Google Apps Directory Sync Administration Guide: User Manual, Page 1

Table of Contents

Page 1 - Google Apps Directory Sync

Google Apps Directory Sync Administration Guide Release 4.0.2

Page 2 - Part number: GADS_4.0.2

10 Release 4.0.2 How to Send Comments About This Guide Google values your feedback. Please send comments about this guide to: enterprise-apps-doc-feedbac

Page 3

100 Release 4.0.2 Sample Substring Match: Defunct Mailing Lists Several mailing lists are no longer in use because two nearby offices combined togethe

Page 4 - 4 Release 4.0.2

Configuration 101 Add Group Exclusion Rule Click Add Exclusion Rule to prevent an address from being treated as a mailing list, and specify the follow

Page 5 - Contents

102 Release 4.0.2 User Profile Attributes Specify what attributes Google Apps Directory Sync will use when generating the LDAP user profiles.

Page 6 - 6 Release 4.0.2

Configuration 103 The fields are as follows. LDAP Profile User Attribute Description Primary email LDAP attribute that contains a user’s primary mail a

Page 7 - Escalating Problems 145

104 Release 4.0.2 User Profile Search Rules This shows a list of rules used when determining which user profiles to import. Note: If you store your use

Page 8 - 8 Release 4.0.2

Configuration 105 This page shows the list of search rules. In a new configuration, this will be an empty list. To add a search rule, click the Add S

Page 9 - About This Guide

106 Release 4.0.2 Rule The search rule for user profile sync to match. This rule is a standard LDAP query, and allows sophisticated logic and complex

Page 10 - Document Description

Configuration 107 User Profile Exclusion Rules If you have any existing user profile information in Google Apps that you do not want to synchronize, s

Page 11 - How Directory Sync Works

108 Release 4.0.2 Sample Exact Match: Opt-Out Users Two users have opted out of Google Apps and should not be synchronized. Add a separate rule for eac

Page 12 - Data Flow

Configuration 109 Specify the following: Shared Contacts Set up synchronization for Google Apps shared contacts in the LDAP Shared Contacts page. Share

Page 13 - What Is Synchronized

Chapter 2 Overview of Google Apps Directory Sync 11 Overview of Google Apps Directory Sync Chapter 2 What Is Google Apps Directory Sync? Google Apps Dire

Page 14 - 14 Release 4.0.2

110 Release 4.0.2 You can see Shared Contacts in Google Apps by going to your Inbox and clicking the Contacts link. The Shared Contacts section config

Page 15 - Directory Sync and Deployment

Configuration 111 Below are some of the most common reasons to import Shared Contacts: • Add groups and outside addresses to autocomplete. User addres

Page 16 - 16 Release 4.0.2

112 Release 4.0.2 The fields are as follows. LDAP Shared Contact Attribute Description Sync key An LDAP attribute that contains a unique identifier for

Page 17 - Early Adopter

Configuration 113 Shared Contact Search Rules This shows a list of rules used when determining which shared contacts to import. Mobile phone numbers LD

Page 18 - Maintenance

114 Release 4.0.2 By default, shared contacts are synchronized for all contacts that match these search rules will be added to the Google Apps user l

Page 19 - System Requirements

Configuration 115 LDAP Shared Contacts Search Rule Field Description Scope This determines where in the LDAP directory this rule applies. Choose which o

Page 20 - Level of Effort and Expertise

116 Release 4.0.2 Shared Contact Exclusion Rules If you have any contacts on your LDAP directory server that match your search rules but should not be

Page 21

Configuration 117 This page shows the list of exclusion filters. In a new configuration, this will be an empty list. To add exclusion filters, click

Page 22 - 22 Release 4.0.2

118 Release 4.0.2 Add Exclusion Rule Click Add Exclusion Rule to exclude a shared contact in your LDAP server from synchronization. Specify the followi

Page 23 - Getting Started

Configuration 119 LDAP Calendar Resources This section configures how Google Apps Directory Sync generates your LDAP calendar resources list for compa

Page 24 - Softerra LDAP Administrator

12 Release 4.0.2 Technical Overview GADS includes two connected tools: Configuration Manager and the sync-cmd synchronization command line utility. Co

