Do you have a user that has certain attributes in the Google domain and different attributes in the LDAP server? And do you want to maintain those different attributes? How do you ensure that Google Cloud Directory Sync (GCDS) doesn't alter the attributes of the user during a synchronization?
The answer is that you need two exclusion rules: one for your LDAP data and one for your Google domain data.
Here’s a scenario where the user firstname.lastname@example.org exists on the LDAP server and the Google domain:
- Google domain—Fred is in the "Test Users" suborganization.
- LDAP server—Fred is in the "Finance" organizational unit.
- Search rule—There is a search rule that puts users from the "Finance" organizational unit in the "Finance" suborganization in the Google domain.
- Exclusion rule—There is a Google organization complete path exclusion rule for "/Test Users" of which Fred is a member.
When the sync runs, GCDS ignores the existence of Fred on the Google domain because of the "/Test Users" exclusion rule, but sees him in the LDAP results, so it tries to create him. Because Fred already exists in the Google domain, he's not re-created, but the other actions that depend on Fred being created successfully still occur. For example, Fred is placed in the "Finance" suborganization.
To avoid this scenario, you need to exclude the user from the LDAP server and the Google domain. You do this by adding an LDAP exclusion rule to work with the Google domain exclusion rule. In this example, you would add the LDAP exclusion rule by email address. For details, see Use exclusion rules with GCDS.
Best approach for multiple users
When using GCDS, it's easier to manage multiple users from the LDAP server side than with individual exclusion rules.
If you have a group of users that you want to put in a special organizational unit on your Google domain, regardless of their organizational unit in the LDAP server, the best approach is to:
- Mark these users in the LDAP server with a custom attribute or with group membership.
- Create a search rule that only matches these users. For example, use a rule that searches for the custom attribute or the group membership name ("memberOf=groupname").
- Map the search rule to the special organizational unit.
Note: You can give the search rule a higher priority so that if the users are matched by more than one search rule, they are sent to the special organizational unit.
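The following is an added toy model of the reconciliation described on this page, written for this article rather than taken from GCDS itself. It reproduces the Fred scenario with each combination of exclusion rules, and the "special organizational unit" approach with a higher-priority search rule. The rule names, the address fred@example.com, the group DN and the organizational unit paths are constructed for the example; the model treats a user seen on the domain but absent from the (non-excluded) LDAP results as scheduled for deletion, which is the default GCDS behaviour and the reason the Google-side rule alone is not enough either.

```python
"""Toy model of GCDS exclusion and search rule behaviour (constructed example, not GCDS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchRule:
    name: str           # label only
    attribute: str      # LDAP attribute to test, e.g. "ou" or "memberOf"
    value: str          # required value; for multi-valued attributes, membership is tested
    target_org: str     # Google organizational unit the matches are mapped to
    priority: int = 0   # higher wins when a user matches several rules


def rule_matches(entry: dict, rule: SearchRule) -> bool:
    attr = entry.get(rule.attribute)
    if isinstance(attr, (list, tuple, set)):
        return rule.value in attr
    return attr == rule.value


def is_excluded_org(org: str, excluded_paths) -> bool:
    # "Google organization complete path" exclusion: the path itself and everything below it.
    return any(org == p or org.startswith(p.rstrip("/") + "/") for p in excluded_paths)


def plan_sync(ldap_entries, google_users, search_rules,
              google_org_exclusions=(), ldap_email_exclusions=()):
    """Return (actions, final_orgs): the actions the sync would take and the resulting placement."""
    final = dict(google_users)
    actions = []
    # Google-side exclusion hides users from what the sync "sees" on the domain.
    visible = {m: o for m, o in google_users.items()
               if not is_excluded_org(o, google_org_exclusions)}
    excluded_mails = {m.lower() for m in ldap_email_exclusions}
    seen_in_ldap = set()
    for entry in ldap_entries:
        mail = entry["mail"]
        # LDAP-side exclusion removes the user from the LDAP results entirely.
        if mail.lower() in excluded_mails:
            continue
        seen_in_ldap.add(mail)
        matches = [r for r in search_rules if rule_matches(entry, r)]
        if not matches:
            continue
        target = max(matches, key=lambda r: r.priority).target_org
        if mail not in visible:
            # The sync believes the user is new: it tries to create the account and then
            # applies the post-create actions (placement). If the account already existed,
            # creation is a no-op but the placement still happens: the failure mode on this page.
            actions.append(("create", mail, target))
            final[mail] = target
        elif visible[mail] != target:
            actions.append(("move", mail, target))
            final[mail] = target
    # Users visible on the domain but missing from the LDAP results are removed
    # (deleted or suspended, depending on configuration).
    for mail in visible:
        if mail not in seen_in_ldap:
            actions.append(("delete", mail, None))
            final.pop(mail, None)
    return actions, final


def fred_scenario(google_exclusion: bool, ldap_exclusion: bool):
    """Fred exists in both directories; vary which exclusion rules are configured."""
    ldap = [{"mail": "fred@example.com", "ou": "Finance", "memberOf": []}]
    google = {"fred@example.com": "/Test Users"}
    rules = [SearchRule("finance", "ou", "Finance", "/Finance")]
    return plan_sync(
        ldap, google, rules,
        google_org_exclusions=["/Test Users"] if google_exclusion else [],
        ldap_email_exclusions=["fred@example.com"] if ldap_exclusion else [],
    )


def special_group_scenario():
    """Users marked by group membership go to a special OU regardless of their LDAP OU."""
    special_dn = "cn=special,ou=groups,dc=example,dc=com"
    ldap = [
        {"mail": "alice@example.com", "ou": "Finance", "memberOf": [special_dn]},
        {"mail": "bob@example.com", "ou": "Finance", "memberOf": []},
    ]
    rules = [
        SearchRule("finance", "ou", "Finance", "/Finance", priority=0),
        SearchRule("special", "memberOf", special_dn, "/Special", priority=10),
    ]
    return plan_sync(ldap, {}, rules)


if __name__ == "__main__":
    for g, l in [(True, False), (False, True), (True, True)]:
        print(f"google_excl={g} ldap_excl={l} ->", fred_scenario(g, l)[0])
    print(special_group_scenario()[1])
```

Running the four combinations of `fred_scenario` shows the point of the article directly: with only the Google exclusion, Fred is "created" and lands in /Finance; with only the LDAP exclusion, he is visible on the domain but absent from LDAP and is scheduled for removal; only with both rules does the sync leave him alone. `special_group_scenario` shows the priority override: Alice matches both rules but the higher-priority memberOf rule wins.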