Learn more about Configuration Manager options

Examples: ad.example.com or 10.22.1.1.

If your LDAP server allows anonymous connections and you want to connect anonymously, select Anonymous. Otherwise, select Simple.

If your LDAP directory server requires a domain for login, include the domain for the user as well.

Example: admin1

Example: swordfishX23

Enter the Base DN for the subtree to synchronize. Don't include spaces between commas. If you don’t know the Base DN, consult your LDAP administrator or check an LDAP browser.

If you leave this field empty, all domains in the forest are searched.  

Example: ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com

The SMTP mail server to use for notifications. GCDS uses this mail server as a relay host.

Example:

• 127.0.0.1
• smtp.gmail.com

Check the box to use SMTP with TLS (required with smtp.gmail.com).

Supported TLS versions—1.0, 1.1, and 1.2 (supported from GCDS version 4.7.6 onwards).

Example:

User Name: admin@solarmora.com
Password: ud6rTYX2!

Example: admin@solarmora.com

Notifications are sent to all addresses on this list. To enter multiple addresses, click Add after each email address. 

Depending on your mail server settings, GCDS might be unable to send mail to external email addresses. Click Test Notification to confirm that mail is sent correctly.

Example: dirsync-admins@solarmora.com

Limit the information sent in notification emails. You can choose to exclude: 

• Extra details–For example, a list of excluded objects.
• Warnings–Warning messages.
• Errors–Error messages.

Example: sync.log

Optionally, you can add the placeholder #{timestamp} to the file name. The placeholder is replaced by an actual timestamp (for example, 20190501-104023) in each execution before the log file is saved to the disk.

If you use the placeholder, GCDS generates a new log file every time it runs a simulation or sync. If a log is older than 30 days, it's deleted.

Example: sync.#{timestamp}.log

If you run a sync at 2019-05-01 at 10:40:23am, the log file is named sync.20190501-104023.log.

• FATAL—Only logs fatal operations.
• ERROR—Logs errors and fatal operations.
• WARN—Logs warnings, errors and fatal operations.
• INFO—Logs summary information.
• DEBUG— Logs more extensive details.
• TRACE—Logs all possible details.

The level of detail is cumulative; each level includes all the details of previous levels (for example, ERROR includes all ERROR and FATAL messages).

The maximum size of the log file, in megabytes.

The maximum log size includes all the backup files plus the current file. The number of back up files is determined by the log file count attribute (see below).

To calculate the maximum size of a log file use <maximum log size> / (<log file count> + 1)

Example: 500

The number of log files that are saved to the disk. The default is 10.

Note: This setting can only be modified in the configuration file within the tag <logFileCount>.

Example: mail

Enable invalid characters replacement

Invalid character replacement

If you check the box, spaces and invalid characters in an email address are replaced with the string specified in the Invalid character replacement field.

If you check the box but leave the field blank, GCDS removes spaces and invalid characters from the address.

Example

The email address on the LDAP server is
x y\z@example.com.

• If you add an underscore (_) to the Invalid characters replacement field, GCDS converts the email address to x_y_z@example.com.
• If the Invalid characters replacement field is left blank, GCDS converts the email address to xyz@example.com.

Example: objectGUID

Example: proxyAddresses

If this field is empty, any alias associated with the Google user profile isn't removed following a GCDS sync. The alias can still be managed in Google.
 

• Delete only active Google Domain users not found in LDAP (suspended users are retained)—Active users in your Google domain are deleted if they aren't in your LDAP server. Suspended users are not altered. This is the default setting.
• Delete active and suspended users not found in LDAP—All users in your Google domain are deleted if they aren't in your LDAP server, including suspended users.
• Suspend Google users not found in LDAP, instead of deleting them—Active users in your Google domain are suspended if they are not in your LDAP server. Suspended users are not altered.
• Don’t suspend or delete Google domain users not found in LDAP—No users in your Google domain are suspended or deleted (unless you have a search rule that’s set to suspend users).

You can also use multiple attributes for the given name. If you use multiple attributes, place each attribute field name in square brackets.

Examples: givenName,[cn]-[ou]

Examples: surname, [cn]-[ou]

An LDAP attribute that contains each user's display name.

Example: displayName

• Only for new users—When GCDS creates a new user, it synchronizes that user's password. Existing passwords are not synced. Use this option if you want your users to manage their passwords in your Google domain. Note: If you are using a temporary or onetime password for new users, use this option.
• For new and existing users—GCDS always synchronizes all user passwords. Existing passwords in your Google domain are overwritten. This option is appropriate for managing user passwords on your LDAP server, but it is less efficient than the Only changed passwords option.
• Only changed passwords—GCDS only synchronizes passwords that changed since your previous sync. We recommend this option if you want to manage user passwords on your LDAP server. Note: If you use this option, you must also provide a value for the Password timestamp attribute.

Example: CustomPassword1

Example: PasswordChangedTime

• SHA1–Passwords in your LDAP directory server hashed using unsalted SHA1.
• MD5–Passwords in your LDAP directory server hashed using unsalted MD5.
• Base64–Passwords in your LDAP directory server use Base64 encoding.
• Plaintext–Passwords in your LDAP directory server are not encrypted. GCDS reads the password attribute as unencrypted text, then immediately encrypts the password using SHA1 encryption and synchronizes with your Google domain.

Note: GCDS never saves, logs, or transmits passwords unencrypted. If passwords in your LDAP directory are Base64-encoded or plaintext, GCDS immediately encrypts them with SHA1 encryption and synchronizes them with your Google domain. Simulate sync and full sync logs show the password as a SHA1 password.

Use this field only if you also specify a Password Attribute. If you leave the Password Attribute field blank, when you save and reload, the configuration resets to the default of SHA1. Note that some password encoding formats aren't supported. Check your LDAP directory server with a directory browser to find or change your password encryption.

By default, Active Directory and HCL Domino directory servers don't store passwords in any of these formats. Consider setting a default password for new users and requiring users to change passwords on first login.

If checked, new users must change passwords the first time they sign in to their Google account. Doing so allows you to set an initial password, either from an LDAP attribute or by specifying a default password for new users that the user must change the first time they sign in.

Use this option if you set an attribute in one of these fields:

• In the Password Attribute field, but it's only a temporary or one-time password
• In the Default password for new users field

Note: If your users don't manage their Google password, for example, if you're using Password Sync or single sign-on (SSO), we recommend that you don't turn on this setting.

Important: If you enter a default password here, be sure to check the Force new users to change password box so that users don't retain the default password.

Example: swordfishX2!

Specify which Google organizational unit should contain users that match this rule. If the organizational unit specified doesn't exist, GCDS adds the users to the root level organizational unit in your Google domain.

This option only appears if you have enabled Organizational Units on the General Settings page.

Options include:

• Org Unit based on Org Units Mappings and DN—Add users to the unit that maps to the user’s DN on your LDAP server. This is based on your Org Mappings and shows in the LDAP User Sync list as [derived].
• Org Unit Name—Add all users that match this rule to the same Google organizational unit. Specify the organizational unit in the text field.

  Example: Users

• Org Unit name defined by this LDAP attribute—Add each user to the organizational unit with the name specified in an attribute on your LDAP directory server. Enter the attribute in the text field.

  Example: extensionAttribute11

Suspend all users that match this LDAP user sync rule.

Notes:

• GCDS suspends or deletes users that already exist in your Google domain based on the GCDS User Account Deletion/Suspending policy setting.
• Users in your domain that you have suspended are reenabled by GCDS if they match a search rule that doesn't have suspend users enabled.
• This feature is commonly used to stage user accounts in the domain. The new users are created in a suspended state. If you are importing active users with this rule, leave this unchecked.

LDAP attribute that contains the ID of the building where the user works. This can also be set to "Working remotely" if the user doesn't have a primary office building.

Admins can also let users set their own locations. For details, see Let users change their photo and profile information.

LDAP attribute that contains user’s additional email addresses. You can enter more than one value into this field.

Note: This field only supports the synchronization of addresses using the Work email type.

LDAP attribute that contains the user’s website URLs. You can enter more than one value into this field.