Page 25 - Identify LDAP Resources

120 Release 4.0.2 Calendar Resource Attributes Specify the attributes you want Google Apps Directory Sync to use when generating the LDAP calendar res

Page 26 - Clean Up LDAP Data

Configuration 121 Note: Calendar resource attributes use a different syntax than other Directory Sync attributes. All attributes in the LDAP Calendar

Page 27 - Getting Started 27

122 Release 4.0.2 By default, all calendar resources that match these search rules will be added to the Google Apps calendar resources, and all calen

Page 28 - ActiveGoogleAppsUsers

Configuration 123 Calendar Resource Exclusion Rules If you have any entities on your LDAP directory server that match your calendar resource search ru

Page 29 - User Data

124 Release 4.0.2 Exclusion rules are based on string values and regular expressions, not LDAP settings. Note: To exclude individual calendar resourc

Page 30 - Groups and Mailing Lists

Configuration 125 Sample Substring Match: Printers In this example, printers are listed as LDAP resources and would match the LDAP query given. Howeve

Page 31 - Getting Started 31

126 Release 4.0.2 Add Exclusion Rule Click the Add Exclusion Rule at the bottom of the page to exclude a user or organization in your LDAP server from

Page 32 - Passwords

Configuration 127 Notifications You can set Configuration Manager so that every time synchronization occurs, Google Apps Directory Sync will send out

Page 33 - Roadmap for Deployment

128 Release 4.0.2 Consider adding a notification to send mail to your own address, and possibly the addresses of any concerned parties in your compan

Page 34 - 34 Release 4.0.2

Configuration 129 Test Notification Click this button to test notifications. Configuration Manager will connect to the SMTP server you specified and s

Page 35 - Getting Started 35

Overview of Google Apps Directory Sync 13 Security GADS has the following security features: • It runs inside your network, on a machine you control. •

Page 36 - 36 Release 4.0.2

130 Release 4.0.2 Logging Settings You can specify the file name and level of detail of logging for Google Apps Directory Sync. Specify the following: L

Page 37 - Sample Scenario

Configuration 131 Sync After you enter configuration information, use this section to verify and test your GADS settings. Configuration Manager does n

Page 38 - Enable APIs

132 Release 4.0.2 Validation Results When you first go to this page, you will see Validation Results. This page will show a checklist of all the Confi

Page 39 - Further Steps

Configuration 133 During simulation, Configuration Manager will: • Connect to Google Apps and generate a list of users, groups, and shared contacts. •

Page 41 - LDAP Queries

Chapter 7 Synchronization 135 Synchronization Chapter 7 About Synchronization Run the synchronization command to push your LDAP directory server user inf

Page 42 - Common LDAP Queries

136 Release 4.0.2 sync-cmd Run without any arguments, this command gives an error and directs you to run sync-cmd -h for help. To synchronize, use the

Page 43 - LDAP Queries 43

Synchronization 137 Scheduling Synchronization Once you have successfully run a manual synchronization, you can set up automatic synchronization. Use

Page 44 - 44 Release 4.0.2

138 Release 4.0.2 To schedule a task 1. In Control Panel, open Scheduled Tasks. 2. Double-click Add Scheduled Task. 3. Complete the Scheduled Task wiza

Page 45 - Installation

Synchronization 139 Monitoring After you have set up scheduled synchronization, make a policy of regularly checking the status of your synchronization

Page 46 - 46 Release 4.0.2

14 Release 4.0.2 User Aliases Nicknames Other email addresses also used by a given primary address. Each user can have multiple nicknames in Google Ap

Page 48 - 48 Release 4.0.2

Chapter 8 Release 4.0.2 Troubleshooting 141 Release 4.0.2 Troubleshooting Chapter 8 About Troubleshooting This chapter covers information about how to tro

Page 49 - Configuration

142 Release 4.0.2 What port numbers should be used in GADS when connecting to Global Catalog server?By default, GADS connects to an LDAP server with t

