Use LDAP search rules to synchronize data

You can use LDAP search rules to synchronize data from your LDAP directory server to your organization's Google Account with Google Cloud Directory Sync (GCDS). When you add a search rule, data that matches the search rule is synchronized during your next sync. Data that doesn't match the search rule is removed.

Important: Google does not debug or provide support for LDAP queries.

Basic LDAP query syntax

You can create any custom LDAP search query as long as it complies with RFC 2254.

Operator Character Use
Equals = Creates a filter that requires a field to have a given value.
Any * Represents a field that can equal anything except NULL.
Parentheses ( ) Separates filters to allow other logical operators to function.
And & Joins filters together. All conditions in the series must be true.
Or | Joins filters together. At least one condition in the series must be true.
Not ! Excludes all objects that match the filter.

Add an LDAP search rule

You can use these steps for any type of search rule.

  1. In Configuration Manager, go to User Accountsand thenSearch Rules.
  2. Click Add Search Rule.
  3. From the menu, choose an option to select the scope of the search rule:
    • Sub-tree—The search rule applies to the base DN object and all of its child objects.
    • One-level—The search rule applies to the immediate children of the base DN object but excludes the base DN itself.
    • Object—The search rule applies to only the base DN object.
  4. For Rule, enter the search rule using LDAP search query syntax.

    See examples below.

  5. For Base DN, choose an option:
    • Enter the base DN.
    • Leave the field blank to use the base DN specified on the LDAP Connection page.
  6. Click Test LDAP Query to check the results of your query.
    You can review the number of objects found and the first 5 results. Results don't include users without an email address.
  7. Click OK.
  8. (Optional) To add another search rule, repeat the steps.

Exclude data from a search rule

Exclusion rules

You can use exclusion rules to exclude data on the LDAP directory server that you don’t want synchronized to your organization's Google Account. For example, you can use an LDAP search rule to specify that all email addresses should be synchronized. Then, use an exclusion rule to ignore any email addresses that begin with a certain string.

Users search queries

With a users search query, GCDS identifies the users in your Google Account that match the results of the query. If a Google user doesn’t match the results, GCDS performs the sync as if the user doesn’t exist. 

If you're using a users search query, make sure that the LDAP search rules don't return users that exist in Google but aren't included in the query results. Otherwise, GCDS attempts to create the users during every sync.

For example, yuri@altostrat.com exists in your Google Account and is also returned in the LDAP search rule. If you use email:m* as the users search query, GCDS tries to create yuri@altostrat.com during every sync because yuri@altostrat.com doesn't start with the letter m.

For more details, go to Omit data with exclusion rules & queries.

LDAP query & search rule examples

The following examples are general and might not apply to your environment. Any line breaks are for page formatting only.

Expand section  |  Collapse all & go to top

Basic LDAP queries
  • All objects (can cause load problems)

    objectClass=*

  • All user objects that are designated "person"

    (&(objectClass=user)(objectCategory=person))

  • Only mailing lists

    (objectCategory=group)

  • Only public folders

    (objectCategory=publicfolder)

  • All user objects except those with primary email addresses that begin with "test"

    (&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

  • All user objects except those with primary email addresses that end with "test"

    (&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

  • All user objects except those with primary email addresses that contain the word "test"

    &(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

Specific LDAP queries
  • All user and alias objects that are designated "person" and part of a group or distribution list

    (|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

  • All user objects that are designated as a "person", all group objects, and all contacts except those with any value defined as "extensionAttribute9"

    (&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

  • All users who are members of the group identified by the DN "CN=Group,CN=Users,DC=Domain,DC=com"

    (&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com))

  • Returns all users
    • For Active Directory: (&(objectCategory=person)(objectClass=user))
    • For OpenLDAP: (objectClass=inetOrgPerson)
    • For HCL Domino: (objectClass=dominoPerson)
  • All objects with the mail address designated as a "person" or "group" (in a Domino LDAP directory)

    (&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

  • All active (not disabled) users that have email addresses in Active Directory

    (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

  • All users who are members of either Group_1 or Group_2 as defined by the group DN

    (&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

  • All users who have the extensionAttribute1 value of "Engineering" or "Sales"

    (&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))

  • Recursively retrieve the group members nested under the specified group in Active Directory

    (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.11356.1.4.1941:=CN=MyGroup,CN=Users,DC=domain,DC=com))

  • Group membership query with ObjectGUID in Active Directory. The hexadecimal value of the ObjectGUID attribute of a group is 4e542fe785b1bb274e542fe785b1bb27

    (&(objectCategory=person)(objectClass=user)(memberOf=GUID=4e542fe785b1bb274e542fe785b1bb27))

Optimize your search rules

You can optimize search rules to improve sync performance.

Example 1: Return users with email address Use case
User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)) Instead of using a basic rule to return all users, optimize your rule by using the mail= query.

The sync performs more efficiently as the LDAP server and GCDS don't have to process entries that would otherwise be discarded.
Example 2: Return users with email address matching string Use case
User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)(!(mail=sales*))) Instead of using a basic rule and an exclusion rule to return all users with an email address that doesn't have sales, use an optimized rule with a matching string.

The LDAP server and GCDS don't have to process entries that would otherwise be discarded. And, you don't have to set up an exclusion rule or consider the priority level.

Related topic

Prepare your LDAP directory


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

true
' data-mime-type=
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
true
false
true
true
73010
false
false