Duet AI is now Gemini for Google Workspace. Learn more

Install & prepare GCDS

2. Prepare your LDAP directory

You can deploy Google Cloud Directory Sync (GCDS) more quickly if you identify your LDAP resources beforehand.

You're on step 2 of 5

Step 1: Install a third-party LDAP browser

To collect information about your LDAP server structure, download and install an LDAP browser, such as Softerra LDAP Administrator or JXplorer.

Important: Google doesn't provide support for third-party LDAP browsers.

Step 2: Collect an inventory of LDAP data

Collect this information:

  • Host name or IP address of your LDAP server.
  • Your network access, proxy servers, and outbound connections.
  • Whether you should use a standard LDAP or LDAP over SSL connection. For details, go to Ensure authentication after Microsoft ADV190023 update.
  • Name and password of an account on your LDAP server with read and execute permissions. If you want to limit the users and groups to synchronize, you can set up an LDAP administrator with limited permissions on your directory server.
  • Confirmation that your LDAP server directory meets all server requirements. For details, go to LDAP server.

GCDS can only get data from a single LDAP directory. If you have multiple LDAP directories, consider:

  • Consolidating your LDAP server data into a single directory. 
  • If you have multiple Microsoft Active Directory domains, syncing from a global catalog (using port 3268 or 3269) might help with your synchronization.

    Note: Test this thoroughly using a simulation before doing a full sync. This is because global catalog data differs from the main domain partition data.

Step 3: Research LDAP server structure

Use an LDAP browser to collect the following information about your LDAP server and structure:

  • LDAP base distinguished name (DN)—GCDS uses the base DN as the top level for all LDAP queries. Because GCDS searches for users and groups from the base DN, specify a base DN on a level that includes the users and groups that you want to sync.
    Note: You can use multiple base DNs in a configuration. You can specify a separate base DN for each sync rule.
  • LDAP structure information—Identify the LDAP attributes that have important information, such as groups that contain users and other resources that you want to sync. Look through your LDAP directory structure using an LDAP browser. Examine some sample users and other resources to identify the important LDAP attributes.
  • Security groups—Identify security groups that you might want to sync. Each group must have a unique email address defined on the group object to sync correctly.

Step 4: Clean up LDAP server data

  • Identify users—Get a list of your organization's current users and identify the ones that you want to sync with the Google domain.
  • Locate mail-enabled groups—Identify mail-enabled groups that operate as mailing lists, not security groups, to sync with the Google domain. You can also set the Google domain to allow users to create and manage their own groups. User-managed groups aren't affected by synchronization.
  • Consider name and password guidelines—Ensure that your directory doesn't contain unsupported characters. For details, see the naming guidelines
  • (Optional) Populate a password attribute—If you’re using a password field in GCDS, create a custom attribute in your LDAP directory for your Google domain users. Populate the attribute with a password setting. For details, see How will you synchronize passwords?
  • (Optional) Set naming conventions—Identify any email naming conventions that you want to use. Update users to fit the conventions. 

Step 5: Mark Google users in the LDAP directory

To simplify your LDAP queries, you should mark all your Google users in the LDAP directory before you set up a synchronization. You can mark your Google users using:

  • Descriptive name—In your LDAP directory, mark the users that you plan to sync with a descriptive name, such as GoogleUsers. Then, after your sync is set up and running correctly, you can mark active Google users with a different name, such as GoogleActiveUsers.
  • Organizational unit—In your LDAP directory, set up an organizational unit and move your Google users into it. Set up GCDS to only sync users from the organizational unit. 
  • Group—Create a new group in the LDAP directory and add your Google users as members of the group. Set up GCDS to only read members from the group.
  • Custom attribute—Create a custom attribute for your Google users and set the attribute for new users. Set up GCDS to only read users that have the attribute.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center