Page 50 - Configuration Files

Release 4.0.2 Troubleshooting 143 A group rule or exclusion rule doesn’t seem to be doing anything. Check the scope of the rule. You may need to set th

Page 51 - Configuration Best Practices

144 Release 4.0.2 The proxy environment requires a password challenge for external web access. GADS can use a proxy server but cannot respond to passwo

Page 52 - General Settings

Release 4.0.2 Troubleshooting 145 System Tests If you encounter problems, use the tests in Configuration Manager to find the problem: 1. In Configuratio

Page 54 - 54 Release 4.0.2

Overview of Google Apps Directory Sync 15 Directory Sync and Deployment GADS can be used during different stages of the Google Apps deployment cycle.

Page 55 - Configuration 55

16 Release 4.0.2 If you have already added users through another method, and begin using GADS afterwards, you may move directly to Global Go Live and

Page 56 - Authorizing using OAuth

Overview of Google Apps Directory Sync 17 Users: A small number of manually added users. In the Core IT phase, a small number of IT users activate in

Page 57 - Google Apps Proxy Settings

18 Release 4.0.2 Global Go Live Users: All users active in Google Apps. In the Global Go Live phase, all users become active and begin using Google App

Page 58 - Google Apps Exclusion Rules

Overview of Google Apps Directory Sync 19 If you remove any users from your company, update Google Apps to reflect these changes. Many companies remo

Page 59 - Configuration 59

2 Release 4.0.2 Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 www.google.com Part number: GADS_4.0.2 November 5, 2014 © Copyright 2014 Goo

Page 60 - Pattern of users

20 Release 4.0.2 Server Requirements • A server to run GADS. The server should run one of the following operating systems: • Microsoft Windows (support

Page 61

Overview of Google Apps Directory Sync 21 Depending on your configuration, you may need the following levels of expertise for implementing GADS: • Goo

Page 63 - Configuration 63

Chapter 3 Getting Started 23 Getting Started Chapter 3 Overview This chapter discusses the steps you’ll take when you get started with Google Apps Directo

Page 64 - LDAP Configuration

24 Release 4.0.2 5. Prepare your server environment for synchronization. Confirm that you have a notification mail server ready. For more information,

Page 65 - LDAP Connection Settings

Getting Started 25 JXplorer To download the JXplorer Java Ldap Browser, go to: http://www.jxplorer.org Step Two: Collect LDAP Inventory You can deploy GAD

Page 66 - LDAP Org Units

26 Release 4.0.2 Research LDAP Structure Use an LDAP browser to collect information about your LDAP server and structure. You may find, while preparing

Page 67 - Org Unit Mappings

Getting Started 27 When conducting LDAP cleanup, consider the following actions. • Identify users. Identify which users you want to synchronize with Go

Page 68 - Examples of Mapping

28 Release 4.0.2 There are three ways to mark your Google Apps users in LDAP: • OU: Set up an organizational unit (OU) and move Google Apps users into

Page 69 - Add Mapping

Getting Started 29 Note: GADS does not create a domain for you, so you will need to add the domain before you use Directory Sync. Collect the exact dom

Page 70 - Org Unit Search Rules

3 This product includes software developed by The Apache Software Foundation (http://www.apache.org/). Portions of Derby were originally developed by I

Page 71 - Add Org Unit Search Rule

30 Release 4.0.2 queries, see “About LDAP Queries” on page 41. WARNING: Check to be sure that you are importing the correct number of users. If you imp

Page 72 - Org Unit Exclusion Rules

Getting Started 31 • Mailing Lists: Decide which mailing lists you want to synchronize from your LDAP directory server into Google Apps. Mailing lists

Page 73 - Configuration 73

32 Release 4.0.2 Autocomplete addresses. Important: Shared Contacts do not show up immediately. After you synchronize Shared Contacts, it may take up t

Page 74 - 74 Release 4.0.2

Getting Started 33 passwords. Because this password may be guessed by other users, this is not generally recommended as a secure option. Important: Be c

Page 75 - Add Rule

34 Release 4.0.2 For more information about deployment phases and the 3-phase deployment model, see “Directory Sync and Deployment” on page 15. Core IT

