Install and prepare GCDS

Prepare your LDAP directory

You can deploy Google Cloud Directory Sync (GCDS) more quickly if you identify your LDAP resources beforehand. First, you need to install an LDAP browser then collect an inventory of your LDAP data.

Install a third-party LDAP browser

To collect information about your LDAP server structure, download and install an LDAP browser, such as Softerra™ LDAP Administrator or JXplorer.

Important: Google doesn't provide support for third-party LDAP browsers.

Collect an inventory of your LDAP data

Identify LDAP server resources

Collect the following information:

  • The host name or IP address of your LDAP server.
    Note: GCDS can only synchronize with one LDAP server.
  • Your network access, proxy servers, and outbound connections.
  • The name and password of an account on your LDAP server with "read" and "execute" permissions. If you want to limit the users and groups you have to synchronize, you can set up an LDAP administrator with limited permissions on your directory server.
  • Confirmation that your LDAP server directory meets all server requirements.

GCDS can only get data from a single LDAP directory. If you have multiple LDAP directories, consider the following:

  • Consolidate: Consolidate your LDAP server data into a single directory. 
  • Test the global catalog: If you have multiple Microsoft® Active Directory® domains, a global catalog may help with your synchronization. If you want to use a global catalog, test the catalog thoroughly before relying on it.
Research your LDAP server structure

Use an LDAP browser to collect the following information about your LDAP server and structure:

  • LDAP base distinguished name (DN): GCDS uses the base DN as the top level for all LDAP queries. Because GCDS searches for users and groups from the base DN, specify a base DN on a level that includes the users and groups you want to synchronize.

    Note: You can use multiple base DNs in a configuration. You can specify a separate base DN for each synchronization rule.

  • LDAP structure information: Identify the LDAP attributes that have important information, such as groups that contain users and other resources you want to sync. Look through your LDAP directory structure using an LDAP browser and examine some sample users and other resources to identify the important LDAP attributes.
  • Identify security groups: Identify security groups that you may want to synchronize. Each group must have a unique email address defined on the group object in order to synchronize correctly.
Clean up your LDAP server data
  • Identify users: Get a list of your organization's current users and identify which ones you want to synchronize with the Google domain.
  • Identify mail-enabled groups: Identify mail-enabled groups that operate as mailing lists, not security groups, to synchronize with the Google domain. You can also set the Google domain to allow users to create and manage their own groups. User-managed groups aren't affected by synchronization.
  • Consider name and password guidelines to ensure that your directory doesn't contain unsupported characters. For details, see Username and group name guidelines
  • (Optional) Populate a password attribute: If you are using a password field in GCDS, create a custom attribute in your LDAP directory for your Google domain users and populate the attribute with a password setting. For details, see Synchronizing passwords.
  • (Optional) Set naming conventions: Identify any email naming conventions you want to use and update users to fit the conventions. 
Mark Google users in the LDAP directory

To simplify your LDAP queries, you should mark all your Google domain users in the LDAP directory before you set up a synchronization.

You can mark the users you plan to synchronize with a descriptive name, such as GoogleUsers. Then, after synchronizations are set up and running correctly, you can mark active Google domain users with a different name, such as GoogleActiveUsers.

You can mark your Google domain users in an LDAP directory by:

  • Organizational unit: Set up an organizational unit and move your Google domain users into the unit.
  • Group: Create a new group in the LDAP directory and add your Google domain users as members of the group.
  • Custom attribute: Create a custom attribute for your users and set the attribute for new users.

You can then configure GCDS to synchronize based on organizational unit, group, or custom attribute, and activate new Google domain users by updating your LDAP server.

Was this helpful?
How can we improve it?