With Google Cloud Search, you can map user identities from third-party repositories using an identity source. You can store user identities in an LDAP server, such as Microsoft Active Directory. To synchronize Active Directory groups with your identity source, you can use Google Cloud Directory Sync (GCDS).
If the users you sync are selected by specific search and exclusion rules, you can also apply a custom schema to that set of users, selecting them by, for example, the sector they work in or their job type.
- Before you begin
- Step 1: Turn on identity mapped groups
- Step 2: Add groups to sync
- Step 3: Sync user identities to Cloud Search
- Step 4: Schedule your sync
- Step 5: Select encoding scheme for binary attributes (Optional)
Before you begin
- To synchronize data from Active Directory, go to About Google Cloud Directory Sync.
- To create a service account and its credentials, go to Create access credentials.
- To create an identity source in the Google Admin console, copy the identity source ID. For details, go to Map user identities in Cloud Search.
- Review how to use search rules, exclusion rules, and custom schemas.
Step 1: Turn on identity mapped groups
- If you're using Linux, from the installation directory, enter the following command:
  $ ./config-manager --enable-img
- If you're using Windows, enter the following command:
  > config-manager.exe --enable-img
- Open Configuration Manager.
- On the side, click General Settings.
- Check the Identity Mapped Groups box.
Step 2: Add groups to sync
- Open Configuration Manager.
- On the side, click Identity Mapped Groups.
- On the Search Rules tab, enter the:
  - Identity source ID (include the "identitysources/" part of the string)
  - Service account file path
- Click Add Search Rule and enter the following information:
  - Scope
  - Rule
  - Group attributes
- Click OK.
- (Optional) To test your search rule after you add it, click Test LDAP Query.
- (Optional) To add more search rules, follow the steps in Add an LDAP search rule. For details, go to Use LDAP search rules to synchronize data.
- (Optional) To exclude groups, click the Exclusion Rules tab and add a new exclusion rule. For details, go to Omit data with exclusion rules & queries.
Step 3: Sync user identities to Cloud Search
- Open Configuration Manager.
- On the side, click Custom schemas.
- Click Add schema and select an option:
  - Define custom search rules
  - User rules defined in "User Accounts"
  For more details, go to Sync custom user fields using a custom schema.
- For Schema name, enter the identity source ID. Do not include "identitysources" in the ID.
- For LDAP field name, enter the LDAP field that contains your external user identifier. This is the identifier used in Cloud Search user principals, which have the form:
  identitysources/source-id/users/user-identifier
- For Google field name, enter the identity source ID appended with _identifier. For example, if the identity source ID is 02b392ce3a23, enter 02b392ce3a23_identifier.
- For Google field type, select String and ensure that the field has only one value.
- Click OK.
For more information, go to Create an identity source.
Step 4: Schedule your sync
- Open Configuration Manager.
- On the side, click Sync.
You can simulate a sync or save your settings. Learn how to automate your synchronization process.
Step 5: Select encoding scheme for binary attributes (Optional)
If you use a binary attribute (such as objectSid or objectGUID) as the group name or user email attribute, it's converted to a string using an encoding scheme. The supported encoding schemes are:
- Base 16 (Hexadecimal)
- Base 32
- Base 32 Hex
- Base 64
- Base 64 URL
If you want to change the encoding scheme, manually update the configuration file:
- Open the configuration file and, under the <identityMappedGroupBasicConfig> tag, find <binaryAttributesEncoding>.
- If <binaryAttributesEncoding> isn't there, you're using the legacy base 64 encoding scheme. Under <identityMappedGroupBasicConfig>, add <binaryAttributesEncoding>.
- Update <binaryAttributesEncoding> with one of the following options:
  - BASE16
  - BASE32_NOPADDING
  - BASE32_HEX_NOPADDING
  - BASE64_URL_NOPADDING
Example:
<identityMappedGroupBasicConfig>
  <identitySourceId>identitysources/...</identitySourceId>
  <serviceAccountFilePath>....</serviceAccountFilePath>
  <binaryAttributesEncoding>BASE16</binaryAttributesEncoding>
</identityMappedGroupBasicConfig>
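As an added illustration (not GCDS code and not from this article), the following Python shows what string a binary attribute value becomes under each <binaryAttributesEncoding> option, reads the option from a config fragment shaped like the one above (falling back to the legacy scheme when the tag is absent), and lists the user principals that change when the scheme is switched. It assumes BASE16 is uppercase and that the legacy scheme is padded standard base 64; the sample GUID bytes, identity source ID and file path are constructed placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
# Constructed sample: 16 raw bytes standing in for an Active Directory objectGUID.
SAMPLE_OBJECT_GUID = bytes.fromhex("fedcba9876543210fedcba9876543210")
# Constructed config fragment in the shape shown above (ID and path are placeholders).
SAMPLE_CONFIG = """<identityMappedGroupBasicConfig>
  <identitySourceId>identitysources/EXAMPLE_SOURCE_ID</identitySourceId>
  <serviceAccountFilePath>/placeholder/service-account.json</serviceAccountFilePath>
  <binaryAttributesEncoding>BASE16</binaryAttributesEncoding>
</identityMappedGroupBasicConfig>"""
# Base 32 to base 32 hex (RFC 4648 sections 6 and 7) is a fixed alphabet substitution.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def scheme_from_config(xml_text: str) -> str:
    """Read <binaryAttributesEncoding>; a missing tag means the legacy base 64 scheme."""
    node = ET.fromstring(xml_text).find("binaryAttributesEncoding")
    return node.text.strip() if node is not None and node.text else "LEGACY"

def encode_binary_attribute(raw: bytes, scheme: str) -> str:
    """String form of a binary attribute under a scheme. Assumed here: BASE16 is
    uppercase, and LEGACY (tag absent) is padded standard base 64."""
    if scheme == "BASE16":
        return binascii.hexlify(raw).decode("ascii").upper()
    if scheme == "BASE32_NOPADDING":
        return base64.b32encode(raw).decode("ascii").rstrip("=")
    if scheme == "BASE32_HEX_NOPADDING":
        return base64.b32encode(raw).decode("ascii").rstrip("=").translate(_B32_TO_B32HEX)
    if scheme == "BASE64_URL_NOPADDING":
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    if scheme == "LEGACY":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError(f"unsupported binaryAttributesEncoding: {scheme}")

def user_principal(source_id: str, raw: bytes, scheme: str) -> str:
    """Cloud Search user principal for a user whose identifier is a binary attribute."""
    return f"identitysources/{source_id}/users/{encode_binary_attribute(raw, scheme)}"

def rekeyed_principals(source_id: str, raws, old_scheme: str, new_scheme: str):
    """(old, new) principal pairs that differ after a scheme change: identity mappings
    recorded under the old scheme no longer match these users."""
    pairs = [(user_principal(source_id, r, old_scheme), user_principal(source_id, r, new_scheme)) for r in raws]
    return [p for p in pairs if p[0] != p[1]]

if __name__ == "__main__":
    print("scheme in sample config:", scheme_from_config(SAMPLE_CONFIG))
    for s in ("LEGACY", "BASE16", "BASE32_NOPADDING", "BASE32_HEX_NOPADDING", "BASE64_URL_NOPADDING"):
        print(f"{s:22} {user_principal('EXAMPLE_SOURCE_ID', SAMPLE_OBJECT_GUID, s)}")
```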