If you're using Microsoft Active Directory with LDAP channel binding and LDAP signing enabled, you must take additional steps to ensure that Google Cloud Directory Sync (GCDS) authenticates using LDAP over SSL. Otherwise, GCDS won't connect to Active Directory and your synchronizations will fail. You need to take these steps even if you previously ran a sync successfully using standard LDAP authentication. For details on Microsoft advisory ADV190023, see your Microsoft documentation.
If you're already successfully using LDAP over SSL, you don't need to take any steps.
Step 1: Enable TLS in Active Directory
Note: The terms TLS and SSL are often used interchangeably.
To enable TLS in Active Directory, see your Microsoft documentation on:
- How to enable LDAP over SSL with a third-party certification authority
- Creating custom secure LDAP certificates for domain controllers with auto renewal
- Troubleshooting LDAP over SSL
Step 2: Ensure that the certificate is trusted
The Certificate Authority (CA) that signed your domain controller’s certificate must be trusted by GCDS. Most well-known internet CAs, such as Verisign, Comodo, and Let's Encrypt, are trusted. If you use these CAs, you can skip this step.
If your CA is not trusted or if you're using your own root CA, follow the steps in Troubleshoot certificate-related errors.
Step 3: Set up Configuration Manager
- Open Configuration Manager and go to the LDAP Configuration page.
- For the Connection type setting, specify LDAP+SSL.
- For the Port setting, specify 636 (if you previously used 389) or 3269 (if you previously used 3268).
- Click Test connection.
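Before you click Test connection, it helps to confirm from the machine that runs GCDS that the domain controller actually answers on the LDAP+SSL port and presents a certificate chain that verifies (Step 2) on the replacement port from Step 3. The script below is an added example written for this article; it is not part of GCDS or of Google's documentation. It checks against the Python/OpenSSL trust store (or a PEM file with your own root CA, which you pass as ca_file), not the trust store GCDS itself consults, so a pass here only rules out reachability and chain problems. The host name dc01.example.internal and the error-text substrings used to classify failures are assumptions.

```python
import socket
import ssl
from typing import Optional

# Plain-LDAP to LDAP+SSL port replacements from Step 3 (389 -> 636, 3268 -> 3269).
LDAPS_PORT_FOR = {389: 636, 3268: 3269}


def ldaps_port_for(plain_port: int) -> int:
    """Return the LDAP+SSL port that replaces a plain-LDAP port."""
    if plain_port not in LDAPS_PORT_FOR:
        raise ValueError(f"no LDAP+SSL equivalent known for port {plain_port}")
    return LDAPS_PORT_FOR[plain_port]


def classify_verify_error(err: ssl.SSLCertVerificationError) -> str:
    """Map an OpenSSL certificate-verification failure to a coarse cause.

    Assumption: the substrings below match current OpenSSL/Python error text;
    anything unrecognised is reported as a generic verification failure.
    """
    msg = (getattr(err, "verify_message", None) or str(err)).lower()
    if "self signed" in msg or "self-signed" in msg or "unable to get local issuer" in msg:
        return "untrusted_ca"        # Step 2 case: the signing CA is not in the trust store
    if "hostname mismatch" in msg:
        return "hostname_mismatch"   # certificate SAN/CN does not cover the name you connect to
    if "expired" in msg:
        return "certificate_expired"
    return "verification_failed"


def check_ldaps_trust(host: str, port: int = 636, ca_file: Optional[str] = None,
                      timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port and report whether the chain verifies.

    ca_file: optional PEM bundle holding your own root CA; when omitted, the
    OpenSSL/Python system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "status": "trusted",
                    "tls_version": tls.version(),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as err:
        return {"status": classify_verify_error(err), "detail": str(err)}
    except ssl.SSLError as err:
        # Handshake failed for a non-certificate reason, e.g. the port is serving plain LDAP.
        return {"status": "tls_error", "detail": str(err)}
    except OSError as err:
        # Covers refused connections, timeouts and name-resolution failures.
        return {"status": "unreachable", "detail": str(err)}


if __name__ == "__main__":
    # Assumed host name; replace it with your domain controller's FQDN.
    print(check_ldaps_trust("dc01.example.internal", ldaps_port_for(389)))
```

Run it with the same host name you enter in Configuration Manager, since hostname verification is part of the check. A status of untrusted_ca means the signing CA is not trusted and you need the steps in Troubleshoot certificate-related errors; tls_error usually means the port is not yet serving LDAP over SSL (Step 1); unreachable points at firewall or DNS rather than certificates.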
Step 4: (Optional) Troubleshoot
If your sync has slowed down, see I switched to LDAP+SSL and now my sync is slow.
If you're seeing errors, see Troubleshoot certificate-related errors.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.