Set up your sync with Configuration Manager

Configuration Manager walks you through the process of creating and testing a configuration file for Google Cloud Directory Sync (GCDS). You open Configuration Manager from the Start menu.

GCDS used to be known as Google Apps Directory Sync (GADS). 


Step 1: Prepare your servers

Specify your general settings

On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more from:

  • Organizational units
  • User accounts
  • Groups
  • User profiles
  • Custom schemas
  • Shared contacts
  • Calendar resources
  • Licenses

Define your Google domain settings

On the Google Domain Configuration page of Configuration Manager, you define your Google domain connection information.

  1. Connection settings tab:
    • Primary Domain Name: Enter the primary domain name of your G Suite account.
    • Replace domain names in LDAP email addresses: If you leave this box unchecked, the LDAP username keeps its original domain. If you check the box, all LDAP email addresses are changed to match the domain listed in the Primary Domain Name field. For example, if the original LDAP username is you@your-company.com and your G Suite domain is company.com, checking this box creates the user you@company.com.
    • Alternate email domain: Specify another domain if you're using a pilot domain or if you need to import a full list of users into a different domain. Otherwise, leave this field blank.
    • Authorize access using OAuth:
      1. Click Authorize Now to set up your authorization settings and create a verification code.
      2. Click Sign In to open a browser window and sign in to your Google domain with your super administrator username and password.
      3. Copy the token that is displayed.
      4. Enter the token in the Verification Code field and click Validate.
  2. Proxy settings tab: 
    Provide any necessary network proxy settings here. If your server doesn't require a proxy to connect to the Internet, skip this tab.
  3. Exclusion rules tab: 
    Use exclusion rules to preserve information in your Google domain that isn’t in your LDAP system (for example, users that are only in the Google domain). See more about using exclusion rules.

Define your LDAP settings

On the LDAP Configuration page of Configuration Manager, enter your LDAP server information. 

For detail on the LDAP Configuration fields in Configuration Manager, see LDAP connection settings.

If you selected OpenLDAP or Active Directory® as your LDAP server, click Use defaults at the bottom of every configuration page to quickly set up the sync with default parameters. You can then customize them to your needs.

After you configure the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.

Step 2: Decide what to synchronize

Determine the categories to synchronize

On the General Settings page, check the box next to the type of object you want to synchronize.

Set the sync rules for your organizational units

On the Org Units page of Configuration Manager, specify how your LDAP organizational units correspond to organizational units in your Google domain.

Click the tabs and enter the following information:

  • LDAP Org Unit mappings: Add mappings for top-level organizational units in your LDAP server. GCDS maps suborganizations on your LDAP directory server to Google organizational units with the same name.

    If you check the Do not create or delete Google Organizations box, organizational units will not be synchronized from the LDAP server. You can still specify which users go in which organizational units in the user account rules.

    For details on how to add an organizational unit mapping rule, see Organizational unit mappings.

  • Search rules: Specify the organizational units to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule. For more information, see Organizational unit search rules.
  • Exclusion Rules: If you have any organizational units on your LDAP directory server that match your search rules but you don't want them added to your Google domain, add an exclusion rule. See more about using exclusion rules.

Example: An LDAP directory server has an organizational hierarchy split between two office locations: Melbourne and Detroit. The Google org unit hierarchy will match the same hierarchy:

  • First Rule:
    • (LDAP) DN: ou=melbourne,dc=ad,dc=example,dc=com
    • (Google domain) Name: Melbourne
  • Second Rule:
    • (LDAP) DN: ou=detroit,dc=ad,dc=example,dc=com
    • (Google domain) Name: Detroit
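The two mapping rules above, worked through in code. This is an added example, not part of GCDS or of this article; it assumes the sub-OU handling described in the LDAP Org Unit mappings bullet (suborganizations under a mapped LDAP OU become Google org units with the same name) and does not handle escaped commas in DNs.

```python
from typing import Dict, List, Optional

# Mapping rules constructed from the Melbourne/Detroit example above
OU_MAPPINGS: Dict[str, str] = {
    "ou=melbourne,dc=ad,dc=example,dc=com": "Melbourne",
    "ou=detroit,dc=ad,dc=example,dc=com": "Detroit",
}


def rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, lower-cased, most specific first (no escape handling)."""
    return [part.strip().lower() for part in dn.split(",")]


def google_org_unit(user_dn: str, mappings: Dict[str, str] = OU_MAPPINGS) -> Optional[str]:
    """Return the Google org unit path (e.g. '/Melbourne/sales') for a user's DN.

    The longest mapped LDAP DN that is a suffix of the user's parent DN wins;
    OUs nested between the mapped DN and the user keep their LDAP names.
    Returns None when no mapping rule covers the user.
    """
    parent = rdns(user_dn)[1:]  # drop the user's own RDN (cn=..., uid=...)
    best = None
    for ldap_dn, google_name in mappings.items():
        rule = rdns(ldap_dn)
        if len(rule) <= len(parent) and parent[-len(rule):] == rule:
            if best is None or len(rule) > len(best[0]):
                best = (rule, google_name)
    if best is None:
        return None
    rule, google_name = best
    # Intermediate OUs, most specific first; reverse so the path reads top-down
    nested = [p.split("=", 1)[1] for p in parent[: len(parent) - len(rule)] if p.startswith("ou=")]
    return "/" + "/".join([google_name] + list(reversed(nested)))
```

A user in ou=sales,ou=melbourne,... therefore lands in /Melbourne/sales, while a user outside both mapped trees gets no org unit from these rules.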

Define your user list

On the User Accounts page of Configuration Manager, specify how GCDS generates your LDAP user list.

Important: You must add at least one user rule before running a synchronization. Even if you use GCDS to only sync groups, a user rule must be specified, or the synchronization will fail.

Click the tabs and enter the following information:

  • User attributes: Specify what attributes GCDS will use when generating the LDAP user list.
  • Additional user attributes: Enter optional LDAP attributes (such as passwords) that you can use to import additional information about your Google users.
  • Search rules: Specify what users to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule.
  • User exclusion rules: If you have users on your LDAP directory server that match your search rules but you don't want them added to your Google domain, add an exclusion rule. See more about using exclusion rules.

Sync users to a secondary domain

If you have added a secondary domain, you can use GCDS to sync users within that domain. To sync a user to your secondary domain, ensure the user's mail address in your LDAP server matches your secondary domain name. GCDS creates the user in the Google domain using your secondary domain as the primary mail address.

If you don't want to make changes to your existing LDAP mail attribute, you'll need to assign another attribute to sync your secondary domain users' email addresses.

For more information

For detail on the User Accounts fields in Configuration Manager, see User attribute settings. You can also find more information on Additional user attributes and User search rules.

Sync mailing lists with Google Groups

On the Groups page of Configuration Manager, sync the mailing lists on your LDAP server to Google Groups. 

Click the tabs and enter the following information:

  • Search rules: Specify what groups to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule. For more information, see Group search rules.
  • Exclusion rules: If you have any entries in your LDAP server that match a mail-list rule, but should not be treated as a mailing list (for example, internal mailing lists that do not have outside email addresses), list them here. See more about using exclusion rules.

Groups are created with the following default permissions:

  • Who can view: All members of the group
  • Listing: Do not list this group.
  • Who can view members: Only managers and owners can view the group members list.
  • Who can join: Anyone in the organization can ask to join.
  • Allow External Members: Disallowed.
  • Who can post messages: Anyone from your domain can post.
  • Allow posting from the web: Allowed.
  • Who can invite new members: Managers and owners only
  • Message moderation: No moderation.
  • Message archival: Archive is disabled.
  • Allow External Email: Disallowed
The default permissions of the group can't be changed; however, you can change the group's settings once the group is created.

For detail on the Group search rules fields in Configuration Manager, see Group search rules and Group search rules (Prefix-Suffix).

Are you using Groups for Business?

If your domain is using the Groups for Business service, users can create their own groups in your domain. These groups are controlled by your users, rather than by the administrator. 

GCDS automatically detects these groups and won't delete or overwrite them. If a group with the same email address exists in your LDAP directory, GCDS applies non-destructive changes, such as updating the name and description and adding new members, but it won't remove members you have removed from the LDAP directory. The only way to change a group from user-created to an Admin console group is to delete it and then recreate it via the Admin console.

Decide what user profile information to synchronize

On the User Profiles page of Configuration Manager, specify the profile information for users. User profiles contain extended information about users, such as a phone number and job title.

Click the tabs and enter the following information:

  • User profile attributes: Specify what attributes GCDS will use when generating the LDAP user profiles.
  • Search rules: Specify what user profile information to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule.
  • Exclusion rules: If you have any user profiles on your LDAP directory server that match your search rules but should not be added to your Google domain, add an exclusion rule. See more about using exclusion rules.

For detail on the User Profiles fields in Configuration Manager, see User profile attributes.

Sync custom user fields using a custom schema

You can synchronize additional user information from your LDAP directory to your Google domain with a custom schema. You can use multiple schemas that will sync different types of user data, for example, a specific organizational unit such as Finance. You set up custom schemas and decide which users to apply them to on the Custom Schemas page of Configuration Manager.

Limits apply to custom schemas; see the documentation on custom schema limits for details.

Step 1: Decide which users to apply the custom schema to

You can apply a custom schema to:

  • All users defined by the LDAP search rules and settings in your User Accounts configuration.
  • A different set of users defined by custom LDAP search and exclusion rules.

To apply a new custom schema to all user accounts:

  1. Click Add Schema.
  2. Select Apply to all user accounts.

To apply a new custom schema to a specific set of users:

  1. Click Add Schema.
  2. Select Define custom search rules.
  3. On the Search Rules tab, click Add search rule and enter the following information:
    • Scope
    • Rule
    • Base distinguished name (DN)

    Learn more about using LDAP queries with GCDS.

  4. Click OK.
  5. On the Exclusion Rules tab, click Add Exclusion rule and enter the following information: 
    • Exclude Type
    • Match Type
    • Exclusion Rule

    Learn more about using exclusion rules with GCDS.

  6. Click OK.

Step 2: Add a custom schema to the user group

You can use predefined fields for your schema or create your own schema fields.

To use predefined schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field drop-down list, choose a predefined schema field.
  3. In the Google Field Name field, verify that the prepopulated name is correct.
  4. Verify that the Indexed and Read Access Type settings are correct.
  5. Click OK.
  6. (Optional) Repeat these steps for any additional predefined fields you want to include in your schema.
  7. (Optional) Add any custom schema fields (see steps below). 
  8. Click OK to add the custom schema to your configuration.

To create your own schema fields:

  1. In the Schema Name field, enter a name and click Add Field.
  2. From the Schema Field drop-down list, select Custom.
  3. In the LDAP Field Name field, enter the name of the LDAP field you want to sync to your Google domain.
  4. In the LDAP Field Type drop-down list, select the type of field.
  5. In the Google Field Name field, enter the name of the Google field you want to map the LDAP data to.
  6. In the Google Field Type drop-down list, select the type of field. 
  7. (Optional) To index the data, check the Indexed box.
  8. In the Read Access Type list, select how to control read access to the field data defined in the schema fields.
  9. Click OK.
  10. (Optional) To add additional schema fields, repeat the steps.
  11. Click OK to add the custom schema to your configuration.

Sync your shared contacts

On the Shared Contacts page of Configuration Manager, set up the synchronization for Shared Contacts.

Shared contacts contain information about contacts, such as name, email address, phone number, and title. Shared Contacts corresponds to a Global Address List (GAL) in Microsoft Active Directory and other directory servers.

Important: It can take up to 24 hours for Shared Contacts to synchronize and appear.

Click the tabs and enter the following information:

  • Shared contact attributes: Specify what attributes GCDS will use when generating the LDAP shared contacts.
  • Search rules: Specify what contacts to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule.
  • Exclusion rules: If you have any contacts on your LDAP directory server that match your search rules but should not be added to your Google domain, add an exclusion rule. See more about using exclusion rules.

Learn more about troubleshooting issues with syncing Shared Contacts.

For detail on the Shared Contacts fields in Configuration Manager, see Shared Contacts attributes.

Define your calendar settings

On the Calendar Resources page of Configuration Manager, specify how GCDS generates your LDAP calendar resources.

Click the tabs and enter the following information:

  • Calendar resource attribute: Specify what attributes GCDS will use when generating the LDAP calendar resources.

    Important: GCDS doesn't sync a Calendar Resource attribute that contains spaces or characters such as the at sign (@) or colon (:). For more information on calendar resource naming, see Developing a naming strategy for your calendar resources.

  • Search rules: Specify what calendar resources to import and synchronize using LDAP query notation. You can modify your search rule with an exclusion rule.
  • Exclusion rules: If you have any calendar resources on your LDAP directory server that match your search rules but should not be added to your Google domain, add an exclusion rule. See more about using exclusion rules.

For detail on the Calendar Resources fields in Configuration Manager, see Calendar Resource attributes.

Sync licenses

On the Licenses page of Configuration Manager, set up the GCDS license synchronization for users in your Google domain.

If you have purchased different product SKUs for your domain, you may want to disable automatic license assignment and use the GCDS license synchronization feature to manage licenses for your Google user accounts. Manage user license assignment using a single method only: either assign and manage product licenses through the Admin console, or use the GCDS license synchronization feature described here.

Click the tabs to enter the following information:

  • Email address attribute: Specify what attribute GCDS will use as the email address mapping between the LDAP user account and the Google domain user.
  • To add an LDAP license rule: 
    • Click Add Rule
    • From the License drop-down menu select the license SKU you want to apply to the users specified by the license rule.
    • In the LDAP query field, specify which users on the LDAP directory should be assigned the license, using LDAP query notation.

      Important: You can only configure one license rule per license SKU.

      Example: (&(objectclass=user)(objectcategory=person)(memberof=CN=Group_1,CN=Users,DC=Domain,DC=com))

    • (Optional) Check the Remove this license from Google domain users that don’t match this rule box to remove licenses for all users in the Google domain that don’t match this license rule.

      Note: If you check this box, GCDS removes the license for all users in the Google domain that don’t match the rule. If your LDAP configuration isn’t properly defined this may result in removing licenses for a large set of users in the domain. Ensure your configuration is correctly defined before using this feature.

    • Select one of the following options:
      • OK to add the rule and return to the LDAP license rules screen
      • Apply to add the rule and begin another LDAP license rule
      • Cancel to cancel the rule
      • Test LDAP query to test the validity of the LDAP license query. 
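Before enabling the "Remove this license from Google domain users that don't match this rule" option, it helps to see exactly which users a rule selects and which licensed users would lose their license. The following added example (not GCDS code or Google's) evaluates the page's example filter against constructed directory entries and reports both lists; it supports the (&...), (|...), (!...) and attribute=value forms that the example uses, compares values case-insensitively, and does not handle escaped filter characters.

```python
from typing import Dict, List, Tuple, Union

Entry = Dict[str, Union[str, List[str]]]  # attribute -> value(s); keys are lower-case

def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Parse one parenthesised filter at text[pos]; return (node, position after it)."""
    assert text[pos] == "(", "filter must start with '('"
    pos += 1
    op = text[pos]
    if op in "&|!":  # AND / OR / NOT wrapping nested filters
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        assert text[pos] == ")", "unbalanced filter"
        return (op, children), pos + 1
    end = text.index(")", pos)  # equality item; the value itself may contain '='
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive, as AD matches)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    raw = entry.get(attr, [])
    values = raw if isinstance(raw, list) else [raw]  # memberOf is multi-valued
    return any(v.lower() == value for v in values)

def license_plan(rule: str, ldap_users: List[Entry], google_licensed: List[str],
                 remove_non_matching: bool) -> Tuple[List[str], List[str]]:
    """Return (assign, remove) address lists that one license rule would produce."""
    node, _ = parse_filter(rule)
    matching = [u["mail"] for u in ldap_users if matches(node, u)]
    assign = [m for m in matching if m not in google_licensed]
    remove = [g for g in google_licensed if g not in matching] if remove_non_matching else []
    return assign, remove

# Constructed sample entries; objectcategory is shortened to its display name
GROUP_1 = "CN=Group_1,CN=Users,DC=Domain,DC=com"
LDAP_USERS: List[Entry] = [
    {"objectclass": "user", "objectcategory": "person", "mail": "alice@example.com", "memberof": [GROUP_1]},
    {"objectclass": "user", "objectcategory": "person", "mail": "bob@example.com",
     "memberof": [GROUP_1, "CN=Admins,CN=Users,DC=Domain,DC=com"]},
    {"objectclass": "user", "objectcategory": "person", "mail": "carol@example.com",
     "memberof": ["CN=Group_2,CN=Users,DC=Domain,DC=com"]},
    {"objectclass": "computer", "objectcategory": "computer", "mail": "svc@example.com", "memberof": [GROUP_1]},
]
RULE = "(&(objectclass=user)(objectcategory=person)(memberof=" + GROUP_1 + "))"
GOOGLE_LICENSED = ["alice@example.com", "carol@example.com", "dave@example.com"]  # constructed Google state
```

With the removal box unchecked the rule only assigns bob; with it checked, carol and dave (licensed in Google but not matched by the rule) would also be stripped, which is the outcome the note above warns about.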

Supported product IDs and SKUs

Product ID              SKUs
Google-Apps             Google-Apps-For-Business
                        Google-Apps-For-Postini
                        Google-Apps-Lite
                        Google-Apps-Unlimited
Google-Drive-storage    Google-Drive-storage-20GB
                        Google-Drive-storage-50GB
                        Google-Drive-storage-200B
                        Google-Drive-storage-40GB
                        Google-Drive-storage-1TB
                        Google-Drive-storage-2TB
                        Google-Drive-storage-4TB
                        Google-Drive-storage-8TB
                        Google-Drive-storage-16TB
Google-Vault            Google-Vault
                        Google-Vault-Former-Employee

Important

If you want to assign a Cloud Identity license:

Step 3: Check your sync

Set your notifications

On the Notifications page of Configuration Manager, specify details about your mail server and who should be notified by email following a sync.

Every time a synchronization occurs, GCDS sends out a notification to one or more email addresses that you specify in the To addresses field. Click Add after each address is entered.

Click Test Notification to send a test message to the addresses you listed.

For detail on the Notifications fields in Configuration Manager, see Notification attributes.

Set the parameters for logging

On the Logging page of Configuration Manager, specify the file name and the level of detail required in the log.

For detail on the Logging fields in Configuration Manager, see Logging settings.

Verify your synchronization settings

On the Sync page in Configuration Manager, click Simulate sync to test your settings.

During simulation, Configuration Manager will:

  • Connect to your Google domain and generate a list of users, groups, and shared contacts.
  • Connect to your LDAP directory server and generate a list of users, groups, and shared contacts.
  • Generate a list of differences.
  • Log all events.

If the simulation is successful, Configuration Manager generates a Proposed Change Report that shows what changes would have been made to your Google user list.

Note: Running a simulated synchronization doesn't update or change your LDAP server data or your user accounts in your Google domain. The simulation is only for checking and testing purposes.
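The four simulation steps above, reduced to a small "proposed change report" for user accounts. This is an added example, not GCDS code: it applies the "Replace domain names in LDAP email addresses" setting from the Google domain configuration, protects Google-only users through exclusion rules, and diffs the two lists without modifying either side. Exclusion rules are modelled as regular expressions on the Google email address, which is an assumption about representation, not GCDS's own format; all users and addresses are constructed.

```python
import re
from typing import Dict, List

PRIMARY_DOMAIN = "company.com"      # Primary Domain Name field (constructed)
REPLACE_DOMAINS = True              # "Replace domain names in LDAP email addresses" box
# Constructed exclusion rules: a break-glass admin and service accounts that exist only in Google
EXCLUSION_RULES = [r"^admin@company\.com$", r"^svc-.*@company\.com$"]

def google_address(ldap_mail: str, primary: str = PRIMARY_DOMAIN, replace: bool = REPLACE_DOMAINS) -> str:
    """Return the Google address GCDS would derive from an LDAP mail value."""
    local, _, domain = ldap_mail.lower().partition("@")
    return f"{local}@{primary}" if replace else f"{local}@{domain}"

def is_excluded(address: str, rules: List[str] = EXCLUSION_RULES) -> bool:
    """True when an exclusion rule protects this Google-side address from deletion."""
    return any(re.search(rule, address) for rule in rules)

def proposed_changes(google_users: Dict[str, str], ldap_users: Dict[str, str],
                     replace: bool = REPLACE_DOMAINS) -> Dict[str, List[str]]:
    """Diff Google against LDAP (both map email -> display name); nothing is modified."""
    desired = {google_address(mail, replace=replace): name for mail, name in ldap_users.items()}
    report: Dict[str, List[str]] = {"create": [], "update": [], "delete": []}
    for addr, name in sorted(desired.items()):
        if addr not in google_users:
            report["create"].append(addr)
        elif google_users[addr] != name:
            report["update"].append(addr)
    for addr in sorted(google_users):
        # Google-only users are deleted unless an exclusion rule preserves them
        if addr not in desired and not is_excluded(addr):
            report["delete"].append(addr)
    return report

# Constructed sample lists: Google side already uses company.com, LDAP side uses your-company.com
GOOGLE_USERS = {"you@company.com": "You Person", "sam@company.com": "Sam Lee",
                "old@company.com": "Left Company", "admin@company.com": "Break Glass",
                "svc-backup@company.com": "Backup Service"}
LDAP_USERS = {"you@your-company.com": "You Person", "sam@your-company.com": "Samantha Lee",
              "new@your-company.com": "New Hire"}
```

Running the diff with replace=False shows why the simulation matters: every LDAP user would then be created under your-company.com and every unprotected company.com user would be deleted.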

When you are confident that the configuration is correct, click Sync & apply changes to initiate the synchronization.
