Manage LDAP clients

This feature is available with G Suite Enterprise, Cloud Identity Premium, G Suite Enterprise for Education, and G Suite for Education.

You can manage your LDAP clients from the LDAP page in the Google Admin console. For example, you can view your list of LDAP clients, turn the service on or off for individual clients, add new LDAP clients, and more. 

For instructions and details, see the sections below.

View your list of LDAP clients

To view your list of LDAP clients:

  1. Sign in to the Google Admin console at admin.google.com.
    Be sure to sign in using your administrator account, and not your personal Gmail account.
  2. Go to Apps > LDAP.

Turn service status on or off

You’ll need to turn the service status to On after adding the LDAP client and connecting the LDAP client to the Secure LDAP service. Later, if you need to disable the LDAP client, you can turn the service status to Off from the same page.

To turn service status on or off:

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Service Status card.
  4. Click On or Off.
  5. Click SAVE.

Important:

  • If you suspect a security issue with an LDAP client (for example, if certificates or credentials are compromised), keep in mind that turning the service status to Off will not disable the client immediately. It may take up to 24 hours before the client is disabled. To immediately disable the client, you'll need to delete all of the certificates associated with the client. For instructions, see Delete certificates.
  • At a later time, if you want to enable the client, you'll need to generate new certificates and upload the certificates to your LDAP client.

Edit access permissions

You can edit the access permissions of clients you have added to the Secure LDAP service.

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Access permissions card.
    This opens the access permission settings for that client.

For more details about changing the settings for access permissions, see Configure access permissions.

Generate certificate authentication

You need to generate certificates to authenticate the LDAP client with the Secure LDAP service.

You may need to generate multiple certificates if you have instances of your LDAP client in several locations (for example, in the Dallas data center, the Paris data center, and so on). For security reasons, you may want to generate one certificate for each instance of the same LDAP client. You can also edit the certificate name in the Admin console to make it more clear. For example, you can name the first certificate Atlassian-Jira-Dallas, name another certificate Atlassian-Jira-Paris, name another certificate Atlassian-Jira-Cluster-A, and so on.

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Authentication card.
  4. Click GENERATE NEW CERTIFICATE.
  5. Click the download icon to download the certificate.
  6. Upload the certificate to your client, and configure the application.
    Depending on the type of LDAP client, configuration might require LDAP access credentials (see Generate access credentials). 

Generate access credentials

In addition to generating certificate authentication, you'll need to generate access credentials if the application you’re configuring requires it: in other words, if a username and password are required in addition to a certificate to connect to the Secure LDAP service.

Note:

  • The Google Secure LDAP service authenticates LDAP clients with certificates, so generating access credentials is not the primary way to authenticate the LDAP client. However, some LDAP clients (for example, Atlassian Jira) require you to type in the admin username and password to complete the LDAP authentication configuration. Use access credentials only if required by the client.
  • After generating the access credentials, be sure to copy the credentials (username and password) before configuring your client, because the password is not saved in the Google Admin console. Therefore, if you need this password later to configure an additional LDAP client (for example, another Atlassian server you add later), you'll need to generate a new credential and use it in the new Atlassian server.

To generate access credentials:

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Authentication card.
  4. Click GENERATE NEW CREDENTIALS.
    You can then view the password in the Access credentials window. 

    Note: You'll need the password when connecting your client to the Secure LDAP service, so be sure to copy the password from this window. Click the eye icon to make the password visible.

After generating the credentials you need, see Configuration instructions for specific LDAP clients for details that are specific to your LDAP client.
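The following POSIX shell script is an added example, not part of this Help Center article and not Google's own tooling. It takes the files an administrator ends up with after the two procedures above (the certificate and private key from the Authentication card, plus an optional access-credential username and password), checks them, and runs a base-scope connectivity test through OpenLDAP's ldapsearch. It assumes things the page does not state: that the certificate download unpacks to a PEM certificate file and a private key file, that ldapsearch is installed, and that the service endpoint is ldaps://ldap.google.com:636 (override LDAP_URI if yours differs).

```shell
#!/bin/sh
# Added example, not from the Help Center article or from Google:
# validate the files produced by "Generate certificate authentication" and
# "Generate access credentials", then run a base-scope ldapsearch through
# OpenLDAP's client library. Assumptions not stated on the page: the
# certificate download unpacks to a PEM certificate and private key file,
# OpenLDAP's ldapsearch is installed, and the service endpoint is
# ldaps://ldap.google.com:636 (override with LDAP_URI if yours differs).

LDAP_URI="${LDAP_URI:-ldaps://ldap.google.com:636}"

# check_inputs CERT KEY [USERNAME PASSWORD_FILE]
# Returns 0 when every required file is readable, 2 otherwise. Warns when the
# private key is world-readable: anyone who can read it can present this
# client's identity, and the page's remedy for that is deleting the certificate.
check_inputs() {
  cert="$1"; key="$2"; user="${3:-}"; pwfile="${4:-}"
  [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 2; }
  [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 2; }
  if find "$key" -perm -004 2>/dev/null | grep -q .; then
    echo "warning: private key $key is world-readable; restrict it (chmod 600)" >&2
  fi
  if [ -n "$user" ]; then
    # A username (access credential) is only usable with its password file.
    [ -n "$pwfile" ] && [ -r "$pwfile" ] || \
      { echo "password file for $user not readable: '$pwfile'" >&2; return 2; }
  fi
  return 0
}

# probe_cmd CERT KEY BASE_DN [USERNAME PASSWORD_FILE]
# Prints the ldapsearch invocation without running it, for review or for a
# change ticket. The certificate and key are passed through OpenLDAP's
# LDAPTLS_CERT / LDAPTLS_KEY variables; access credentials, only when the
# client needs them, become a simple bind whose password is read from a file
# (-y) rather than given on the command line, so it never lands in argv,
# process listings or shell history. The password itself is never printed.
probe_cmd() {
  cert="$1"; key="$2"; base="$3"; user="${4:-}"; pwfile="${5:-}"
  check_inputs "$cert" "$key" "$user" "$pwfile" || return $?
  if [ -n "$user" ]; then
    printf 'LDAPTLS_CERT=%s LDAPTLS_KEY=%s ldapsearch -H %s -b %s -x -D %s -y %s -s base "(objectClass=*)"\n' \
      "$cert" "$key" "$LDAP_URI" "$base" "$user" "$pwfile"
  else
    printf 'LDAPTLS_CERT=%s LDAPTLS_KEY=%s ldapsearch -H %s -b %s -x -s base "(objectClass=*)"\n' \
      "$cert" "$key" "$LDAP_URI" "$base"
  fi
}

# run_probe CERT KEY BASE_DN [USERNAME PASSWORD_FILE]
# Executes the same search. Exit status 0 means the certificate (and, if
# given, the credentials) are accepted; a TLS handshake or bind failure means
# the client is not, or no longer, authorised, which is what you expect
# immediately after deleting its certificate in the Admin console.
run_probe() {
  cert="$1"; key="$2"; base="$3"; user="${4:-}"; pwfile="${5:-}"
  check_inputs "$cert" "$key" "$user" "$pwfile" || return $?
  if [ -n "$user" ]; then
    LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" ldapsearch -H "$LDAP_URI" -b "$base" \
      -x -D "$user" -y "$pwfile" -s base '(objectClass=*)'
  else
    LDAPTLS_CERT="$cert" LDAPTLS_KEY="$key" ldapsearch -H "$LDAP_URI" -b "$base" \
      -x -s base '(objectClass=*)'
  fi
}

# Usage (file names, base DN and username are placeholders for your own):
#   run_probe jira-dallas.crt jira-dallas.key "dc=example,dc=com"
#   run_probe jira-dallas.crt jira-dallas.key "dc=example,dc=com" "<username>" ./jira.pw
```

Run the certificate-only form first; add the username and password file only for a client that, like the Jira case above, needs access credentials. Because the password is stored only in the file you write (with mode 600), the script mirrors the note that the Admin console does not keep it. The same probe doubles as a verification step for the Delete certificates procedure: once a client's certificates are deleted, the probe for that certificate should fail at the TLS handshake, whereas after merely turning the service status to Off it may keep succeeding for up to 24 hours.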

Rename certificates

When generating a certificate, a name for that certificate is automatically generated. You have the option to rename the certificate so that it’s more descriptive.

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Authentication card.
  4. On the far right, click the pencil icon for the certificate, and select RENAME CERTIFICATE.
  5. In the Rename certificate window, type a new name.
  6. Click SAVE.

Delete certificates

Deleting certificates renders them inoperative. If you suspect a security issue with an LDAP client (for example, if certificates or credentials are compromised), you can immediately disable the client by deleting all of the digital certificates associated with it. This is the best way to disable a client immediately, since it may take up to 24 hours for a client to be disabled after turning the service status to Off.

At a later time, if you want to enable the client, you'll need to generate new certificates and upload the certificates to your LDAP client.

To delete certificates:

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Authentication card.
  4. On the far right, click the pencil icon for the certificate, and select DELETE CERTIFICATE.
  5. Click DELETE.

Delete access credentials

Deleting access credentials renders them inoperative.

To delete access credentials:

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click the Authentication card.
  4. In the Access credentials card, click the delete icon for any of the access credentials.
  5. Click DELETE.

Delete LDAP clients

You can delete an LDAP client from the details page for that client.

  1. From the Google Admin console, go to Apps > LDAP.
  2. Click one of the clients in the list.
  3. Click MORE > DELETE CLIENT.
  4. To confirm, click DELETE.