Page 76 - User Accounts

Getting Started 35 Users Set up exceptions for manually-added Core IT users, temporary administrators, or other users that are not part of your LDAP se

Page 77 - User Attributes

36 Release 4.0.2 Suspended Users You can synchronize Google Apps users as suspended users for testing Google Apps functionality. Suspended users can be

Page 78 - Setting Description

Getting Started 37 Sample Scenario The Google Apps administrator for MobiStep decides that the existing organization hierarchy on the LDAP server shoul

Page 79 - Additional User Attributes

38 Release 4.0.2 The administrator decides that MobiStep needs to synchronize: • OUs • Users • Aliases • Groups (mailing lists) • Shared contacts • Calendar r

Page 80 - 80 Release 4.0.2

Getting Started 39 Step Five: Prepare Your Servers for Synchronization Be sure that your servers and network are prepared for GADS. Notifications Mail S

Page 82

40 Release 4.0.2

Page 83

Chapter 4 LDAP Queries 41 LDAP Queries Chapter 4 About LDAP Queries GADS uses the LDAP query language to collect data from your directory server. Before

Page 84 - User Search Rules

42 Release 4.0.2 For examples of how these operators are used, see the common LDAP queries below. Common LDAP Queries The examples below show the most

Page 85

LDAP Queries 43 All user objects except for ones with primary email addresses that contain the word “test” (&(&(objectclass=user)(objectcatego

Page 87 - User Exclusion Rules

Chapter 5 Installation 45 Installation Chapter 5 About Installation Google Apps Directory Sync (GADS) is designed to run on Windows or Linux servers. The

Page 88 - 88 Release 4.0.2

46 Release 4.0.2 3. Download and run the installer. 4. Complete all the steps of the installer. The installer contains all needed components and can be

Page 89 - Configuration 89

Installation 47 If you upgrade GADS and then open a configuration file that you created in a previous version, you need to save that configuration fi

Page 90

48 Release 4.0.2

Page 91 - Configuration 91

Chapter 6 Configuration 49 Configuration Chapter 6 About Configuration Configuration Manager is a step-by-step graphical user interface that walks you th

Page 92 - Group Search Rules

Contents 5 Contents About This Guide 9 What This Guide Contains 9 Related Documentation 9 How to Send Comments About This Guide 10 Chapter 2: Overview of

Page 93 - Add Group Search Rule (LDAP)

50 Release 4.0.2 GADS includes several ways to customize search rules and filters. When collecting information from your LDAP server, you can define

Page 94 - 94 Release 4.0.2

Configuration 51 An LDAP query that would return too many results may time out. If this happens, do not create multiple configuration files to reduce

Page 95 - Configuration 95

52 Release 4.0.2 General Settings You specify which categories of object to synchronize from your LDAP server on the General Settings page. Specify the

Page 96 - 96 Release 4.0.2

Configuration 53 Google Apps Configuration Before you begin setup in Google Apps Configuration, collect information about your Google Apps domain and

Page 97 - Configuration 97

54 Release 4.0.2 Google Apps Connection Settings Enter your Google Apps connection information in this section. Specify the following: Google Apps Setti

Page 98 - Group Exclusion Rules

Configuration 55 Replace domain names in LDAP email addresses (of users and groups) with this domain name. If checked, all LDAP email addresses are ch

Page 99 - Example Group Exclusion Rules

56 Release 4.0.2 Authorizing using OAuth Click Authorize Now to set up your Authorization settings and create a verification code. Note: Customer who a

Page 100 - 100 Release 4.0.2

Configuration 57 Google Apps Proxy Settings Provide any necessary network proxy settings here. If your server does not require a proxy to connect to t

Page 101 - User Profiles

58 Release 4.0.2 Google Apps Exclusion Rules Exclusion rules let you omit specific users, groups, org units, calendar resources, and other Google Apps

Page 102 - User Profile Attributes

Configuration 59 Exclusion rules are based on string values and regular expressions, not LDAP settings. You can exclude user profiles or shared conta

Page 103 - Configuration 103

6 Release 4.0.2 Configuration Best Practices 51 General Settings 52 Google Apps Configuration 53 Google Apps Connection Settings 54 Google Apps Proxy Set

