File name: Enter the directory and file name to use for the log file, or click
Browse to browse your file system.
Example: sync.log
Log Level: The level of detail of the log. Options are FATAL, ERROR, WARN, INFO,
DEBUG, and TRACE.
Maximum Log Size: The maximum size of the log file, in gigabytes. When this file
reaches half capacity, it is saved as a backup file (which overwrites any existing
backup file) and a new file is created. At any time, the total size of these two
files (the log file and the backup log file) will not exceed the total maximum
size.
Example: 4
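The rotation rule described for Maximum Log Size is easy to misread, so here it is modelled in code. This is an added example, not the utility's own logging code: sizes are in bytes rather than gigabytes so it runs instantly, the backup file name is an assumption, and the only claim it demonstrates is the one the guide makes, that the active log and its single backup together never exceed the configured maximum.

```python
import os
import tempfile


class HalfCapacityLog:
    """Models the guide's rotation rule: when the active file reaches half of
    the maximum size it becomes the backup (overwriting any previous backup)
    and a fresh file is started, so log + backup never exceed the maximum.

    Sizes here are bytes; the guide's setting is in gigabytes. The ".bak"
    suffix is an assumption of this example.
    """

    def __init__(self, path, max_size):
        self.path = path
        self.backup = path + ".bak"
        self.max_size = max_size
        self.threshold = max_size // 2

    def write(self, line):
        data = (line if line.endswith("\n") else line + "\n").encode("utf-8")
        current = os.path.getsize(self.path) if os.path.exists(self.path) else 0
        # Rotate before the write that would push the active file past half
        # capacity, so the backup is never larger than the threshold either.
        if current > 0 and current + len(data) > self.threshold:
            os.replace(self.path, self.backup)
        with open(self.path, "ab") as fh:
            fh.write(data)

    def total_size(self):
        return sum(os.path.getsize(p)
                   for p in (self.path, self.backup) if os.path.exists(p))


def demo(max_size=200, lines=60):
    """Write constructed log lines into a temporary directory and report the
    peak combined size, the final combined size and whether a backup exists."""
    workdir = tempfile.mkdtemp()
    log = HalfCapacityLog(os.path.join(workdir, "sync.log"), max_size)
    peak = 0
    for i in range(lines):
        log.write(f"INFO sync line {i:03d}")   # 19 bytes each, constructed
        peak = max(peak, log.total_size())
    return peak, log.total_size(), os.path.exists(log.backup)


if __name__ == "__main__":
    peak, final, has_backup = demo()
    print(f"peak combined size {peak}, final {final}, backup present {has_backup}")
```

With a 200-byte maximum and 19-byte lines, each file holds five lines (95 bytes) before rotating, so the two files peak at 190 bytes and never reach 200. The practical consequence for an administrator is that only the most recent two half-size windows of history survive; if the sync log is evidence you may need later, copy it elsewhere on a schedule rather than relying on the backup file.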
Simulate Sync
After you enter configuration information, use this section to verify and test your
Google Apps Directory Sync settings. Configuration Manager does not check for
valid LDAP syntax. To find invalid LDAP queries, use Simulate Sync. Invalid LDAP
queries will cause errors.
For information on common errors that might occur and how to troubleshoot them,
see “Common Issues” on page 113.
Simulate Sync
When you first go to this page, you will see Validation Results. This page will show
a checklist of all the Configuration Manager sections. If you are missing required
information, you will see error messages showing what needs to be added.
Important: This checklist confirms only the minimum needed for synchronization.
You may need to configure additional filters or rules to be sure the results are what
you expect.
Once you’ve completed all required fields, you will be able to use the Simulate
Sync button to simulate a synchronization.
Once you’re ready, click Simulate Sync. You will see the Simulate Sync page.
• Connect to Google Apps and generate a list of users, groups, and shared
contacts.
• Connect to your LDAP directory server and generate a list of users, groups,
and shared contacts.
Note: Simulate Sync will never update or change your LDAP server or your users
in Google Apps. The simulation is strictly for configuration and testing. To run an
actual synchronization, use the command line. See “Synchronization” on
page 109 for more.
If any errors occur, check the error text. Most error text is human readable, but
some error text may contain Java stack trace errors. If you need help
troubleshooting these errors, see “Troubleshooting” on page 113.
If the synchronization was successful, check the Proposed Change Report and
review it for unexpected results.
Note: The Proposed Change Report doesn’t check your delete limits.
If you see any errors or unexpected results, you can go back and change your
configuration to try again. To change your configuration, click on any of the
headings on the left navigation bar.
You can switch between the Validation Results and Simulation Results pages
using the buttons at the bottom of the page. You can also run another simulation
from either page by clicking the Simulate Sync button at the bottom.
Once you are finished, save your configuration file and run synchronization. See
“Synchronization” on page 109.
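The two safeguards described above, the Proposed Change Report and the delete limit, interact in a way that is worth seeing concretely: the report lists every deletion, while the limit only takes effect during a real run. The following is an added example, not code from the guide or from the utility. The user sets are constructed, and it assumes that a percentage limit is taken against the users currently in Google Apps and rounded down, which the guide does not specify.

```python
from dataclasses import dataclass

# Constructed directory snapshots (not from the guide): the user sets the
# utility would build from Google Apps and from LDAP after the search and
# exclusion rules have been applied.
GOOGLE_USERS = {"maria", "jorge", "li", "nadia", "omar", "priya",
                "sven", "tariq", "uma", "wei"}
LDAP_USERS = {"maria", "jorge", "li", "nadia", "zoe"}


@dataclass
class ProposedChanges:
    additions: set
    deletions: set


def proposed_changes(google, ldap):
    """A minimal Proposed Change Report: users found only in LDAP are to be
    added, users found only in Google Apps are to be deleted. As the guide
    notes, the report itself does not apply delete limits."""
    return ProposedChanges(additions=set(ldap - google),
                           deletions=set(google - ldap))


def max_deletions(limit, current_total):
    """Interpret a delete limit. The guide shows the form "5%"; an absolute
    count such as "3" is accepted here as well. Taking the percentage of the
    users currently in Google Apps and rounding down are assumptions made in
    this example."""
    limit = limit.strip()
    if limit.endswith("%"):
        return int(current_total * float(limit[:-1]) / 100)
    return int(limit)


def check_delete_limit(changes, google, limit):
    """Return (allowed, cap). When the proposed deletions exceed the cap, a
    real run should stop before deleting anything, which is the safeguard the
    guide describes; the simulation would still list all the deletions."""
    cap = max_deletions(limit, len(google))
    return len(changes.deletions) <= cap, cap


if __name__ == "__main__":
    changes = proposed_changes(GOOGLE_USERS, LDAP_USERS)
    print("add:", sorted(changes.additions))
    print("delete:", sorted(changes.deletions))
    for limit in ("5%", "60%", "3"):
        ok, cap = check_delete_limit(changes, GOOGLE_USERS, limit)
        print(f"limit {limit}: cap {cap}, {'proceed' if ok else 'STOP'}")
```

Six of ten Google Apps users are absent from the LDAP result here, so a 5% limit (cap 0) or an absolute limit of 3 stops the run, while 60% lets it through. That is exactly the situation a too-narrow search rule or a misconfigured base DN produces: read the deletion list in the simulation before trusting the limit to catch it, because the limit halts the run but does not tell you which rule went wrong.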
Chapter 6
Synchronization
About Synchronization
Run the synchronization command to push your LDAP directory server user
information to Google Apps.
The directory sync utility uses the command sync-cmd to run synchronization.
This simple command line interface gives you the flexibility to incorporate
synchronization into any scheduling or batch script you wish to use.
Before you can synchronize Google Apps with your LDAP directory server, you
must create rules that detail how to connect to both servers, and what filters and
rules to use. These rules are stored in an XML file. To create this XML file, run
Configuration Manager. For more information about Configuration Manager, see
“Configuration” on page 31.
Most administrators run their first synchronization manually to test the process,
import an initial set of users, and confirm the changes. After initial synchronization
with the command line, you can set up automatic scheduling for future
synchronization.
sync-cmd
Run without any arguments, this command gives an error and directs you to run
sync-cmd -h for help.
sync-cmd -a -c [filename]
Replace [filename] with the name of the XML file you created in the
Configuration Manager.
Synchronization options
The table below describes the possible arguments to the sync-cmd command. You
can also see this information by running the following:
sync-cmd -h
Option Values
Scheduling Synchronization
Once you have successfully run a manual synchronization, you can set up
automatic synchronization. Use existing third-party scheduling software to
automate synchronization.
In most cases, scheduling twice a week is recommended. The exact timing will
vary based on the number of users you have and how often you need to update
them. A large company with many users changing frequently may need to run the
directory sync utility daily, while a small company with few changes may not need
to run the utility more than once a week.
The exact method to schedule this task depends on the operating system in which
the directory sync utility is installed. In Microsoft Windows, use Scheduled Tasks.
In Linux or Solaris, use cron. Steps for how to do this are listed below. You can
also use any other scheduling software that can launch commands from the
command line interface.
To schedule a task
3. Complete the Scheduled Task wizard using the following information. (Steps
may vary depending on your version of Microsoft Windows.)
Replace [path] with the path where the directory sync utility was
installed. Replace [filename] with the name of the XML file you created
in the Configuration Manager.
4. Test the scheduled task by running it manually once. In the Scheduled Tasks
window, right-click the task you created and select Run from the right-click
menu. Check the log file for errors.
Note: These steps apply to most common Linux and Solaris configurations. Linux
and Solaris are third-party products and are not supported directly by the Google
(or Postini) team. In the event of an issue with cron, contact your administrator.
The syntax of this line will depend on your operating system and version of
cron. For instance, to schedule the task to run at 3:30 AM twice per week, on
Monday and Thursday, add the following entry:
30 3 * * 1,4 [path]/sync-cmd -a -c [filename]
Replace [path] with the path where the directory sync utility was
installed. Replace [filename] with the name of the XML file you created in the
Configuration Manager.
Chapter 7
Troubleshooting
About Troubleshooting
This chapter covers information about how to troubleshoot problems that may
occur with Google Apps Directory Sync.
For information about LDAP queries, see “LDAP Queries” on page 23.
Common Issues
The following describes common issues and questions related to Google Apps
Directory Sync.
Configuration Manager
When creating an exception rule, the dialog box does not have an OK button.
You may be using a font that is too large for the screen. The dialog box does not
work with Extra Large Fonts or Large Fonts. Change your font size, or edit your
XML file directly.
What port numbers should be used in Google Apps Directory Sync when
connecting to a Global Catalog server?
By default, Google Apps Directory Sync connects to an LDAP server on the
standard LDAP port 389 to query users from a single domain/LDAP server.
If you need to query users over multiple domains/LDAP servers that have a trust
relationship, configure Google Apps Directory Sync to connect to a Global Catalog
server on the standard Global Catalog server port 3268.
User Sync Errors
Confirm that you are using the Premier, Partner, or Educational Edition of Google
Apps. Google Apps Directory Sync is not compatible with Standard Edition or
Team Edition.
Google Apps Directory Sync is unable to detect suspended users, and will not try
to delete them. If Google Apps Directory Sync tries to add a suspended user, you
will see an error message: EntityAlreadyExists (1300).
You attempted to add more users than you have licensed seats. Contact your
sales representative to purchase more user licenses, or change your LDAP
queries to synchronize fewer users.
The directory sync utility tried to add a user who was deleted. When you delete a
user, you can’t add that user until 5 days pass. Wait 5 days, or contact support for
help.
Where can I find a list of other error messages and their meanings?
Other error messages are listed in the Error Codes section of the Google Apps
Provisioning API Developer’s Guide.
Synchronization Rules
Check the scope of the rule. You may need to set the scope to SUBTREE.
Check the Group Search Attribute in LDAP Configuration. This is the field that
contains the email address of a group. In most cases, this will be mail.
You cannot create an LDAP rule to exclude users in a specific LDAP organization.
Instead, limit the authority of the LDAP Administrator you use, removing access to
any OUs you do not want to synchronize.
The proxy environment requires a password challenge for external web access.
The directory sync utility can use a proxy server but cannot respond to password
challenges. To run synchronization, you will need to change your network setup to
allow the directory sync utility to connect without a password challenge, or without
a proxy server.
You can also upgrade the file with the following command-line executable:
upgrade-config -c [filename]
Note: Configuration files for version 1.3.11 or later are not compatible with earlier
versions.
You will need to download an LDAP browser. An LDAP browser allows you to
browse through an LDAP directory server and identify all fields and values. Many
directory servers do not include a complete LDAP browser. For information on
LDAP browsers, see “Useful LDAP Tools” on page 16.
How can I get password sync to work?
Google Apps Directory Sync supports two encoding formats: SHA-1 and MD5.
Specify the name of the attribute that contains the password. Google Apps does
not return the encoded password, so every time you run a synchronization the
report will show that all users had their passwords updated.
To synchronize passwords from LDAP, you will need an LDAP attribute that stores
passwords in plain text, MD5 or SHA1 format. Before you begin configuration, find
out what encryption format your LDAP directory server uses for passwords. By
default, Active Directory and Lotus Domino directory servers do not include these
passwords.
If you wish to synchronize passwords, you can synchronize for all users (if you
want to manage passwords in LDAP) or only for new users (if you want to manage
passwords in Google Apps).
If your LDAP directory server does not support passwords in the format that
Google Apps Directory Sync uses, consider the following options:
• Specify a default password for new users and force new users to change their
password on first login.
• Use a plaintext attribute, and force new users to change their password on
first login.
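Before enabling password sync it helps to know, per account, which of the three formats the guide lists the LDAP attribute actually holds, and which accounts are stored in plain text. The following is an added example, not code from the guide or from the utility. It assumes the RFC 2307 layout that OpenLDAP uses for userPassword, a scheme prefix such as {SHA} or {MD5} followed by the base64 digest; whether Google Apps Directory Sync expects exactly that layout is not stated in the guide and is an assumption here. All sample values are constructed.

```python
import base64
import hashlib
import hmac


def encode_password(scheme, password):
    """Produce an unsalted {SHA} or {MD5} value for a constructed sample.
    The prefix-plus-base64 layout is the RFC 2307 convention (assumption)."""
    algo = {"SHA": hashlib.sha1, "MD5": hashlib.md5}[scheme]
    digest = algo(password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def _ssha_sample():
    # Salted SHA, which the guide does not list; built only so the classifier
    # has an "unsupported" case to reject. Salt and password are constructed.
    salt = b"salt"
    digest = hashlib.sha1(b"constructed-sample-4" + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed userPassword values for four imaginary accounts.
SAMPLE_VALUES = {
    "maria": encode_password("SHA", "constructed-sample-1"),
    "jorge": encode_password("MD5", "constructed-sample-2"),
    "li": "constructed-sample-3",   # stored in plain text
    "nadia": _ssha_sample(),
}


def classify(value):
    """Return 'sha1', 'md5', 'plaintext' or 'unsupported' for one value.
    Anything without a {SCHEME} prefix is treated as plain text."""
    if not value.startswith("{") or "}" not in value:
        return "plaintext"
    scheme, _, payload = value[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "unsupported"
    if scheme.upper() == "SHA" and len(raw) == 20:
        return "sha1"
    if scheme.upper() == "MD5" and len(raw) == 16:
        return "md5"
    return "unsupported"


def audit(values):
    """Group users by the format of their password attribute, so an admin can
    see which accounts will not sync and which are held in plain text."""
    summary = {}
    for user, value in values.items():
        summary.setdefault(classify(value), []).append(user)
    return summary


def verify(value, candidate):
    """Check a candidate password against a stored value in one of the two
    supported unsalted formats (or plain text), using a constant-time compare.
    Only the base64 payload is compared, so {sha} and {SHA} both work."""
    kind = classify(value)
    if kind == "plaintext":
        return hmac.compare_digest(value.encode("utf-8"), candidate.encode("utf-8"))
    if kind in ("sha1", "md5"):
        scheme = "SHA" if kind == "sha1" else "MD5"
        stored = value.split("}", 1)[1]
        expected = encode_password(scheme, candidate).split("}", 1)[1]
        return hmac.compare_digest(stored, expected)
    return False


if __name__ == "__main__":
    for fmt, users in sorted(audit(SAMPLE_VALUES).items()):
        print(f"{fmt:12s} {', '.join(users)}")
```

The audit output is the list to review before you decide between the two options the guide gives: accounts reported as plaintext are the ones where the "default password plus forced change on first login" route avoids ever copying the stored value, and accounts reported as unsupported (salted or other schemes) will not sync at all. Unsalted SHA-1 and MD5 are deterministic, which is what makes the format syncable but also what makes those stored values weak against offline guessing if the attribute is exposed, so restrict read access to the attribute to the LDAP account the utility uses.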
An LDAP query that includes a wildcard isn’t working with Lotus Domino LDAP
Lotus Domino has a setting for “Minimum characters for wildcard search” that
controls how wildcard LDAP searches work. Update your search to include more
characters, or change this setting to a lower number.
System Tests
If you encounter problems, use the tests in Configuration Manager to find the
problem:
1. In Configuration Manager, open the XML file you are using for configuration.
2. Under LDAP Connections, click Test Connection to confirm you can connect
to your LDAP server.
3. Under Notifications, click Test Notification to confirm you can send a test
notification.
4. Under Simulate Sync, confirm you have filled out all required fields.
If you encounter any problems, note which tests failed and confirm that the
configuration information is correct for those sections of Configuration Manager.
Escalating Problems
If you are unable to run directory sync, and cannot resolve the problem using
system tests, collect the following information for troubleshooting:
• The most current sync log file, located in the folder where the directory sync
utility is installed.
• The version number of the directory sync utility you are running. You can find
this in the Configuration Manager UI by going to Help->About, or you can run
the command sync-cmd -V.
• The current config file you are using. This is an XML file (default name
sync.xml) located in the same folder where the directory sync utility is
installed.
• The brand and version of the LDAP directory server you're using.
• The operating system on the machine where the directory sync utility is
running.
Once you have collected this information, check the help center or contact support
for help.
http://google.com/apps/directorysync
http://www.google.com/support/a/bin/answer.py?answer=60233