Use LDAP search rules to synchronize data

You can use LDAP search rules to synchronize data from your LDAP directory server to your Google Account with Google Cloud Directory Sync (GCDS). Data that matches the search rule is synchronized to your Google Account. Data that doesn't match the search rule is removed.

Important: Google does not debug or provide support for LDAP queries.

Basic LDAP query syntax

Operator      Character   Use
Equals        =           Requires an attribute to have the given value, for example (objectClass=user).
Any           *           On its own (attr=*) it is a presence filter: the attribute must have at least one value, that is, it must not be NULL. Inside a value it is a wildcard for substring matches, for example (mail=test*).
Parentheses   ( )         Enclose every filter and group filters so the logical operators can be applied to them.
And           &           Prefix operator that joins filters: every filter in the list must match, for example (&(objectClass=user)(mail=*)).
Or            |           Prefix operator that joins filters: at least one filter in the list must match, for example (|(objectCategory=person)(objectCategory=group)).
Not           !           Negates a single filter: matches entries that the enclosed filter does not match, for example (!(mail=test*)).

You can create any custom LDAP search query as long as it complies with RFC 2254 (since superseded by RFC 4515, which keeps the same string representation of search filters).

How to add an LDAP search rule

You can apply the steps to any type of search rule.

  1. In Configuration Manager, go to User Accounts and then Search Rules.
  2. Click Add Search Rule.
  3. From the menu, choose the scope of the search rule. The scope sets which entries under the Base DN are searched; the rule is then applied to those entries:
    • Sub-tree—The Base DN entry and every entry beneath it, at any depth. This is the usual choice for sync rules.
    • One-level—Only the entries directly beneath the Base DN, not the Base DN entry itself and not deeper levels.
    • Object—Only the entry at the Base DN itself. This scope is rarely used for sync rules, because it can match at most one entry.
  4. In the Rule field, enter the search rule using LDAP search query syntax.

    See examples below.

  5. In the Base DN field, choose an option:
    • Enter the Base DN.
    • Leave the field blank to use the base DN specified on the LDAP Connection page.
  6. Click OK.
  7. (Optional) To add another search rule, repeat the steps.

LDAP search rules and exclusion rules

You can specify to ignore certain attributes of search rules with exclusion rules. Use exclusion rules to exclude data on the LDAP directory server that you don’t want synchronized to your Google Account. For example, you can use an LDAP query to specify that all email addresses should be synchronized and then use an exclusion rule to ignore any email addresses that begin with a certain string. For details, see Use exclusion rules with GCDS.

Examples

The following examples are general and might not apply to your environment.

Common LDAP queries
Each entry below states what the query returns, followed by the LDAP search query.

All objects (note: can cause load problems on the directory server)
  (objectClass=*)

All user objects that are designated "person"
  (&(objectClass=user)(objectCategory=person))

Only groups (mailing lists)
  (objectCategory=group)

Only public folders
  (objectCategory=publicfolder)

All user objects except those with primary email addresses that begin with "test"
  (&(&(objectClass=user)(objectCategory=person))(!(mail=test*)))

All user objects except those with primary email addresses that end with "test"
  (&(&(objectClass=user)(objectCategory=person))(!(mail=*test)))

All user objects except those with primary email addresses that contain the word "test"
  (&(&(objectClass=user)(objectCategory=person))(!(mail=*test*)))

All user objects that are designated "person", plus all group objects (groups and distribution lists)
  (|(&(objectClass=user)(objectCategory=person))(objectCategory=group))

All user objects that are designated "person", all group objects, and all contacts, excluding any object that has a value in extensionAttribute9
  (&(|(|(&(objectClass=user)(objectCategory=person))(objectCategory=group))(objectClass=contact))(!(extensionAttribute9=*)))

All users who are members of the group identified by the DN "CN=Group,CN=Users,DC=Domain,DC=com" (the DN in the filter must match the group's DN exactly)
  (&(objectClass=user)(objectCategory=person)(memberof=CN=Group,CN=Users,DC=Domain,DC=com))

All users, by directory type
  Active Directory: (&(objectCategory=person)(objectClass=user))
  OpenLDAP: (objectClass=inetOrgPerson)
  HCL Domino (formerly IBM Domino): (objectClass=dominoPerson)

All objects with a mail address that are designated "person", "group" or mail-in database (in a Domino LDAP directory)
  (&(|(objectClass=dominoPerson)(objectClass=dominoGroup)(objectClass=dominoServerMailInDatabase))(mail=*))

All active (not disabled) users that have email addresses in Active Directory. The extensible match with OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests bit 2 (ACCOUNTDISABLE) of userAccountControl.
  (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All users who are members of either Group_1 or Group_2, as identified by the group DNs
  (&(objectClass=user)(objectCategory=person)(|(memberof=CN=Group_1,cn=Users,DC=Domain,DC=com)(memberof=CN=Group_2,cn=Users,DC=Domain,DC=com)))

All users who have an extensionAttribute1 value of "Engineering" or "Sales" (Active Directory user objects have objectCategory "person", not "user", so the user test is the usual objectClass=user plus objectCategory=person pair)
  (&(objectClass=user)(objectCategory=person)(|(extensionAttribute1=Engineering)(extensionAttribute1=Sales)))

Optimizing your search rules

You can optimize search rules to improve sync performance.

Example 1: Match users

Basic rule: Match all users

User email attribute: mail

User search rule: (&(objectClass=user)(objectCategory=person))
Returns all users, including those that don't have an email address. However, as GCDS only syncs users that have email addresses, the users that don't have email addresses are subsequently discarded.

Optimized rule: Match all users that have an email address

User search rule: (&(objectClass=user)(objectCategory=person)(mail=*))

Returns only users that have an email address. The sync performs more efficiently as the LDAP server and GCDS don't have to process entries that would otherwise be discarded.

Example 2: Match users using email address

Basic rule: Match all users that have an email address 

User search rule: (&(objectClass=user)(objectCategory=person)(mail=*))

User exclusion rule details:

  • Exclusion Type: User Email Address
  • Match Type: Regular Expression
  • Exclusion Rule: ^test
Returns all users that have email addresses. GCDS then uses an exclusion rule to exclude users whose email address starts with test.

Optimized rule: Match all users with email address that matches string

User search rule: (&(objectClass=user)(objectCategory=person)(mail=*)(!(mail=test*)))

Returns users with an email address that doesn't start with test. The LDAP server and GCDS don’t have to process entries that would otherwise be discarded.
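The following Python script is an added example; it is not part of this Help page and not GCDS code. It implements a small evaluator for the filter syntax in the table above (prefix &, |, !, equality, presence and substring items, and Active Directory's bitwise-AND matching rule 1.2.840.113556.1.4.803) and runs the queries from the examples and from the optimization section against a constructed, AD-shaped sample directory, so you can see how many entries each rule returns before you put it into Configuration Manager. The entries, DNs and addresses are made up for the example, the script does not contact a directory server, and objectCategory is stored as a short class name (a real AD server stores a DN and resolves objectCategory=person for you).

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, as used in the userAccountControl example
# Constructed sample directory shaped like Active Directory (not real data). objectCategory holds a short
# class name; userAccountControl 512 = normal account, 514 = normal account with ACCOUNTDISABLE (bit 2) set.
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "CN=alice,CN=Users,DC=Domain,DC=com": {
        "objectClass": USER, "objectCategory": ["person"], "mail": ["alice@example.com"],
        "userAccountControl": ["512"], "extensionAttribute1": ["Engineering"],
        "memberOf": ["CN=Group_1,CN=Users,DC=Domain,DC=com"]},
    "CN=bob,CN=Users,DC=Domain,DC=com": {  # no mail attribute: GCDS would discard this user anyway
        "objectClass": USER, "objectCategory": ["person"], "userAccountControl": ["512"]},
    "CN=test.user,CN=Users,DC=Domain,DC=com": {
        "objectClass": USER, "objectCategory": ["person"], "mail": ["test.user@example.com"],
        "userAccountControl": ["512"], "extensionAttribute1": ["Sales"],
        "memberOf": ["CN=Group_2,CN=Users,DC=Domain,DC=com"]},
    "CN=carol,CN=Users,DC=Domain,DC=com": {  # disabled account
        "objectClass": USER, "objectCategory": ["person"], "mail": ["carol@example.com"],
        "userAccountControl": ["514"]},
    "CN=Group_1,CN=Users,DC=Domain,DC=com": {
        "objectClass": ["top", "group"], "objectCategory": ["group"], "mail": ["group1@example.com"]},
}
ITEM = re.compile(r"([A-Za-z][\w.;-]*)(?::([\w.]+):)?=(.*)")  # attr=value or attr:rule:=value

def parse(text):
    """Parse an RFC 4515 filter string into a tuple tree; raises ValueError on malformed syntax."""
    s = text.strip()
    if not s.startswith("("):  # tolerate a bare "attr=value" (RFC 4515 strictly requires parentheses)
        s = "(" + s + ")"
    node, pos = _parse_filter(s, 0)
    if pos != len(s):  # e.g. two filters side by side with no & or | joining them
        raise ValueError("trailing characters after filter: %r" % s[pos:])
    return node

def _parse_filter(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, index just past its ')')."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|":  # prefix AND / OR over a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif i < len(s) and s[i] == "!":  # NOT applies to exactly one sub-filter
        kid, i = _parse_filter(s, i + 1)
        node = ("!", [kid])
    else:  # simple item (\XX value escapes are not decoded in this toy)
        end = s.find(")", i)
        m = ITEM.fullmatch(s[i:end]) if end >= 0 else None
        if not m:
            raise ValueError("bad filter item at offset %d in %r" % (i, s))
        attr, rule, value = m.groups()
        node = (":", attr, rule, value) if rule else ("=", attr, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d in %r" % (i, s))
    return node, i + 1

def is_valid(rule):
    """True if the rule parses: check a rule here before pasting it into Configuration Manager."""
    try:
        parse(rule)
        return True
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
    if op == ":":  # extensible match; only AD's bitwise-AND rule is supported here
        if node[2] != BIT_AND:
            raise ValueError("unsupported matching rule %s" % node[2])
        return any(int(v) & int(node[3]) == int(node[3]) for v in vals)
    pattern = node[2]
    if pattern == "*":  # presence filter: the attribute has at least one value
        return bool(vals)
    if "*" not in pattern:  # plain equality
        return any(v.lower() == pattern.lower() for v in vals)
    rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)
    return any(rx.match(v) for v in vals)  # substring filter such as test*, *test or *test*

def search(rule, entries=ENTRIES):
    """Return the sorted DNs the rule selects, i.e. what GCDS would read from the directory."""
    node = parse(rule)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))

if __name__ == "__main__":  # entry counts for the basic rule of Example 1 and the optimized rule of Example 2
    for rule in ("(&(objectClass=user)(objectCategory=person))",
                 "(&(objectClass=user)(objectCategory=person)(mail=*)(!(mail=test*)))"):
        print(len(search(rule)), "entries <-", rule)
```

Run it with python3 and compare the counts: the basic rule from Example 1 returns the user without a mail attribute, the optimized rule from Example 2 returns neither that user nor the test address, and the active-users rule drops the account whose userAccountControl has bit 2 set. A query with objectCategory=user returns nothing, because Active Directory user objects have objectCategory person. is_valid() catches an unbalanced parenthesis or two filters placed side by side without a joining & or |, which a directory server would reject as a malformed filter.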

Related topic

Prepare your LDAP directory server 
