Sync groups & users to a Cloud Search identity source

Google Cloud Search uses an identity source to map user identities from third-party repositories. User identities can be stored in a Lightweight Directory Access Protocol (LDAP) server, such as Microsoft Active Directory. To synchronize Active Directory groups with your identity source, you can use Google Cloud Directory Sync (GCDS).

Note: If the user IDs you're syncing are defined by specific search and exclusion rules, then apply the new custom schema to a set of users. If not, then apply it to all user accounts.

Before you begin

Step 1: Turn on identity mapped groups

  1. At the command line, enter one of the following commands:
    • Linux (from the directory of the installation): $ ./config-manager --enable-img 
    • Microsoft Windows: > config-manager.exe --enable-img
  2. Open Configuration Manager.
  3. In the left panel, click General Settings.
  4. Check the Identity Mapped Groups checkbox.

    The Identity Mapped Groups option appears in the left panel.

Step 2: Add groups to sync

  1. Open Configuration Manager.
  2. In the left panel, click Identity Mapped Groups.
  3. On the Search Rules tab, enter the following information:
    • Identity source ID (include the "identitysources/" part of the string)
    • Service account file path
  4. Click Add Search Rule and enter the following information:
    • Scope
    • Rule
    • Group attributes
  5. ​Click OK.


Step 3: Sync user identities to Cloud Search

  1. In the left panel, click Custom schemas.
  2. Click Add schema.
  3. Select either Define custom search rules or User rules defined in "User Accounts". For more details, see Sync custom user fields using a custom schema.
  4. For Schema name, enter the identity source ID. Do not include "identitysources" in the ID.
  5. For LDAP field name, enter the LDAP field that contains your external user identifier. This identifier is used in Cloud Search user principals with the form identitysources/source-id/users/user-identifier.
  6. For Google field name, enter the identity source ID appended with "_identifier". For example, if the identity source ID is 02b392ce3a23, enter 02b392ce3a23_identifier.
  7. For Google field type, select String and ensure that the field has only one value.
  8. Click OK.

For more information, go to Create an identity source.

Step 4: Schedule your sync

  1. Open Configuration Manager.
  2. In the left panel, click Sync.

You can simulate a sync or save your settings. Learn how to automate your synchronization process.

Encoding binary attributes

If you use a binary attribute (such as objectSid or objectGUID) as the group name or user email attribute, it's converted to a string using an encoding scheme. The supported encoding schemes are:

  • Base 16 (Hexadecimal)
  • Base 32
  • Base 32 Hex
  • Base 64
  • Base 64 URL

If you want to change the encoding scheme, manually update the configuration file:

  1. Open the configuration file and under the <identityMappedGroupBasicConfig> tag, find <binaryAttributesEncoding>.
  2. If <binaryAttributesEncoding> isn't there, you're using the legacy base 64 encoding scheme. Under <identityMappedGroupBasicConfig>, add <binaryAttributesEncoding>.

  3. Update <binaryAttributesEncoding> with one of the following options:

    • BASE16








Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu