Set up your sync with Configuration Manager

Configuration Manager walks you through the process of creating and testing a configuration file for Google Cloud Directory Sync (GCDS). You open Configuration Manager from the Start menu.

Step 1: Prepare your servers


Specify your general settings

On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more from:

  • Organizational units
  • User accounts
  • Groups
  • User profiles
  • Custom schemas
  • Shared contacts
  • Calendar resources
  • Licenses

Define your Google domain settings

On the Google Domain Configuration page of Configuration Manager, you define your Google domain connection information.

Connection Settings tab

  • Primary domain name—Enter the primary domain name of your Google Account. Make sure you’ve verified your primary domain. For details, go to Verify your domain for Google Workspace.
  • Replace domain names in LDAP email addresses—If you check the box, GCDS changes LDAP email addresses to match the domain listed in the Alternate email domain field. If Alternate email domain is blank, GCDS changes LDAP email addresses to match the domain in the Primary domain name field. 
  • Alternate email domain—Specify an alternate domain for your users (for example, a test domain). Otherwise, leave this field blank.
  • Authorize access using OAuth—To authorize GCDS:
    1. Click Authorize Now and then Sign In.
    2. Sign in to your Google Account with your super administrator username and password.

      If authentication succeeds, you get a message confirming the verification code was received. GCDS is now authorized.

Proxy Settings tab

Provide any network proxy settings here. If your server doesn't require a proxy to connect to the internet, skip this tab.

Exclusion Rules tab

Use exclusion rules to preserve information in your Google domain that isn’t in your LDAP system (for example, users that are only in the Google Account). For details, go to Use exclusion rules with GCDS.

Define your LDAP settings

On the LDAP Configuration page of Configuration Manager, enter your LDAP server information.

When configuring your LDAP server, we recommend using Secure LDAP so that the connection from GCDS to your LDAP server is encrypted.

If you selected OpenLDAP or Active Directory as your LDAP server, click Use defaults at the bottom of every configuration page to set up the sync with default parameters. You can then customize them to your needs.

After you set up the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.


Step 2: Decide what to synchronize


Determine the categories to synchronize

On the General Settings page, check the box next to the type of object you want to synchronize.

Set the sync rules for your organizational units

On the Org Units page of Configuration Manager, specify how your LDAP organizational units correspond to organizational units in your Google Account.

Click the tabs and enter the following information:

  • LDAP Org Unit mappings—Add mappings for top-level organizational units in your LDAP server. GCDS maps child organizations on your LDAP directory server to Google organizational units with the same name.

    Note: The "/" character isn't allowed in the names of organizational units.

    If you check the Do not create or delete Google Organizations box, organizational units will not be synchronized from the LDAP server. You can still specify which users go in which organizational units in the user account rules.

    For details on how to add an organizational unit mapping rule, go to Organizational unit mappings.

  • Search rules—Specify the organizational units to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule. For details, go to Organizational unit search rules.
  • Exclusion Rules—If you have any organizational units on your LDAP directory server that match your search rules but you don't want them added to your Google Account, add an exclusion rule. Learn more about using exclusion rules.

Example: An LDAP directory server has an organizational hierarchy split between two office locations: Melbourne and Detroit. The Google org unit hierarchy matches the same hierarchy:

First rule:

  • (LDAP) DN: ou=melbourne,dc=ad,dc=example,dc=com
  • (Google domain) Name: Melbourne

Second rule:

  • (LDAP) DN: ou=detroit,dc=ad,dc=example,dc=com
  • (Google domain) Name: Detroit

Define your user list

On the User Accounts page of Configuration Manager, specify how GCDS generates your LDAP user list. Click the tabs and enter the following information:

  • User attributes—Specify the attributes GCDS uses when generating the LDAP user list.
  • Additional users attributes—Enter optional LDAP attributes (such as passwords) that you can use to import additional information about your Google users.
  • Search rules—Specify what users to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule. For details, go to Use LDAP search rules to synchronize data.
  • User exclusion rules—If you have users on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to Use exclusion rules with GCDS.


Sync mailing lists with Google Groups

On the Groups page of Configuration Manager, sync the mailing lists on your LDAP server to Google Groups.

Click the tabs and enter the following information:

  • Search rules—Specify what groups to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule. For details, go to Group search rules.
  • Exclusion rules—If you have any entries in your LDAP server that match a mail-list rule, but should not be treated as a mailing list (for example, internal mailing lists that do not have outside email addresses), list them here. Learn more about using exclusion rules.

Groups are created with the following default permissions:

  • Who can view: All members of the group
  • Listing: Do not list this group.
  • Who can view members: Only managers and owners can view the group members list.
  • Who can join: Anyone in the organization can ask to join.
  • Allow External Members: Disallowed.
  • Who can post messages: Anyone from your domain can post.
  • Allow posting from the web: Allowed.
  • Who can invite new members: Managers and owners only
  • Message moderation: No moderation.
  • Message archival: Archive is turned off.
  • Allow External Email: Disallowed

The default permissions of the Group can't be changed. However, you can change the Group settings once the Group is created.

Are you using Groups for Business?

If your domain is using the Groups for Business service, users can create their own groups in your domain.
Your users, rather than the administrator, control these groups. Learn more about Ways to create groups.

GCDS automatically detects these groups and won't delete or overwrite them. If a group with the same email address exists in your LDAP directory, GCDS applies non-destructive changes (such as updating the name, description, and adding new members) but it won't delete members you’ve deleted from the LDAP directory. The only way to change a group from user-created to an Admin console group is to delete it and then recreate it using the Admin console.


Decide what user profile information to synchronize

On the User Profiles page of Configuration Manager, specify the profile information for users. User profiles contain extended information about users, such as a phone number and job title.

Click the tabs and enter the following information:

  • User profile attributes—Specify the attributes GCDS uses when generating the LDAP user profiles.
  • Search rules—Specify what user profile information to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any user profiles on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to Use exclusion rules with GCDS.


Sync custom user fields using a custom schema

You can synchronize additional user information from your LDAP directory to your Google Account with a custom schema. You can use multiple schemas to sync different types of user data, for example, a specific organizational unit such as Finance. You set up custom schemas and decide which users to apply them to on the Custom Schemas page of Configuration Manager.

For information on limits that apply to custom schemas, read this JSON request information.

Step 1: Decide which users to apply the custom schema to

You can apply a custom schema to:

  • All users defined by the LDAP search rules and settings in your User Accounts configuration.
  • A different set of users defined by custom LDAP search and exclusion rules.

To apply a new custom schema to all user accounts:

  1. Click Add Schema.
  2. Select Use rules defined in "User Accounts".

To apply a new custom schema to a specific set of users:

  1. Click Add Schema.
  2. Select Define custom search rules.
  3. On the Search Rules tab, click Add search rule and enter the following information:
    • Scope
    • Rule
    • Base distinguished name (DN)

    Learn more about using LDAP queries with GCDS.

  4. Click OK.
  5. On the Exclusion Rules tab, click Add Exclusion rule and enter the following information:
    • Exclude Type
    • Match Type
    • Exclusion Rule

    Learn more about using exclusion rules with GCDS.

  6. Click OK.

To apply a new custom schema without syncing user accounts:

  1. In Configuration Manager, go to General Settings and turn on User Accounts.
  2. Go to User Accounts and set the Email Address attribute.

    This attribute is used to identify the Google user that the schema should be applied to, so it's necessary to set this, even if you have created no user search rules.

  3. Go to General Settings and turn off User Accounts.
  4. Click Save.

Step 2: Add a custom schema to the user group

You can use predefined fields for your schema or create your own schema fields.

To use predefined schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field list, choose a predefined schema field.
  3. In the Google Field Name field, verify that the prepopulated name is correct.
  4. Verify that the Indexed and Read Access Type settings are correct.
  5. Click OK.
  6. (Optional) Repeat these steps for any additional predefined fields you want to include in your schema.
  7. (Optional) Add any custom schema fields (view steps below).
  8. Click OK to add the custom schema to your configuration.

To create your own schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field list, select Custom.
  3. In the LDAP Field Name field, enter the name of the LDAP field you want to sync to your Google Account.
  4. In the LDAP Field Type list, select the type of field.
  5. In the Google Field Name field, enter the name of the Google field you want to map the LDAP data to.
  6. In the Google Field Type list, select the type of field.
  7. (Optional) To index the data, check the Indexed box.
  8. In the Read Access Type list, select how to control read access to the field data defined in the schema fields.
  9. Click OK.
  10. (Optional) To add additional schema fields, repeat the steps.
  11. Click OK to add the custom schema to your configuration.

Step 3: Select encoding scheme for binary attributes (Optional)

If you use a binary attribute (such as objectSid or objectGUID) as a custom field value, it's converted to a string using an encoding scheme. 

To change the encoding scheme, click Encoding scheme for binary attributes and select an option: 

  • Base16 (also known as Hexadecimal)
  • Base32
  • Base32Hex
  • Base64
  • Base64URL (the default)

Note: Leading or trailing whitespaces in custom schema and field names are automatically removed. Inner whitespace characters are preserved.
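
The following Python sketch is an added example, not part of the GCDS documentation: it takes a custom-field string produced under one of the five schemes listed above and recovers the readable objectSid or objectGUID, rejecting values that don't parse under the stated scheme. The function names and sample values are constructed for illustration, and tolerating missing "=" padding is an assumption about how the value is stored.

```python
import base64
import struct
import uuid

# Base32Hex alphabet mapped onto the standard Base32 alphabet (RFC 4648).
B32HEX_TO_B32 = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                              "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def pad(text, block):
    # Assumption: the stored value may lack '=' padding, so restore it.
    return text + "=" * (-len(text) % block)

def decode_bytes(value, scheme):
    value = value.strip().rstrip("=")
    if scheme == "Base16":
        return base64.b16decode(value, casefold=True)
    if scheme == "Base32":
        return base64.b32decode(pad(value.upper(), 8))
    if scheme == "Base32Hex":
        return base64.b32decode(pad(value.upper().translate(B32HEX_TO_B32), 8))
    if scheme == "Base64":
        return base64.b64decode(pad(value, 4), validate=True)
    if scheme == "Base64URL":
        return base64.b64decode(pad(value, 4), altchars=b"-_", validate=True)
    raise ValueError("unknown encoding scheme: " + scheme)

def sid_to_string(raw):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("not a well-formed binary SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    parts = [raw[0], int.from_bytes(raw[2:8], "big"), *subs]
    return "S-" + "-".join(str(p) for p in parts)

def decode_field(value, scheme, attribute):
    """Decode a field value; the attribute name must be known, since a SID
    with two sub-authorities is 16 bytes long, the same as a GUID."""
    raw = decode_bytes(value, scheme)
    if attribute == "objectSid":
        return sid_to_string(raw)
    if attribute == "objectGUID" and len(raw) == 16:
        # Active Directory stores the first three GUID fields little-endian.
        return str(uuid.UUID(bytes_le=raw))
    raise ValueError("unexpected attribute or length for " + attribute)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(decode_field("AQIAAAAAAAUgAAAAIAIAAA", "Base64URL", "objectSid"))
    print(decode_field("00112233445566778899AABBCCDDEEFF", "Base16", "objectGUID"))
```

When comparing synced values against directory exports, decode with the same scheme selected in Configuration Manager; a value decoded under the wrong scheme either fails validation or yields bytes that fail the SID structure check.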

Sync your shared contacts

On the Shared Contacts page of Configuration Manager, set up the synchronization for Shared Contacts. Shared Contacts corresponds to a Global Address List (GAL) in Microsoft Active Directory and other directory servers. Shared contacts contain information, such as name, email address, phone number, and title.

Important:

  • Only sync shared contacts from outside of your domain. Synchronizing contacts inside your domain can result in duplicate entries in your GAL.
  • It can take up to 24 hours for shared contacts to synchronize and appear.

Click the tabs and enter the following information:

  • Shared contact attributes—Specify the attributes GCDS uses when generating the LDAP shared contacts.
  • Search rules—Specify what contacts to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any contacts on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to Use exclusion rules with GCDS.


Define your calendar settings

On the Calendar Resources page of Configuration Manager, specify how GCDS generates your LDAP calendar resources.

Click the tabs and enter the following information:

  • Calendar resource attribute—Specify the attributes GCDS uses when generating the LDAP calendar resources.

    Important: GCDS doesn't sync a Calendar Resource attribute that contains spaces or characters such as the at sign (@) or colon (:). For more information on calendar resource naming, go to Resource naming recommendations for Google Calendar.

  • Search rules—Specify what calendar resources to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any calendar resources on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to Use exclusion rules with GCDS.


Sync licenses

On the Licenses page of Configuration Manager, set up the GCDS license synchronization for users in your Google Account. For details, go to Manage & assign licenses.

Step 3: Check your sync


Set your notifications

On the Notifications page of Configuration Manager, specify details about your mail server and email notifications following a sync.

Every time a synchronization occurs, GCDS sends out a notification to one or more email addresses that you specify in the To addresses field. Click Add after each address is entered.

Click Test Notification to send a test message to the addresses you listed.


Set the parameters for logging

On the Logging page of Configuration Manager, specify the file name and the level of detail required in the log.


Verify your synchronization settings

On the Sync page in Configuration Manager, click Simulate sync to test your settings.

Running a simulated synchronization doesn't update or change your LDAP server data or your user accounts in your Google Account. The simulation is only for checking and testing your settings. During a simulation, Configuration Manager:

  • Connects to your Google Account and LDAP server and generates a list of users, groups, and shared contacts
  • Makes a list of the differences between the Google and LDAP accounts
  • Logs all events

If the simulation is successful, Configuration Manager generates a report that shows the changes that would have been made to your Google data. When you're confident that the configuration is correct, you're ready to run a synchronization. 



Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
