Use LDAP search rules to synchronize data

Google Cloud Directory Sync (GCDS) uses LDAP search rules to synchronize data from your LDAP directory server to your Google domain. Data that matches the search rule is synchronized to your Google domain. Data that doesn't match the search rule is removed.

Before you begin

Important: Google does not debug or provide support for LDAP queries.

Basic LDAP query syntax
Operator      Character   Use
Equals        =           Creates a filter that requires a field to have a given value.
Any           *           Represents a field that can equal anything except NULL.
Parentheses   ( )         Separates filters to allow other logical operators to function.
And           &           Joins filters together. All conditions in the series must be true.
Or            |           Joins filters together. At least one condition in the series must be true.
Not           !           Excludes all objects that match the filter.

You can create any custom LDAP search query as long as it complies with RFC 2254.

How to add an LDAP search rule

The example shows how to add a user search rule. You can apply the steps to any type of search rule.

  1. In Configuration Manager, go to User Accounts > Search Rules.
  2. Click Add Search Rule.
  3. Select the Scope of the search rule. From the drop-down menu, select one of the following:
    • Sub-tree: The rule applies to all objects matched by the search and anything under those objects.
    • One-level: The rule applies to all objects matched by the search, and anything one level underneath.
    • Object: The rule only applies to objects directly matched by the search. The object scope is rarely used, due to load issues.
  4. Enter the user search rule. For example, to match all LDAP entities, enter objectClass=*
  5. (Optional) Select the Base DN.
  6. Click OK.

Common LDAP queries
Returns all objects, which can cause load problems:
objectClass=*

Returns all user objects that are designated “person”:
(&(objectClass=user)(objectCategory=person))

Returns only mailing lists:
(objectCategory=group)

Returns only public folders:
(objectCategory=publicfolder)

Returns all user objects except those with primary email addresses that begin with “test”:
(&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

Returns all user objects except those with primary email addresses that end with “test”:
(&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

Returns all user objects except those with primary email addresses that contain the word “test” :
(&(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

Returns all user and alias objects that are designated “person” and part of a group or distribution list:
(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

Returns all user objects that are designated as a “person”, all group objects, and all contacts, but excludes any object that has a value set for extensionAttribute9:
(&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

Returns all users who are members of the group identified by the DN “CN=Group,CN=Users,DC=Domain,DC=com”:
(&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com))

Returns all users:

  • For a Microsoft® Active Directory® LDAP server: (&(objectCategory=person)(objectClass=user))
  • For an OpenLDAP™ server: (objectClass=inetOrgPerson)
  • For an IBM® Notes® Domino LDAP server: (objectClass=dominoPerson)

Searches an IBM Notes Domino LDAP directory for all objects that have a mail address and are designated as a “person”, a “group”, or a server mail-in database:
(&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

Returns all active (not disabled) Active Directory users that have email addresses:
(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Returns all users who are members of either Group_1 or Group_2, as identified by the group DN:
(&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

Returns all users whose extensionAttribute1 value is “Engineering” or “Sales”:
(&(objectCategory=user)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))
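Because anything a search rule does not match is removed from the Google domain, it pays to check a rule against known entries before enabling a sync. The following is an added example, not GCDS code or Google's: a small Python evaluator for the RFC 2254 operators in the table above, plus the Active Directory bitwise-AND matching rule (1.2.840.113556.1.4.803) used in the userAccountControl query, run over a constructed sample directory. Entry contents, DNs and the `select` helper are assumptions made for the illustration.

```python
import re
# Minimal RFC 2254 filter evaluator for the operators the article lists, plus the
# Active Directory bitwise-AND matching rule used in the userAccountControl query.
BIT_AND = "1.2.840.113556.1.4.803"

def _parse(s, i):  # parse one "(...)" filter starting at s[i]; return (tree, index after it)
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                        # compound: (&(..)(..)), (|(..)(..)), (!(..))
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i == len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    j = s.index("=", i)                      # simple filter: the first '=' splits attr and value
    end = s.index(")", j)
    return ("=", s[i:j], s[j + 1:end]), end + 1

def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):             # GCDS also accepts a bare objectClass=*
        text = f"({text})"
    tree, i = _parse(text, 0)
    if i != len(text): raise ValueError("unbalanced parentheses in filter")
    return tree

def matches(tree, entry):  # entry: lower-cased attribute name -> list of string values
    op = tree[0]
    if op == "&": return all(matches(k, entry) for k in tree[1])
    if op == "|": return any(matches(k, entry) for k in tree[1])
    if op == "!": return not matches(tree[1][0], entry)
    attr, value = tree[1].lower(), tree[2]
    if ":" in attr:                          # extensible match  attr:OID:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND: raise ValueError(f"unsupported matching rule {rule}")
        return any(int(v) & int(value) == int(value) for v in entry.get(attr, []))
    if value == "*": return attr in entry    # presence test, e.g. (mail=*)
    regex = "^" + ".*".join(map(re.escape, value.split("*"))) + "$"
    return any(re.match(regex, v, re.I) for v in entry.get(attr, []))

# Constructed sample directory (not real data): enabled user, disabled test account (514 = 512 | ACCOUNTDISABLE 2), group.
SAMPLE = [
    {"dn": ["CN=Alice,CN=Users,DC=Domain,DC=com"], "objectclass": ["person", "user"], "objectcategory": ["person"],
     "mail": ["alice@example.com"], "useraccountcontrol": ["512"], "memberof": ["CN=Group_1,CN=Users,DC=Domain,DC=com"]},
    {"dn": ["CN=test.bob,CN=Users,DC=Domain,DC=com"], "objectclass": ["person", "user"], "objectcategory": ["person"],
     "mail": ["test.bob@example.com"], "useraccountcontrol": ["514"]},
    {"dn": ["CN=Group_1,CN=Users,DC=Domain,DC=com"], "objectclass": ["group"], "objectcategory": ["group"]},
]

def select(filter_text, entries=SAMPLE):  # DNs the rule keeps; GCDS would remove everything else
    return [e["dn"][0] for e in entries if matches(parse_filter(filter_text), e)]
```

Feeding a rule such as `(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))` to `select` shows that the disabled test account drops out while the enabled user stays, which is the scope you want to confirm before a real sync run.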

LDAP search rules and exclusion rules

You can specify that certain attributes are ignored by the search rules by using exclusion rules. Exclusion rules allow you to exclude data on the LDAP directory server that you don’t want synchronized into your Google domain. For example, you can use an LDAP query to specify that all email addresses should be synchronized, and use an exclusion rule to ignore those email addresses that begin with "test." For details, see Use exclusion rules with GCDS.
