Install and prepare GCDS

Prepare your LDAP directory

You can deploy Google Cloud Directory Sync (GCDS) more quickly if you identify your LDAP resources beforehand. First, install an LDAP browser. Then, collect an inventory of your LDAP data.

Step 1: Install a third-party LDAP browser

To collect information about your LDAP server structure, download and install an LDAP browser, such as Softerra™ LDAP Administrator or JXplorer.

Important: Google doesn't provide support for third-party LDAP browsers.

Step 2: Collect an inventory of your LDAP data

Identify LDAP server resources

Collect the following information. You’ll enter this information when you set up your LDAP configuration.

  • The host name or IP address of your LDAP server.
  • Your network access, proxy servers, and outbound connections.
  • Whether you should use standard LDAP or LDAP over SSL. For details, see Ensure authentication after Microsoft ADV190023 update.
  • The name and password of an account on your LDAP server with read and execute permissions. If you want to limit the users and groups to synchronize, you can set up an LDAP administrator with limited permissions on your directory server.
  • Confirmation that your LDAP server directory meets all server requirements. See GCDS server.

GCDS can only get data from a single LDAP directory. If you have multiple LDAP directories, consider:

  • Consolidating your LDAP server data into a single directory.
  • Testing the global catalog thoroughly before syncing. If you have multiple Microsoft® Active Directory® domains, a global catalog might help with your synchronization.

Research your LDAP server structure

Use an LDAP browser to collect the following information about your LDAP server and structure:

  • LDAP base distinguished name (DN)—GCDS uses the base DN as the top level for all LDAP queries. Because GCDS searches for users and groups from the base DN, specify a base DN on a level that includes the users and groups you want to synchronize.

    Note: You can use multiple base DNs in a configuration. You can specify a separate base DN for each synchronization rule.

  • LDAP structure information—Identify the LDAP attributes that have important information, such as groups that contain users and other resources you want to sync. Look through your LDAP directory structure using an LDAP browser and examine some sample users and other resources to identify the important LDAP attributes.
  • Identify security groups—Identify security groups that you may want to synchronize. Each group must have a unique email address defined on the group object in order to synchronize correctly.
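
An added example (not part of the GCDS documentation or tooling): a pre-sync check over an LDIF export that lists in-scope groups with no mail value or with an address shared by another group. The sample data, the `group` object class, the `mail` attribute name, and both function names are assumptions; base64-encoded values are not decoded, and the base DN is matched as a plain case-insensitive suffix.

```python
from collections import defaultdict
# Constructed sample export; DNs, addresses and objectClass are illustrative.
SAMPLE_LDIF = """\
dn: cn=Finance,ou=Groups,dc=example,dc=com
objectClass: group
mail: finance@example.com

dn: cn=Finance-EU,ou=Groups,dc=example,
 dc=com
objectClass: group
mail: Finance@example.com

dn: cn=Build Agents,ou=Groups,dc=example,dc=com
objectClass: group

dn: cn=Partners,ou=Groups,dc=partner,dc=test
objectClass: group
"""

def parse_ldif(text):
    """Yield {attr: [values]} per entry; folded lines are joined."""
    text = text.replace("\n ", "")  # RFC 2849 line folding
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr.lower()].append(value.strip())
        if entry.get("dn"):
            yield entry

def audit_group_mail(ldif_text, base_dn, group_class="group"):
    """Return (DNs of in-scope groups without mail, {mail: [DNs]} for shared addresses)."""
    suffix = "," + base_dn.lower()
    missing, by_mail = [], defaultdict(list)
    for e in parse_ldif(ldif_text):
        dn = e["dn"][0]
        classes = [c.lower() for c in e["objectclass"]]
        if not dn.lower().endswith(suffix) or group_class not in classes:
            continue  # outside the base DN, or not a group
        if not e["mail"]:
            missing.append(dn)
        for m in e["mail"]:
            by_mail[m.lower()].append(dn)  # addresses compared case-insensitively
    return missing, {m: d for m, d in by_mail.items() if len(d) > 1}

if __name__ == "__main__":
    print(audit_group_mail(SAMPLE_LDIF, "dc=example,dc=com"))
```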

Clean up your LDAP server data

  • Identify users—Get a list of your organization's current users and identify which ones you want to synchronize with the Google domain.
  • Identify mail-enabled groups—Identify mail-enabled groups that operate as mailing lists, not security groups, to synchronize with the Google domain. You can also set the Google domain to allow users to create and manage their own groups. User-managed groups aren't affected by synchronization.
  • Consider name and password guidelines—Ensure that your directory doesn't contain unsupported characters. For details, see Username and group name guidelines.
  • (Optional) Populate a password attribute—If you are using a password field in GCDS, create a custom attribute in your LDAP directory for your Google domain users and populate the attribute with a password setting. For details, see Synchronizing passwords.
  • (Optional) Set naming conventions—Identify any email naming conventions you want to use and update users to fit the conventions.

Mark Google users in the LDAP directory

To simplify your LDAP queries, you should mark all your Google domain users in the LDAP directory before you set up a synchronization.

You can mark the users you plan to synchronize with a descriptive name, such as GoogleUsers. Then, after synchronizations are set up and running correctly, you can mark active Google domain users with a different name, such as GoogleActiveUsers.

You can mark your Google domain users in an LDAP directory by:

  • Organizational unit—Set up an organizational unit and move your Google domain users into the unit.
  • Group—Create a new group in the LDAP directory and add your Google domain users as members of the group.
  • Custom attribute—Create a custom attribute for your users and set the attribute for new users.

You can then configure GCDS to synchronize based on organizational unit, group, or custom attribute, and activate new Google domain users by updating your LDAP server.
