Learn more about Configuration Manager options

The Google Cloud Directory Sync (GCDS) Configuration Manager walks you through the process of creating and testing a configuration file for synchronization. The information below gives you more detail on the fields in Configuration Manager that may be required when you Set up your sync with GCDS.

You open Configuration Manager from the Start menu.


LDAP connection settings

Specify your LDAP connection and authentication information on the LDAP Configuration page.

 
LDAP connection setting Description
Server type The type of LDAP server you are synchronizing. Make sure to select the correct type for your LDAP server. GCDS interacts with each type of server slightly differently.
Connection type Choose whether to use an encrypted connection.

If your LDAP server supports an SSL connection and you want to use it, choose LDAP + SSL. Otherwise, choose Standard LDAP. With Standard LDAP the authorized user's bind credentials and every attribute GCDS reads (including any password attribute you sync) cross the network unencrypted, so choose LDAP + SSL whenever the server supports it, and make sure the Port setting matches the SSL listener (usually 636 rather than 389).

Host name Enter the domain name or IP address of your LDAP directory server.

Examples: ad.example.com or 10.22.1.1.

Port Specify the host port. The default is 389.

Example: 389

Authentication type The authentication method for your LDAP server.

If your LDAP server allows anonymous connections and you want to connect anonymously, select Anonymous. Otherwise, select Simple.

Authorized user Enter the user who will connect to the server. This user should have read and execute permissions for the whole subtree. Use a dedicated service account that has only those rights: it doesn't need write access to the directory or any administrator role, and its credentials are stored in the GCDS configuration file.

If your LDAP directory server requires a domain for login, include the domain for the user as well.

Example: admin1

Password Enter the password for the authorized user. Passwords are stored in an encrypted format.

Example: swordfishX23

Base DN Enter the Base DN for the subtree to synchronize. Don't include spaces after the commas. If you don’t know the Base DN, consult your LDAP administrator or check an LDAP browser.

Example: ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com

Organizational unit mappings

Specify how organizational units on your LDAP server correspond to organizational units in your Google domain on the Org units page.

If you add mappings for top-level organizational units, GCDS automatically maps suborganizations on your LDAP directory server to Google organizational units with the same name. Add specific rules to override suborganization mappings.

Easiest way to map your LDAP organization unit: Create a mapping from your root LDAP organizational unit (usually, your Base DN) to "/" (the root organization in the Google domain). GCDS maps users to suborganizations on your Google domain using the same organizational unit structure in your LDAP server. Note that you still need to create search rules to ensure that GCDS creates the suborganizations in the Google domain.

If the Do not create or delete Google Organizations box isn’t checked, GCDS adds and deletes organizations in your Google domain to match your LDAP organization structure according to the mappings you specify. If the box is checked, Google organizations aren’t synced with your LDAP server, but users can still be added to existing Google organizations as specified in your user search rules.

To add a new mapping, click Add Mapping.

Mapping setting Description
(LDAP) Distinguished Name (DN) The DN on your LDAP directory server to map.

Example: ou=melbourne,dc=ad,dc=example,dc=com

(Google domain) Name The name of the org unit in your Google domain to map. To add users to the default organization in your Google domain, enter a single forward slash (/).

Example: Melbourne

Example: Mapping multiple locations

An LDAP directory server has an organizational hierarchy split between two office locations: Melbourne and Detroit. The org unit hierarchy in your Google domain should match it.

  • First Rule:
    • (LDAP) DN: ou=melbourne,dc=ad,dc=example,dc=com
    • (Google domain) Name: Melbourne
  • Second Rule:
    • (LDAP) DN: ou=detroit,dc=ad,dc=example,dc=com
    • (Google domain) Name: Detroit
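The way a user's Google org unit follows from the mappings (the "[derived]" option in the user search rules) is easier to see in code. The following is an added example, not GCDS's own code: it applies the two-location mappings above plus one override rule for a sub-OU, choosing the most specific mapped DN that contains the user and turning the OUs between that DN and the user into sub-org-unit names. It assumes, beyond what the page states, that only OU RDNs contribute path components, that matching is case-insensitive, and that DN values contain no escaped commas.

```python
# Added example, not GCDS code: derive a user's Google org unit from the
# Org units mappings ("Org Unit based on Org Units Mappings and DN").
# Assumptions not stated on the page: only OU RDNs become path components,
# matching is case-insensitive, and DN values contain no escaped commas.

from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.
    Attribute names are lowercased; values keep their case for naming."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _key(rdns: list[tuple[str, str]]) -> list[tuple[str, str]]:
    return [(a, v.lower()) for a, v in rdns]


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies anywhere in the subtree below it."""
    d, b = _key(parse_dn(dn)), _key(parse_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def derive_org_unit(user_dn: str, mappings: dict[str, str]) -> str | None:
    """Return the Google org unit path for user_dn, or None if no mapping
    covers it. The most specific (longest) mapped DN wins, which is what
    lets a specific rule override the mapping inherited from a parent OU;
    OUs between the mapped DN and the user become sub-org-unit names."""
    covering = [m for m in mappings if is_under(user_dn, m)]
    if not covering:
        return None
    mapped = max(covering, key=lambda m: len(parse_dn(m)))
    user = parse_dn(user_dn)
    # RDNs strictly between the user's own RDN and the mapped DN.
    between = user[1:len(user) - len(parse_dn(mapped))]
    sub_units = [value for attr, value in reversed(between) if attr == "ou"]
    root = [p for p in mappings[mapped].strip("/").split("/") if p]
    return "/" + "/".join(root + sub_units)


# Constructed mappings: the two-location example plus one override rule.
MAPPINGS = {
    "ou=melbourne,dc=ad,dc=example,dc=com": "Melbourne",
    "ou=detroit,dc=ad,dc=example,dc=com": "Detroit",
    "ou=sales,ou=melbourne,dc=ad,dc=example,dc=com": "Sales-AU",  # override
}

if __name__ == "__main__":
    for dn in (
        "cn=alice,ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com",
        "cn=bob,ou=eng,ou=detroit,dc=ad,dc=example,dc=com",
        "cn=carol,ou=melbourne,dc=ad,dc=example,dc=com",
        "cn=dave,ou=tokyo,dc=ad,dc=example,dc=com",
    ):
        print(f"{dn} -> {derive_org_unit(dn, MAPPINGS)}")
```

A user under ou=tokyo returns None here because no mapping covers that subtree; mapping your Base DN to "/" (the easiest approach described above) is what makes every user derivable, at the cost of GCDS mirroring every OU under it.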
Organizational unit search rules

Specify your LDAP organizational unit search rules on the Org units page.

LDAP org unit search rule setting Description
(Optional) Org Unit description attribute An LDAP attribute that contains the description of each organizational unit. If left blank, the organizational unit won't contain a description when created.

Example: description

Scope, Rule, Base DN For details on these fields, see Use LDAP queries to collect data for a sync.

User attribute settings

Specify what attributes GCDS uses when generating the LDAP user list on the User accounts page.

 
LDAP user attribute setting Description
Email address attribute The LDAP attribute that contains a user’s primary email address. The default is mail.

Example: mail

(Optional) Unique identifier attribute An LDAP attribute that contains a unique identifier for every user entity on your LDAP server. Providing this value enables GCDS to detect when users are renamed on your LDAP server and sync those changes to your Google domain. This field is optional, but recommended.

Example: objectGUID

(Optional) Alias address attributes One or more attributes used to hold alias addresses. These addresses will be added to your Google domain as nicknames of the primary address listed in the email address attribute field. Enter the attribute name and click Add.

Example: proxyAddresses

If this field is empty, any alias associated with the G Suite user profile isn't removed following a GCDS sync. The alias can still be managed in G Suite.

Google domain users deletion/suspension policy Options for deleting and suspending users. Select one of the following options:
  • Delete only active Google Domain users not found in LDAP (suspended users are retained): Active users in your Google domain will be deleted if they aren't in your LDAP server. Suspended users are not altered. This is the default setting.
  • Delete active and suspended users not found in LDAP: All users in your Google domain will be deleted if they aren't in your LDAP server, including suspended users.
  • Suspend Google users not found in LDAP, instead of deleting them: Active users in your Google domain will be suspended if they are not in your LDAP server. Suspended users are not altered.

"Not found in LDAP" means not returned by your user search rules, so a Base DN typo or a search rule that matches fewer users than intended turns this policy into a mass deletion. Run a simulated sync and review the proposed deletions and suspensions before you change the policy or the search rules.
Don’t suspend or delete Google admins not found in LDAP If this is checked, GCDS is prevented from suspending or deleting administrator accounts found in your Google domain that don’t exist in the LDAP server.
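To see what each policy does to a concrete set of accounts before trusting it with a real sync, the following added example (not GCDS code) plans the deprovisioning actions for a constructed set of Google users against the list of email addresses returned from LDAP, with and without the admin protection box. The blast-radius check is this example's own safeguard, not a GCDS setting.

```python
# Added example, not GCDS code: a dry run of the "Google domain users
# deletion/suspension policy" over a constructed set of accounts. The
# blast-radius check is this example's own safeguard, not a GCDS setting.

from __future__ import annotations
from dataclasses import dataclass

DELETE_ACTIVE_ONLY = "delete_active_only"                # the default
DELETE_ACTIVE_AND_SUSPENDED = "delete_active_and_suspended"
SUSPEND_INSTEAD_OF_DELETE = "suspend_instead_of_delete"


@dataclass(frozen=True)
class GoogleUser:
    email: str
    suspended: bool = False
    admin: bool = False


def plan_deprovisioning(google_users, ldap_emails, policy, protect_admins=True):
    """Return {email: action} for every Google user that is NOT in LDAP.
    Actions are "delete", "suspend" or "keep". Users present in LDAP are
    not part of this decision at all."""
    present = {e.lower() for e in ldap_emails}
    plan = {}
    for u in google_users:
        if u.email.lower() in present:
            continue
        if protect_admins and u.admin:
            action = "keep"     # "Don't suspend or delete Google admins not found in LDAP"
        elif policy == DELETE_ACTIVE_ONLY:
            action = "keep" if u.suspended else "delete"
        elif policy == DELETE_ACTIVE_AND_SUSPENDED:
            action = "delete"
        elif policy == SUSPEND_INSTEAD_OF_DELETE:
            action = "keep" if u.suspended else "suspend"
        else:
            raise ValueError(f"unknown policy {policy!r}")
        plan[u.email] = action
    return plan


def exceeds_blast_radius(plan, total_users, max_fraction=0.1):
    """True if the plan would delete or suspend more than max_fraction of
    all Google users. A Base DN typo or an LDAP outage that makes the user
    search return nothing looks exactly like 'everyone left the company'."""
    touched = sum(1 for a in plan.values() if a != "keep")
    return total_users > 0 and touched / total_users > max_fraction


# Constructed sample: four Google users, only alice still exists in LDAP.
GOOGLE_USERS = [
    GoogleUser("alice@example.com"),
    GoogleUser("bob@example.com", suspended=True),
    GoogleUser("carol@example.com", admin=True),
    GoogleUser("dave@example.com"),
]
LDAP_EMAILS = ["Alice@example.com"]

if __name__ == "__main__":
    for policy in (DELETE_ACTIVE_ONLY, DELETE_ACTIVE_AND_SUSPENDED, SUSPEND_INSTEAD_OF_DELETE):
        plan = plan_deprovisioning(GOOGLE_USERS, LDAP_EMAILS, policy)
        flag = "  <-- over limit, review before running" if exceeds_blast_radius(plan, len(GOOGLE_USERS)) else ""
        print(policy, plan, flag)
```

Note that the admin protection setting overrides all three policies; with it unchecked, the "delete active and suspended" policy removes the admin account too.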
Additional user attributes

Additional user attributes are optional LDAP attributes that you can use to import additional information about your Google users, including passwords. Enter your additional user attributes on the User accounts page.

 
LDAP additional user attribute setting Description
Given name attribute(s) An LDAP attribute that contains each user’s given name (in the English language, this is usually the first name) which is synchronized with the user’s name in your Google domain.

You can also use multiple attributes for the given name. If you use multiple attributes, place each attribute field name in square brackets.

Examples: givenName or [cn]-[ou]

Family name attribute(s) An LDAP attribute that contains each user’s family name (in the English language, this is usually the last name) which is synchronized with the user’s name in your Google domain.

Examples: surname or [cn]-[ou]

Synchronize passwords Indicates which passwords GCDS synchronizes. Select one of the following:
  • Only for new users: When GCDS creates a new user, it synchronizes that user’s password. Existing passwords are not synced. Use this option if you want your users to manage their passwords in your Google domain. Note: If you are using a temporary or one-time password for new users, use this option.
  • For new and existing users: GCDS always synchronizes all user passwords. Existing passwords in your Google domain are overwritten. This option is appropriate for managing user passwords on your LDAP server, but it is less efficient than the Only changed passwords option.
  • Only changed passwords: GCDS only synchronizes passwords that have changed since your previous sync. This option is recommended if you want to manage user passwords on your LDAP server. Note: If you use this option, you must also provide a value for the Password timestamp attribute.
Password attribute An LDAP attribute that contains each user’s password. If you set this attribute, your users’ Google passwords will be synchronized to match their LDAP passwords. This field supports string or binary attributes.

Example: CustomPassword1

Password timestamp attribute An LDAP attribute that contains a timestamp indicating the last time a user’s password was changed. Your LDAP server updates this attribute whenever a user changes their password. Use this field only if you select the Only changed passwords option for the Synchronize Passwords field. This field supports string attributes.

Example: PasswordChangedTime

Password encryption method The format in which the password attribute stores each user’s password. Select one of the following:
  • SHA1: Passwords in your LDAP directory server are stored as SHA-1 hashes.
  • MD5: Passwords in your LDAP directory server are stored as MD5 hashes.
  • Base64: Passwords in your LDAP directory server are stored Base64-encoded. Base64 is an encoding, not encryption; anyone who can read the attribute can recover the password.
  • Plaintext: Passwords in your LDAP directory server are stored unencrypted. GCDS reads the password attribute as plain text, immediately hashes it with SHA-1, and synchronizes the hash with your Google domain.

Note: GCDS never saves, logs, or transmits passwords unencrypted. If passwords in your LDAP directory are Base64-encoded or plaintext, GCDS hashes them with SHA-1 before synchronizing them with your Google domain. Simulate sync and full sync logs show the password as a SHA1 password. That hashing happens inside GCDS after the attribute has been read, so if your directory stores Base64 or plaintext passwords, use LDAP + SSL for the connection; over Standard LDAP the readable password still crosses the network between the directory server and the GCDS host.

Use this field only if you also specify a Password attribute. If you leave the Password attribute field blank, the setting resets to the default of SHA1 when you save and reload the configuration. Note that some password encoding formats aren't supported: anything other than the four options above, such as salted or crypt-style hashes, can't be synced. Check your LDAP directory server with a directory browser to find or change the format in which passwords are stored.

By default, Active Directory® and IBM Domino® directory servers don't store passwords in any of these formats. Consider setting a default password for new users and requiring users to change passwords on first login.

Force new users to change password If checked, new users must change passwords the first time they log in to your Google domain. This allows you to set an initial password, either from an LDAP attribute or by specifying a default password for new users, that must be changed the first time the user logs on to their Google account.

Use this option if you are using temporary or one-time passwords.

Default password for new users Enter a text string that will serve as the default password for all new users. If the user does not have a password in the password attribute, GCDS will use the default password.

Important: The default password is shared by every new user created in a sync, so anyone who learns it can sign in to any new account that hasn't changed it yet. If you enter a default password here, be sure to check the Force new users to change password box so that users will not keep their default password.

Example: swordfishX2!

Generated password length The length, in characters, of randomly generated passwords. A password is randomly generated for a user if their password is not found on your LDAP server and you haven't specified a default password.
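Before choosing the Password encryption method setting above, it pays to look at what the password attribute actually holds across your users, and to understand what GCDS sends on for the Base64 and Plaintext cases. The following is an added example, not GCDS code: it classifies sample values into the four options (or flags formats none of them cover), counts them across a constructed LDIF export, and mirrors the page's description of Base64 and plaintext values being hashed with SHA-1 before sync. The hex digest form and the classification heuristics are this example's own assumptions; a password that happens to be valid Base64 can be misread, so confirm the format in a directory browser as the page advises.

```python
# Added example, not GCDS code: inspect the values an LDAP password attribute
# holds before choosing the "Password encryption method", and show what the
# page says GCDS does with Base64/plaintext values (SHA-1 before sync; the
# hex digest form is this example's assumption). Classification is heuristic.

from __future__ import annotations
import base64
import binascii
import hashlib
import re
from collections import Counter

HEX = re.compile(r"^[0-9a-fA-F]+$")
# Salted and crypt-style schemes are not among the GCDS options.
UNSUPPORTED_PREFIXES = ("{SSHA}", "{CRYPT}", "{SMD5}", "{MD5-CRYPT}", "{SHA256}", "{SSHA256}")


def classify(value: str) -> str:
    """Map one attribute value to SHA1, MD5, Base64, Plaintext or UNSUPPORTED."""
    v = value.strip()
    if v.upper().startswith(tuple(p.upper() for p in UNSUPPORTED_PREFIXES)):
        return "UNSUPPORTED"
    if v.startswith("{SHA}") or (HEX.match(v) and len(v) == 40):
        return "SHA1"
    if v.startswith("{MD5}") or (HEX.match(v) and len(v) == 32):
        return "MD5"
    try:
        raw = base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        return "Plaintext"
    # Treat it as Base64 only if what it decodes to looks like a typed password.
    if raw and all(32 <= b < 127 for b in raw):
        return "Base64"
    return "Plaintext"


def normalize_for_sync(value: str, method: str) -> str:
    """What leaves GCDS for the Google domain, per the page: SHA1 and MD5
    hashes pass through, Base64 and plaintext are hashed with SHA-1 first."""
    if method in ("SHA1", "MD5"):
        return value.strip()
    if method == "Base64":
        clear = base64.b64decode(value.strip(), validate=True)
    elif method == "Plaintext":
        clear = value.encode("utf-8")
    else:
        raise ValueError(f"{method!r} is not a GCDS password encryption method")
    return hashlib.sha1(clear).hexdigest()  # hex form is this example's choice


def audit_ldif(ldif: str, attr: str) -> Counter:
    """Count how the values of attr are stored across an LDIF export.
    'attr:: value' is LDIF's own base64 transport encoding and is decoded first."""
    line_re = re.compile(rf"^{re.escape(attr)}(::?) (.*)$", re.IGNORECASE)
    counts: Counter = Counter()
    for line in ldif.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        counts[classify(value)] += 1
    return counts


# Constructed LDIF export; none of these are real credentials.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=com
customPassword1: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

dn: cn=bob,ou=users,dc=example,dc=com
customPassword1: 5f4dcc3b5aa765d61d8327deb882cf99

dn: cn=carol,ou=users,dc=example,dc=com
customPassword1: UGE1NXdvcmQh

dn: cn=dave,ou=users,dc=example,dc=com
customPassword1:: cGFzc3dvcmQ=

dn: cn=erin,ou=users,dc=example,dc=com
customPassword1: {SSHA}8VY3zEJQ3SgqrJIDnU0ftKKoFJo2cOOxWdCOqw==
"""

if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF, "customPassword1"))
    print(normalize_for_sync("password", "Plaintext"))
```

A mixed result like the one the sample produces means the attribute can't be synced with a single setting; the page's advice to standardize the storage format in the directory first applies. Whatever the outcome, a directory that stores Base64 or plaintext passwords has already disclosed them to every account that can read the attribute, which the sync setting does nothing to fix.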
User search rules

Add a User search rule on the Search rule tab of the User Accounts page. For detailed information about search rules, see Use LDAP queries to collect data for a sync.

 
LDAP user search rule fields Description
Place users in the following Google domain Org Unit

Specify which Google organizational unit should contain users that match this rule. If the organizational unit specified doesn't exist, GCDS adds the users to the root level organizational unit in your Google domain.

This option only shows if you have Synchronization of Google Organizations set to "Sync LDAP Org Units" or "Do not create or delete Google Organizations, but move users between existing Organizations" on the Org Units page.

Options include:

  • Org Unit based on Org Units Mappings and DN. This option only shows if you have Synchronization of Google Organizations set to "Sync LDAP Org Units" in General Settings. Add users to the unit that maps to the user’s DN on your LDAP server. This is based on your Org Mappings. This will show in the LDAP User Sync list as [derived].
  • Org Unit Name. Add all users that match this rule to the same Google organizational unit. Specify the organizational unit in the text field.

    Example: Users

  • Org Unit name defined by this LDAP attribute. Add each user to the organizational unit with the name specified in an attribute on your LDAP directory server. Enter the attribute in the text field.

    Example: extensionAttribute11

Suspend these users in Google domain

Suspend all users that match this LDAP user sync rule.

Note: GCDS suspends or deletes users that already exist in your Google domain based on the GCDS User Account Deletion/Suspending policy setting.

This feature is commonly used to stage user accounts in the domain. The new users are created in a suspended state. If you are importing active users with this rule, leave this unchecked.

Scope, Rule, Base DN For details on these fields, see Use LDAP queries to collect data for a sync.

Group search rules

To synchronize one or more mailing lists as Google Groups, click Add Search Rule on the Groups page and specify the fields in the dialog box.

 
LDAP group search rule setting Description
Scope, Rule, Base DN For details on these fields, see Use LDAP queries to collect data for a sync.
Group email address attribute An LDAP attribute that contains the email address of the group. This will become the group email address in your Google domain.

Example: mail

Group display name attribute An LDAP attribute that contains the display name of the group. This will be used in the display to describe the group, and does not need to be a valid email address.
(Optional) Group description attribute An LDAP attribute that contains the full-text description of the group. This will become the group description in your Google domain.

Example: extendedAttribute6

User email address attribute An LDAP attribute that contains users’ email addresses. This is used to retrieve the email addresses of group members and owners given their DN.

Example: mail

Dynamic (Query-based) group? If checked, all mailing lists matching this search rule are treated as dynamic (query-based) groups, and the value of the Member Reference Attribute is treated as the query that specifies the membership of the group.

Check this box if your search rule is for Exchange dynamic distribution groups.

Note: If you manually enable DYNAMIC_GROUPS in your XML config file but leave out INDEPENDENT_GROUP_SYNC, make sure your dynamic group search rule is the first group search rule. See Troubleshoot common GCDS issues for details.

Member reference attribute (Either this field or Member literal attribute is required.) If Dynamic (Query-based) group isn't checked, this field should reference an LDAP attribute that contains the DN of mailing list members in your LDAP directory server.

GCDS looks up the email addresses of these members and adds each member to the group in your Google domain.

If Dynamic (Query-based) group is checked, this should reference an LDAP attribute that contains the filter that GCDS uses to determine group membership.

Example (non-dynamic): memberUID

Example (dynamic): msExchDynamicDLFilter

Member literal attribute (Either this field or Member reference attribute is required.) An attribute that contains the full email address of mailing list members in your LDAP directory server. GCDS adds each member to the group in your Google domain.

Example: memberaddress

Dynamic group Base DN attribute If Dynamic (Query-based) group is checked, this field needs to contain an LDAP attribute that has the base DN from which the query specified in Member Reference Attribute is applied.

Dynamic groups in Exchange and GCDS work by noting membership as a LDAP query. The Member reference attribute contains the LDAP query and Dynamic group Base DN attribute points to the base DN where the query will be executed.

Example:

dn: CN=MyDynamicGroup,OU=Groups,DC=altostrat,DC=com
mail: mydynamicgroup@altostrat.com
member:
msExchDynamicDLFilter: (|(CN=bob.smith,OU=Users,DC=altostrat,DC=com)(CN=jane.doe,OU=Users,DC=altostrat,DC=com))
msExchDynamicDLBaseDN: OU=Users,DC=altostrat,DC=com

Note that the attribute usually used to list group members ("member") is blank, and instead there's an LDAP query that will find bob.smith and jane.doe, looking in the "Users" organizational unit.

(Optional) Owner reference attribute An attribute that contains the DN of each group’s owner.

GCDS looks up the email addresses of each mailing list’s owner and adds that address as the group owner in your Google domain.

Example: ownerUID

(Optional) Owner literal attribute An attribute that contains the full email address of each group’s owner.

GCDS adds that address as the group owner in the Google domain.

Example: owner
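The dynamic-group mechanics described above (a filter in the member reference attribute, evaluated under the base DN in the dynamic group Base DN attribute) can be exercised offline. The following is an added example, not GCDS or Exchange code: a small parser for the LDAP filter subset such groups use (&, |, !, equality, presence and trailing-wildcard substrings), an evaluator that scopes the search to the base DN, and a constructed directory. It writes the page's example filter with distinguishedName= on the left, because in Active Directory that is the attribute a filter can match a whole DN against; the filter values are assumed to contain no parentheses or backslash escapes.

```python
# Added example, not GCDS or Exchange code: resolve a dynamic (query-based)
# group by running the filter in the member reference attribute against the
# entries under the base DN in the dynamic group Base DN attribute. The
# directory is constructed. Parser covers the RFC 4515 subset: &, |, !,
# equality, presence (attr=*), trailing-wildcard substrings; values are
# assumed free of parentheses and backslash escapes.

from __future__ import annotations


def parse_filter(text: str):
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("unexpected trailing characters in filter")
    return node


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s: str, i: int):
    i = _skip_ws(s, i)
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        i = _skip_ws(s, i)
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
            i = _skip_ws(s, i)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        i = _skip_ws(s, i)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", kid), i + 1
    j = s.index(")", i)
    attr, eq, value = s[i:j].partition("=")
    if not eq:
        raise ValueError(f"no '=' in item {s[i:j]!r}")
    return ("=", attr.strip().lower(), value.strip()), j + 1


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, want = node
    have = [v.lower() for v in entry.get(attr, [])]  # AD matching is case-insensitive
    if want == "*":
        return bool(have)
    want = want.lower()
    if want.endswith("*"):
        return any(v.startswith(want[:-1]) for v in have)
    return want in have


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def entry(dn: str, **attrs) -> dict:
    """Entry with lowercase attribute names and list values; the DN is also
    exposed as distinguishedName, the AD attribute a filter can match on."""
    e = {"dn": dn, "distinguishedname": [dn]}
    for k, v in attrs.items():
        e[k.lower()] = list(v) if isinstance(v, (list, tuple)) else [v]
    return e


def resolve_dynamic_group(group: dict, directory: list[dict],
                          member_ref_attr: str = "msexchdynamicdlfilter",
                          base_dn_attr: str = "msexchdynamicdlbasedn",
                          user_mail_attr: str = "mail") -> list[str]:
    """Member email addresses GCDS would add for one dynamic group."""
    flt = parse_filter(group[member_ref_attr][0])
    base = group[base_dn_attr][0]
    return sorted(
        mail
        for e in directory
        if in_subtree(e["dn"], base) and matches(flt, e)
        for mail in e.get(user_mail_attr, [])
    )


DIRECTORY = [
    entry("CN=bob.smith,OU=Users,DC=altostrat,DC=com", mail="bob.smith@altostrat.com", department="Engineering"),
    entry("CN=jane.doe,OU=Users,DC=altostrat,DC=com", mail="jane.doe@altostrat.com", department="Sales"),
    # Matches the Sales filter but sits outside the base DN, so it is excluded.
    entry("CN=eve.adams,OU=Contractors,DC=altostrat,DC=com", mail="eve.adams@altostrat.com", department="Sales"),
]

GROUPS = [
    entry("CN=MyDynamicGroup,OU=Groups,DC=altostrat,DC=com",
          mail="mydynamicgroup@altostrat.com",
          msExchDynamicDLFilter="(|(distinguishedName=CN=bob.smith,OU=Users,DC=altostrat,DC=com)"
                                "(distinguishedName=CN=jane.doe,OU=Users,DC=altostrat,DC=com))",
          msExchDynamicDLBaseDN="OU=Users,DC=altostrat,DC=com"),
    entry("CN=SalesStaff,OU=Groups,DC=altostrat,DC=com",
          mail="sales-staff@altostrat.com",
          msExchDynamicDLFilter="(&(department=Sales)(mail=*))",
          msExchDynamicDLBaseDN="OU=Users,DC=altostrat,DC=com"),
]

if __name__ == "__main__":
    for g in GROUPS:
        print(g["mail"][0], "->", resolve_dynamic_group(g, DIRECTORY))
```

The second group shows why the base DN attribute matters for access control: eve.adams matches the filter but is outside OU=Users, so she does not land in the Google group. Whoever can edit the filter or base DN attributes on the group object can change who receives that group's mail, so treat write access to those attributes like membership administration.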

Group search rules (prefix-suffix)

You may need GCDS to add a prefix or suffix to the value your LDAP server provides for a mailing list’s email address or its members’ email addresses. Specify any prefixes or suffixes on the Prefix-Suffix tab of the Groups page.

LDAP Group rule setting Description
Group email address—prefix Text to add at the beginning of a mailing list’s email address when creating the corresponding group email address.

Example: groups-

Group email address—suffix Text to add at the end of a mailing list’s email address when creating the corresponding group email address.

Example: -list

Invalid characters replacement If a mailing list name in your LDAP server contains any spaces or other invalid characters, they will be replaced with this character string. If you leave this blank, GCDS removes spaces and concatenates group names. Learn more about invalid characters. 

Example: _ (underscore)

Member name—prefix Text to add at the beginning of each mailing list member’s email address when creating the corresponding group member email address.
Member name—suffix Text to add at the end of each mailing list member’s email address when creating the corresponding group member email address.
Owner name—prefix Text to add at the beginning of each mailing list owner’s email address when creating the corresponding group owner email address.
Owner name—suffix Text to add at the end of each mailing list owner’s email address when creating the corresponding group owner email address.
User profile attributes

Specify what attributes GCDS will use when generating the LDAP user profiles on the User Profiles page.

LDAP additional user attribute setting Description
Primary email LDAP attribute that contains a user’s primary mail address. This is usually the same as the primary mail address listed in the LDAP Users section.
Job title LDAP attribute that contains the user’s job title at their primary work organization.
Company name LDAP attribute that contains the company name of the user’s primary work organization.
Assistant’s DN LDAP attribute that contains the LDAP Distinguished Name (DN) of the user’s assistant.
Manager’s DN LDAP attribute that contains the LDAP DN of the user’s direct manager.
Department LDAP attribute that contains the user’s department at their primary work organization.
Office location LDAP attribute that contains the user’s office location at their primary work organization.
Building ID

LDAP attribute that contains the ID of the building where the user works. This can also be set to "Working remotely" if the user doesn't have a primary office building.

Admins can also let users set their own locations by going to the Admin console, navigating to Apps > G Suite > Directory > Profile editing and checking the Work location box. 

Floor Name LDAP attribute that contains the specific floor the user works on.
Employee ids LDAP attribute that contains a user’s Employee ID number.
Work phone numbers LDAP attribute that contains a user’s work phone number.
Home phone numbers LDAP attribute that contains a user’s home phone number.
Fax phone numbers LDAP attribute that contains a user’s fax number.
Mobile phone numbers LDAP attribute that contains a user’s personal mobile phone number.
Work mobile phone numbers LDAP attribute that contains a user’s work mobile phone number.
Assistant’s Number LDAP attribute that contains a work phone number for a user’s assistant.
Street Address LDAP attribute that contains the street address portion of a user’s primary work address.
P.O. Box LDAP attribute that contains the P.O. Box of a user’s primary work address.
City LDAP attribute that contains the city of a user’s primary work address.
State/Province LDAP attribute that contains the state or province of a user’s primary work address.
ZIP/Postal Code LDAP attribute that contains the ZIP code or postal code of a user’s primary work address.
Country/Region LDAP attribute that contains the country or region of a user’s primary work address.
Shared contact attributes

Specify what attributes GCDS will use when generating the LDAP shared contacts on the Shared Contacts page.

 
LDAP Shared Contact attribute Description
Sync key An LDAP attribute that contains a unique identifier for the contact. Choose an attribute present for all your contacts that isn't likely to change, and which is unique for each contact. This field becomes the ID of the contact.

Examples: dn or contactReferenceNumber

Full name The LDAP attribute or attributes that contain the contact’s full name.

Example: [prefix] - [givenName] [sn] [suffix]

Job title LDAP attribute that contains a contact’s job title. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above.
Company name LDAP attribute that contains a contact’s company name.
Assistant’s DN LDAP attribute that contains the LDAP Distinguished Name (DN) of the contact’s assistant.
Manager’s DN LDAP attribute that contains the LDAP DN of the contact’s direct manager.
Department LDAP attribute that contains a contact’s department. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above.
Office location LDAP attribute that contains a contact’s office location. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above.
Work email address LDAP attribute that contains a contact’s email address.
Employee ids LDAP attribute that contains a contact’s employee ID number.
Work phone numbers LDAP attribute that contains a contact’s work phone number.
Home phone numbers LDAP attribute that contains a contact’s home phone number.
Fax numbers LDAP attribute that contains a contact’s fax number.
Mobile phone numbers LDAP attribute that contains a contact’s personal mobile phone number.
Work mobile phone numbers LDAP attribute that contains a contact’s work mobile phone number.
Assistant’s Number LDAP attribute that contains a work phone number for a contact’s assistant.
Street Address LDAP attribute that contains the street address portion of a contact’s primary work address.
P.O. Box LDAP attribute that contains the P.O. Box of a contact’s primary work address.
City LDAP attribute that contains the city of a contact’s primary work address.
State/Province LDAP attribute that contains the state or province of a contact’s primary work address.
ZIP/Postal Code LDAP attribute that contains the ZIP code or postal code of a contact’s primary work address.
Country/Region LDAP attribute that contains the country or region of a contact’s primary work address.
Calendar resource attributes

Specify the attributes you want GCDS to use when generating the LDAP calendar resources list on the Calendar Resources page.

 
LDAP Calendar attribute setting Description
Resource Id The LDAP attribute that contains the ID of the calendar resource. This is a field managed on your LDAP system, which may be a custom attribute. This field must be unique.

Important: Calendar Resources won't sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:).

For more information on calendar resource naming, see Resource naming recommendations.

(Optional) Display Name The LDAP attribute or attributes that contain the display name for the calendar resource.

Example: [city]-[building]-[floor]-Boardroom-[roomnumber]

(Optional) Description The LDAP attribute that contains a description of the calendar resource.

Example: [description]

(Optional) Resource Type The LDAP attribute or attributes that contain the calendar resource type.

Important: Calendar Resources does not sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:).

(Optional) Mail The LDAP attribute that contains the calendar resource email address. This attribute is only for use with the Export Calendar resource mapping CSV export option. GCDS doesn't set the email address of Google Calendar resources.
(Optional) Export Calendar resource mapping Generates a CSV file listing LDAP calendar resources and their Google equivalents. Use a CSV file with G Suite Migration for Microsoft Exchange to migrate the contents of your Microsoft Exchange calendar resources to the appropriate Google calendar resources.
Notification attributes

Specify the settings for notifications on the Notifications page.

 
LDAP notifications setting Description
SMTP Relay Host The SMTP mail server to use for notifications. GCDS uses this mail server as a relay host.

Example: 127.0.0.1

Example: smtp.gmail.com

Use SMTP with TLS Check this box to use SMTP with TLS.
User Name  If the SMTP server you specify requires SMTP authentication, enter the user name to use here.

Example: admin@solarmora.com

Password  If the SMTP server you specify requires SMTP authentication, enter the password here. Passwords are stored in the configuration file in an encrypted format.

Example: swordfishX2!

From address Enter the From address for the notification mail. Recipients will see this address as the notification sender. 

Example: admin@solarmora.com

To addresses (recipients) Notifications will be sent to all addresses on this list. Enter any valid email address on any domain. Enter each recipient email address individually, then click the Add button.

Depending on your mail server settings, GCDS may be unable to send mail to external email addresses. Run a test notification to confirm that mail is sent properly.

Example: dirsync-admins@example.com

(Optional) Do not include in notifications You can limit the information sent in notifications. The options are: 
  • Extra details: GCDS notifications won't include extra details. If this option is unchecked, notification emails can contain potentially extraneous information. For example, it will contain a list of excluded objects, which could be extensive, depending on your set up and domain. 
  • Warnings: GCDS notifications won't include warning messages.
  • Errors: GCDS notifications won't include error messages.

Note: To send notifications through Google's SMTP server (smtp.gmail.com) with a user name and password, the authenticating Google account must allow less secure apps. That setting weakens the protection of the account it is enabled on, so don't enable it on an administrator account: use a dedicated account that exists only to send notifications, or relay through an internal SMTP host instead.

Logging settings

Specify the settings for logging on the Logging page.

 
Logging setting Description
File name Enter the directory and file name to use for the log file or click Browse to browse your file system.

Example: sync.log

Log level The level of detail of the log. Select from the following options:
  • FATAL: Only logs fatal operations.
  • ERROR: Logs errors and fatal operations.
  • WARN: Logs warnings, errors and fatal operations.
  • INFO: Logs summary information.
  • DEBUG: Logs more extensive details.
  • TRACE: Logs all possible details.

The level of detail is cumulative; each level includes all the details of previous levels (for example, ERROR includes all ERROR and FATAL messages). Treat the log file as sensitive: it records which accounts GCDS created, suspended and deleted, and the DEBUG and TRACE levels record far more of what GCDS read from your directory, so use them only while diagnosing a problem and restrict who can read the file.

Maximum log size The maximum size of the log file, in gigabytes. When this file reaches half capacity, it is saved as a backup file (which overwrites any existing backup file) and a new file is created. At any time, the total size of these two files (the log file and the backup log file) won't exceed the total maximum size.

Example: 4
