Set up your sync with Configuration Manager

Configuration Manager walks you through the process of creating and testing a configuration file for Google Cloud Directory Sync (GCDS). You open Configuration Manager from the Start menu.


Step 1: Prepare your servers

Specify your general settings

On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more from:

  • Organizational units
  • User accounts
  • Groups
  • User profiles
  • Custom schemas
  • Shared contacts
  • Calendar resources
  • Licenses

Define your Google domain settings

On the Google Domain Configuration page of Configuration Manager, you define your Google domain connection information.

Connection Settings tab

  • Primary Domain Name—Enter the primary domain name of your Google Account. Make sure you’ve verified your primary domain. For details, go to Verify your domain for Google Workspace.
  • Replace domain names in LDAP email addresses—If you check the box, LDAP email addresses are changed to match the domain listed in the Alternate email domain field.
  • Alternate email domain—Specify another domain to import your users into a different domain (for example, a test domain). Otherwise, leave this field blank.
  • Authorize access using OAuth—To authorize GCDS:
    1. Click Authorize Now and then Sign In.
    2. Sign in to your Google Account with your super administrator username and password.

      If authentication succeeds, you'll get a message confirming the verification code was received. GCDS is now authorized.

Proxy Settings tab

Provide any network proxy settings here. If your server doesn't require a proxy to connect to the internet, skip this tab.

Exclusion Rules tab

Use exclusion rules to preserve information in your Google domain that isn’t in your LDAP system (for example, users that are only in the Google Account). For details, go to Use exclusion rules with GCDS.

Define your LDAP settings

On the LDAP Configuration page of Configuration Manager, enter your LDAP server information.

If you selected OpenLDAP or Active Directory as your LDAP server, click Use defaults at the bottom of every configuration page to set up the sync with default parameters. You can then customize them to your needs.

After you set up the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.

Step 2: Decide what to synchronize

Determine the categories to synchronize

On the General Settings page, check the box next to the type of object you want to synchronize.

Set the sync rules for your organizational units

On the Org Units page of Configuration Manager, specify how your LDAP organizational units correspond to organizational units in your Google Account.

Click the tabs and enter the following information:

  • LDAP Org Unit mappings—Add mappings for top-level organizational units in your LDAP server. GCDS maps child organizations on your LDAP directory server to Google organizational units with the same name.

    Note: The forward slash character "/" isn't allowed in names of organizational units. In the Admin console, you'll get an error message. If you use GCDS, Google Workspace Admin SDK, or School Directory Sync to create or rename an organizational unit, the "/" is replaced by an underscore "_".

    If you check the Do not create or delete Google Organizations box, organizational units will not be synchronized from the LDAP server. You can still specify which users go in which organizational units in the user account rules.

    For details on how to add an organizational unit mapping rule, go to Organizational unit mappings.

  • Search rules—Specify the organizational units to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule. For details, go to Organizational unit search rules.
  • Exclusion Rules—If you have any organizational units on your LDAP directory server that match your search rules but you don't want them added to your Google Account, add an exclusion rule. Learn more about using exclusion rules.

Example: An LDAP directory server has an organizational hierarchy split between two office locations, Melbourne and Detroit, and the Google organizational unit hierarchy mirrors it. Two mapping rules cover this:

First rule:

  • (LDAP) DN: ou=melbourne,dc=ad,dc=example,dc=com
  • (Google domain) Name: Melbourne

Second rule:

  • (LDAP) DN: ou=detroit,dc=ad,dc=example,dc=com
  • (Google domain) Name: Detroit
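As an added illustration (not GCDS's own code), the following Python resolves an LDAP entry's DN to the Google org unit path that these mapping rules and the same-name child rule produce, including the replacement of "/" by "_"; the rule table and the DNs are the constructed ones from the example above, and the DN parser handles only backslash-escaped commas.

```python
# Added example (not GCDS code): how org unit mapping rules plus the
# "same name" child rule resolve an LDAP entry to a Google org unit path.
# Keys are LDAP DNs, values are Google org unit names; these are the
# constructed Melbourne/Detroit rules from the example above.
OU_MAPPINGS = {
    "ou=melbourne,dc=ad,dc=example,dc=com": "Melbourne",
    "ou=detroit,dc=ad,dc=example,dc=com": "Detroit",
}


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf RDN first.
    A backslash escapes the next character, so 'Doe\\, John' stays one value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(pairs):
    """Canonical form for comparison: DN matching is case-insensitive."""
    return ",".join(f"{attr}={value.lower()}" for attr, value in pairs)


def org_unit_for(entry_dn, mappings=OU_MAPPINGS):
    """Return the Google org unit path for an LDAP entry, or None when no
    mapping rule covers it (such entries are simply not synchronized).
    Walks from the entry up through its parents until a mapped DN is found;
    every ou= component below that point becomes a child org unit with the
    same name, with '/' replaced by '_' as GCDS does."""
    rdns = parse_dn(entry_dn)
    mapped = {normalize_dn(parse_dn(dn)): name for dn, name in mappings.items()}
    for depth in range(len(rdns)):
        top = mapped.get(normalize_dn(rdns[depth:]))
        if top is None:
            continue
        children = [value.replace("/", "_")
                    for attr, value in reversed(rdns[:depth]) if attr == "ou"]
        return "/".join([top, *children])
    return None
```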

Define your user list

On the User Accounts page of Configuration Manager, specify how GCDS generates your LDAP user list. Click the tabs and enter the following information:

  • User attributes—Specify the attributes GCDS uses when generating the LDAP user list.
  • Additional users attributes—Enter optional LDAP attributes (such as passwords) that you can use to import additional information about your Google users.
  • Search rules—Specify what users to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule. For details, go to Use LDAP search rules to synchronize data.
  • User exclusion rules—If you have users on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to Use exclusion rules with GCDS.

Sync mailing lists with Google Groups

On the Groups page of Configuration Manager, sync the mailing lists on your LDAP server to Google Groups.

Click the tabs and enter the following information:

  • Search rules—Specify what groups to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule. For details, go to Group search rules.
  • Exclusion rules—If you have any entries in your LDAP server that match a mail-list rule, but should not be treated as a mailing list (for example, internal mailing lists that do not have outside email addresses), list them here. Learn more about using exclusion rules.

Groups are created with the following default permissions:

  • Who can view: All members of the group
  • Listing: Do not list this group.
  • Who can view members: Only managers and owners can view the group members list.
  • Who can join: Anyone in the organization can ask to join.
  • Allow External Members: Disallowed.
  • Who can post messages: Anyone from your domain can post.
  • Allow posting from the web: Allowed.
  • Who can invite new members: Managers and owners only
  • Message moderation: No moderation.
  • Message archival: Archive is turned off.
  • Allow External Email: Disallowed

The default permissions applied at creation can't be changed; however, you can change the group's settings once the group exists.

Are you using Groups for Business?

If your domain is using the Groups for Business service, users can create their own groups in your domain.
Your users, rather than the administrator, control these groups. Learn more about Ways to create groups.

GCDS automatically detects these groups and won't delete or overwrite them. If a group with the same email address exists in your LDAP directory, GCDS applies non-destructive changes (such as updating the name and description and adding new members), but it won't delete members you've deleted from the LDAP directory. The only way to change a group from user-created to an Admin console group is to delete it and then recreate it using the Admin console.

Decide what user profile information to synchronize

On the User Profiles page of Configuration Manager, specify the profile information for users. User profiles contain extended information about users, such as a phone number and job title.

Click the tabs and enter the following information:

  • User profile attributes—Specify the attributes GCDS uses when generating the LDAP user profiles.
  • Search rules—Specify what user profile information to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any user profiles on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to using exclusion rules.

Sync custom user fields using a custom schema

You can synchronize additional user information from your LDAP directory to your Google Account with a custom schema. You can use multiple schemas to sync different types of user data, for example, a specific organizational unit such as Finance. You set up custom schemas and decide which users to apply them to on the Custom Schemas page of Configuration Manager.

For information on limits that apply to custom schemas, read this JSON request information.

Step 1: Decide which users to apply the custom schema to

You can apply a custom schema to:

  • All users defined by the LDAP search rules and settings in your User Accounts configuration.
  • A different set of users defined by custom LDAP search and exclusion rules.

To apply a new custom schema to all user accounts:

  1. Click Add Schema.
  2. Select Apply to all user accounts.

To apply a new custom schema to a specific set of users:

  1. Click Add Schema.
  2. Select Define custom search rules.
  3. On the Search Rules tab, click Add search rule and enter the following information:
    • Scope
    • Rule
    • Base distinguished name (DN)

    Learn more about using LDAP queries with GCDS.

  4. Click OK.
  5. On the Exclusion Rules tab, click Add Exclusion rule and enter the following information:
    • Exclude Type
    • Match Type
    • Exclusion Rule

    Learn more about using exclusion rules with GCDS.

  6. Click OK.

Step 2: Add a custom schema to the user group

You can use predefined fields for your schema or create your own schema fields.

To use predefined schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field list, choose a predefined schema field.
  3. In the Google Field Name field, verify that the prepopulated name is correct.
  4. Verify that the Indexed and Read Access Type settings are correct.
  5. Click OK.
  6. (Optional) Repeat these steps for any additional predefined fields you want to include in your schema.
  7. (Optional) Add any custom schema fields (view steps below).
  8. Click OK to add the custom schema to your configuration.

To create your own schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field list, select Custom.
  3. In the LDAP Field Name field, enter the name of the LDAP field you want to sync to your Google Account.
  4. In the LDAP Field Type list, select the type of field.
  5. In the Google Field Name field, enter the name of the Google field you want to map the LDAP data to.
  6. In the Google Field Type list, select the type of field.
  7. (Optional) To index the data, check the Indexed box.
  8. In the Read Access Type list, select how to control read access to the field data defined in the schema fields.
  9. Click OK.
  10. (Optional) To add additional schema fields, repeat the steps.
  11. Click OK to add the custom schema to your configuration.

Sync your shared contacts

On the Shared Contacts page of Configuration Manager, set up the synchronization for Shared Contacts. Shared Contacts corresponds to a Global Address List (GAL) in Microsoft Active Directory and other directory servers. Shared contacts contain information, such as name, email address, phone number, and title.

Important:

  • Only sync shared contacts from outside of your domain. Synchronizing contacts inside your domain can result in duplicate entries in your GAL.
  • It can take up to 24 hours for shared contacts to synchronize and appear.

Click the tabs and enter the following information:

  • Shared contact attributes—Specify the attributes GCDS uses when generating the LDAP shared contacts.
  • Search rules—Specify what contacts to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any contacts on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to using exclusion rules.

Define your calendar settings

On the Calendar Resources page of Configuration Manager, specify how GCDS generates your LDAP calendar resources.

Click the tabs and enter the following information:

  • Calendar resource attribute—Specify the attributes GCDS uses when generating the LDAP calendar resources.

    Important: GCDS doesn't sync a Calendar Resource attribute that contains spaces or characters such as the at sign (@) or colon (:). For more information on calendar resource naming, go to Resource naming recommendations for Google Calendar.

  • Search rules—Specify what calendar resources to import and synchronize using LDAP query notation.
    You can modify your search rule with an exclusion rule.
  • Exclusion rules—If you have any calendar resources on your LDAP directory server that match your search rules but should not be added to your Google Account, add an exclusion rule. For details, go to using exclusion rules.

Sync licenses

On the Licenses page of Configuration Manager, set up the GCDS license synchronization for users in your Google Account. If a user leaves your organization, you can also archive them and assign an Archived User (AU) license. For more information, go to How AU licensing works.

Before you begin

You should manage user license assignment using a single method. Either assign and manage product licenses through the Google Admin console or use the GCDS license synchronization feature described here. For details on how to use the Admin console to manage licenses, go to Assign, remove, and reassign licenses.

Assign the email address attribute

  1. Under Email address attribute, specify what attribute GCDS uses as the email address mapping between the LDAP user account and the Google Account user.
  2. Proceed to Assign licenses or Archive or unarchive licensed users (below).

Assign licenses

  1. Click Add Rule.
  2. In the LDAP Query field, using LDAP query notation, specify the users on your LDAP directory that should be assigned the license.

    Important: You can only set up one license rule for each license SKU.

  3. Select Assign licenses to Google domain users.
  4. Click the License list and select the license SKU.

    Go to Supported product IDs and SKUs below.

  5. (Optional) Check the Remove this license from Google domain users that don’t match this rule box to remove licenses from Google users that don’t match the rule.
    Note: If your LDAP configuration isn’t correctly defined, checking the box might result in removing licenses for a large set of users in your account. Check your configuration before using this feature.
  6. Select one of the following options:
    • OK—Adds the rule and returns to the LDAP license rules screen
    • Apply—Adds the rule and begins another LDAP license rule
    • Cancel—Cancels the rule
    • Test LDAP query—Tests the validity of the LDAP license query
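To show why the note on the removal box matters before you check it, here is an added Python dry run (not GCDS's own code) that computes the assign and remove sets a license rule would produce against constructed sample data, enforces the one-rule-per-SKU limit, and flags any rule that would remove more than an assumed 20% of a SKU's current holders.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LicenseRule:
    sku: str                  # Configuration Manager allows one rule per SKU
    matched_users: frozenset  # primary emails the rule's LDAP query returned
    remove_unmatched: bool    # the "Remove this license ... don't match" box


def validate_rules(rules):
    """Reject configurations with more than one rule for the same SKU."""
    dupes = sorted(sku for sku, n in Counter(r.sku for r in rules).items() if n > 1)
    if dupes:
        raise ValueError(f"more than one license rule for SKU(s): {dupes}")


def proposed_changes(rules, current):
    """current maps SKU -> set of emails currently holding that license.
    Returns SKU -> (users to assign, users to remove) without touching
    either directory, the way a simulated sync reports proposed changes."""
    validate_rules(rules)
    report = {}
    for rule in rules:
        holders = set(current.get(rule.sku, ()))
        to_assign = frozenset(rule.matched_users - holders)
        to_remove = frozenset(holders - rule.matched_users) if rule.remove_unmatched else frozenset()
        report[rule.sku] = (to_assign, to_remove)
    return report


def removal_warnings(report, current, max_fraction=0.2):
    """Flag SKUs where a rule would strip more than max_fraction (an assumed
    threshold) of current holders, the symptom of a misdefined LDAP query."""
    warnings = {}
    for sku, (_, to_remove) in report.items():
        holders = current.get(sku, ())
        if holders and len(to_remove) / len(holders) > max_fraction:
            warnings[sku] = round(len(to_remove) / len(holders), 2)
    return warnings


# Constructed sample: five current Business Standard holders, but the rule's
# query matched only one of them (plus a new hire), with removal enabled.
CURRENT_LICENSES = {
    "Business Standard": {"ana@example.com", "ben@example.com", "cid@example.com",
                          "dee@example.com", "eve@example.com"},
    "Google Vault": {"ana@example.com"},
}
RULES = [
    LicenseRule("Business Standard", frozenset({"ana@example.com", "fay@example.com"}), True),
    LicenseRule("Google Vault", frozenset({"ben@example.com"}), False),
]
```

Running proposed_changes(RULES, CURRENT_LICENSES) and then removal_warnings on its result flags Business Standard, because the rule would remove four of its five current holders.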

Archive or unarchive licensed users

  1. Click Add Rule.
  2. In the LDAP Query field, using LDAP query notation, specify the users on your LDAP directory that should be archived.

    Important: You can only set up one license rule for each license SKU.

  3. Choose an option:
    • Archive Google domain users—Assign the user an Archived User (AU) license.
    • Unarchive Google domain users—Assign the user a license to the Google Workspace edition that matches their AU license.
  4. Select one of the following options:
    • OK—Adds the rule and returns to the LDAP license rules screen
    • Apply—Adds the rule and begins another LDAP license rule
    • Cancel—Cancels the rule
    • Test LDAP query—Tests the validity of the LDAP license query

Supported product IDs and SKUs

Product ID: G Suite or Google Workspace
SKUs:
  • Business Starter, Standard, and Plus
  • Enterprise
  • Education and Enterprise for Education
  • G Suite Basic and Business
  • Essentials

Product ID: Google Drive storage
SKUs:
  • Google Drive storage 20 GB
  • Google Drive storage 50 GB
  • Google Drive storage 200 GB
  • Google Drive storage 400 GB
  • Google Drive storage 1 TB
  • Google Drive storage 2 TB
  • Google Drive storage 4 TB
  • Google Drive storage 8 TB
  • Google Drive storage 16 TB

Product ID: Cloud Identity
SKUs:
  • Cloud Identity
  • Cloud Identity Premium

Product ID: Google Vault
SKUs:
  • Google Vault
  • Google Vault - Former Employee

Product ID: Google Voice
SKUs:
  • Google Voice Starter
  • Google Voice Standard
  • Google Voice Premier

Important:

If you want to assign a Cloud Identity license:

Step 3: Check your sync

Set your notifications

On the Notifications page of Configuration Manager, specify details about your mail server and email notifications following a sync.

Every time a synchronization occurs, GCDS sends out a notification to one or more email addresses that you specify in the To addresses field. Click Add after each address is entered.

Click Test Notification to send a test message to the addresses you listed.

Set the parameters for logging

On the Logging page of Configuration Manager, specify the file name and the level of detail required in the log.

Verify your synchronization settings

On the Sync page in Configuration Manager, click Simulate sync to test your settings.

Running a simulated synchronization doesn't update or change your LDAP server data or your user accounts in your Google Account. The simulation is only for checking and testing purposes. During simulation, Configuration Manager:

  • Connects to your Google Account and generates a list of users, groups, and shared contacts.
  • Connects to your LDAP directory server and generates a list of users, groups, and shared contacts.
  • Generates a list of differences.
  • Logs all events.

If the simulation is successful, Configuration Manager generates a Proposed Change Report that shows what changes would have been made to your Google user list.

When you’re confident that the configuration is correct, click Sync & apply changes to start a manual synchronization.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.