You can use LDAP search rules to synchronize data from your LDAP directory server to your Google Account with Google Cloud Directory Sync (GCDS). Data that matches the search rule is synchronized to your Google Account. Data that doesn't match the search rule is removed.
Important: Google does not debug or provide support for LDAP queries.
Basic LDAP query syntax
| Operator | Character | Use |
|---|---|---|
| Equals | = | Creates a filter that requires a field to have a given value. |
| Any | * | Represents a field that can equal anything except NULL. |
| Parentheses | ( ) | Separates filters to allow other logical operators to function. |
| And | & | Joins filters together. All conditions in the series must be true. |
| Or | | | Joins filters together. At least one condition in the series must be true. |
| Not | ! | Excludes all objects that match the filter. |
You can create any custom LDAP search query as long as it complies with RFC 2254.
How to add an LDAP search rule
You can apply the steps to any type of search rule.
- In Configuration Manager go to User Accounts
Search Rules.
- Click Add Search Rule.
- From the menu, choose an option to select the scope of the search rule:
- Sub-tree—Rule applies to all objects matched by the search and anything under those objects.
- One-level—Rule applies to all objects matched by the search, and anything that's one level underneath.
- Object—Rule only applies to objects directly matched by the search. This scope is rarely used due to load issues.
- In the Rule field, enter the search rule using LDAP search query syntax.
See examples below.
- In the Base DN field, choose an option:
- Enter the Base DN.
- Leave the field blank to use the base DN specified on the LDAP Connection page.
- Click OK.
- (Optional) To add another search rule, repeat the steps.
LDAP search rules and exclusion rules
You can specify to ignore certain attributes of search rules with exclusion rules. Use exclusion rules to exclude data on the LDAP directory server that you don’t want synchronized to your Google Account. For example, you can use an LDAP query to specify that all email addresses should be synchronized and then use an exclusion rule to ignore any email addresses that begin with a certain string. For details, see Use exclusion rules with GCDS.
Examples
The following examples are general and might not apply to your environment.
Common LDAP queries| What does the query return? | LDAP search query |
|---|---|
|
All objects Note: Can cause load problems |
objectClass=* |
| All user objects that are designated "person" | (&(objectClass=user)(objectCategory=person)) |
| Only mailing lists | (objectCategory=group) |
| Only public folders | (objectCategory=publicfolder) |
| All user objects except those with primary email addresses that begin with "test" | (&(&(objectClass=user)(objectCategory=person))(!(mail=test*))) |
| All user objects except those with primary email addresses that end with "test" | (&(&(objectClass=user)(objectCategory=person))(!(mail=*test))) |
| All user objects except those with primary email addresses that contain the word "test" | (&(&(objectClass=user)(objectCategory=person))(!(mail=*test*))) |
| All user and alias objects that are designated "person" and part of a group or distribution list | (|(&(objectClass=user)(objectCategory=person))(objectCategory=group)) |
| All user objects that are designated as a "person", all group objects, and all contacts but excludes those with any value defined as "extensionAttribute9" | (&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*))) |
| All users who are members of the group identified by the DN "CN=Group,OU=Users,DC=Domain,DC=com" | (&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com)) |
| Returns all users |
For Active Directory: (&(objectCategory=person)(objectClass=user)) For OpenLDAP: (objectClass=inetOrgPerson) For HCL Domino: (objectClass=dominoPerson) |
| All objects with the mail address designated as a "person" or "group" (in a Domino LDAP directory) | (&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*)) |
| All active (not disabled) users that have email addresses in Active Directory | (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) |
| All users who are members of either Group_1 or Group_2 as defined by the Group DN | (&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com))) |
| All users who have the extensionAttribute1 value of "Engineering" or "Sales" | (&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales))) |
You can optimize search rules to improve sync performance.
| Example 1: Match users | Use case |
|---|---|
|
Basic rule: Match all users User email attribute: mail User search rule: (&(objectClass=user)(objectCategory=person)) |
Returns all users, including those that don't have an email address. However, as GCDS only syncs users that have email addresses, the users that don't have email addresses are subsequently discarded. |
|
Optimized rule: Match all users that have an email address User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)) |
Returns only users that have an email address. The sync performs more efficiently as the LDAP server and GCDS don’t have to process entries that would otherwise be discarded. |
| Example 2: Match users using email address | Use case |
|---|---|
|
Basic rule: Match all users that have an email address User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)) User exclusion rule details:
|
Returns all users that have email addresses. GCDS then uses an exclusion rule to exclude users whose email address starts with test. |
|
Optimized rule: Match all users with email address that matches string User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)(!(mail=test*))) |
Returns users with an email address that doesn't start with test. The LDAP server and GCDS don’t have to process entries that would otherwise be discarded. |
Related topic
Prepare your LDAP directory server
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