Valid URLs are checked against the following regular expression:

^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$]]>

Invalid URLs are skipped.

LDAP attribute that contains the user’s recovery phone. The phone number must be in the E.164 international standard, starting with the plus sign (+).

The attribute can be set as an expression by using square brackets. This allows you to include additional characters.

Examples:

• +[ldap-attribute]—Prepends a plus sign to the value of the attribute.
• +41[ldap-attribute]—Prepends a plus sign and country code to the value of the attribute.

Example: ou=melbourne,dc=ad,dc=example,dc=com

Example: Melbourne

Example: description

If checked, Google organizational units are retained during a sync, even when the organizational units aren't in your LDAP server.

If checked, Google organizational units aren’t synced with your LDAP server, but users can be added to existing Google organizational units as specified in your user search rules.

If unchecked, GCDS adds and deletes organizational units in your Google domain to match the organization structure in your LDAP server, according to the mappings you specify.

Example: mail

Example: extendedAttribute6

Example: mail

The LDAP object class value that represents your groups. It’s used to separate members who are users from members who are groups (also known as "nested groups").

Example: group

Check this box if your search rule is for Exchange dynamic distribution groups.

Note: If you manually enable DYNAMIC_GROUPS in your XML config file but leave out INDEPENDENT_GROUP_SYNC, make sure your dynamic group search rule is the first group search rule. See Troubleshoot common GCDS issues for details.

GCDS looks up the email addresses of these members and adds each member to the group in your Google domain.

If Dynamic (Query-based) group is checked, this should reference an LDAP attribute that contains the filter that GCDS uses to determine group membership.

Example (non-dynamic): memberUID

Example (dynamic): msExchDynamicDLFilter

Example: memberaddress

Dynamic groups in Exchange and GCDS work by noting membership as a LDAP query. The Member reference attribute contains the LDAP query and Dynamic group Base DN attribute points to the base DN where the query will be executed.

Example: Attributes and values of a dynamic group in LDAP

dn: CN=MyDynamicGroup,OU=Groups,DC=altostrat,DC=com
mail: mydynamicgroup@altostrat.com
member:
msExchDynamicDLFilter: (|(CN=bob.smith,OU=Users,DC=altostrat,DC=com)| (CN=jane.doe,OU=Users,DC=altostrat,DC=com)) msExchDynamicDLBaseDN: OU=Users,DC=altostrat,DC=com

Note that the attribute usually used to list group members ("member") is blank, and instead there's an LDAP query that will find bob.smith and jane.doe, looking in the "Users" organizational unit.

GCDS looks up the email addresses of each mailing list’s owner and adds that address as the group owner in your Google domain.

Example: ownerUID

GCDS adds that address as the group owner in the Google domain.

Example: owner

One or more attributes that contain alias addresses. The addresses are added in Google Groups as aliases of the group's primary email address. 

If the field is empty, no aliases associated with the group are removed. You can also manage aliases in in your organization's Google account.

Example: proxyAddresses

Example: groups-

Example: -list

Enable invalid characters replacement

Invalid character replacement

If you check the box, spaces and invalid characters in an email address are replaced with the string specified in the Invalid character replacement field.

If you check the box but leave the field blank, GCDS removes spaces and invalid characters from the address.

Example

The email address on the LDAP server is
x y\z@example.com.

• If you add an underscore (_) to the Invalid characters replacement field, GCDS converts the email address to x_y_z@example.com.
• If the Invalid characters replacement field is left blank, GCDS converts the email address to xyz@example.com.

Examples: dn or contactReferenceNumber

Example: [prefix] - [givenName] [sn] [suffix]

Important: Calendar Resources won't sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:).

For more information on calendar resource naming, see Resource naming recommendations.

The LDAP attribute that contains the name for the calendar resource. 

Example:

[building]-[floor]-Boardroom-[roomnumber]

In this example, building, floor, and roomnumber are LDAP attributes. Following a sync, these attributes are replaced by the appropriate value, for example, Main-12-Boardroom-23.

Example: [description]

Important: Calendar Resources does not sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:).