Page 104 - User Profile Search Rules

60 Release 4.0.2 For instance, if you add all your IT administrators to the organization path “administrators/IT” and your security administrators in

Page 105 - Add User Profile Search Rule

Configuration 61 Custom Google Apps Groups If you have groups listed in Google Apps that don’t match a mailing list in your LDAP directory server, Dir

Page 106 - 106 Release 4.0.2

62 Release 4.0.2 In the Add Exclusion Rule panel, specify the following to add an exclusion rule. Keep in mind that this is information on your Googl

Page 107 - User Profile Exclusion Rules

Configuration 63 Match Type The type of rule to match for the filter. • Exact Match: The address or organization name must match the rule exactly. Exam

Page 108 - Add Exclusion Rule

64 Release 4.0.2 LDAP Configuration The LDAP Configuration section configures how Directory Sync connects to your LDAP directory server and generates

Page 109 - Shared Contacts

Configuration 65 LDAP Connection Settings Specify your LDAP connection and authentication in this page. LDAP Connection Setting Description Server Type

Page 110 - How to use Shared Contacts

66 Release 4.0.2 Test Connection Once you have configured LDAP Authentication settings, click Test Connection. Configuration Manager will connect to y

Page 111 - Shared Contact Attributes

Configuration 67 Org Unit Mappings This shows a list of rules used when generating the LDAP org units. Specify how OUs on your LDAP server correspond t

Page 112 - 112 Release 4.0.2

68 Release 4.0.2 Examples of Mapping Listed below are samples of common mappings. Note that the exact text of these rules will vary based on your need

Page 113 - Shared Contact Search Rules

Configuration 69 Add Mapping To add a new search rule, click Add Mapping. Specify the following: Mapping Setting Description (LDAP) DN The Distinguished

Page 114 - 114 Release 4.0.2

Contents 7 Escalating Problems 145

Page 115 - Configuration 115

70 Release 4.0.2 Org Unit Search Rules This shows a list of rules used when generating the LDAP org units. By default, all org units that match these s

Page 116 - Rule Field Description

Configuration 71 Add Org Unit Search Rule To add a new search rule, click Add Search Rule and specify the fields in the dialog box. After specifying t

Page 117 - Configuration 117

72 Release 4.0.2 Org Unit Exclusion Rules If you have any org units on your LDAP directory server that match your search rules but should not be added

Page 118

Configuration 73 Some examples of reasons for LDAP org unit exclusion rules: • OUs for printers, conference rooms, and other non-user resources • Test

Page 119 - LDAP Calendar Resources

74 Release 4.0.2 Sample Substring Match: Defunct OUs Several organizational units are no longer in use because two nearby offices combined together. T

Page 120 - Calendar Resource Attributes

Configuration 75 Rule: ou=internal-test[0-9]*,dc=ad,dc=example,dc=com Add Rule Click Add Exclusion Rule to exclude an org unit in your LDAP server from

Page 121 - Configuration 121

76 Release 4.0.2 User Accounts The User Accounts section configures how Google Apps Directory Sync generates your LDAP user list for comparison. You m

Page 122 - Add Search Rule

Configuration 77 User Attributes Specify what attributes Google Apps Directory Sync will use when generating the LDAP user list. LDAP User Attribute Se

Page 123 - Configuration 123

78 Release 4.0.2 Google Apps Users Deletion / Suspension Policy Options for deleting and suspending users. Available options: • Delete only active Googl

Page 124 - 124 Release 4.0.2

Configuration 79 Additional User Attributes LDAP Extended Attributes are optional LDAP attributes that you can use to import additional information ab

Page 126

80 Release 4.0.2 Family Name Attribute(s) An LDAP attribute that contains each user’s family name. (In the English language, this is usually the last

Page 127 - Notifications

Configuration 81 Password Attribute An LDAP attribute that contains each user’s password. If you set this attribute, your users’ Google Apps password

Page 128 - 127.0.0.1

82 Release 4.0.2 Password Encryption Method The encryption algorithm that the password attribute uses. • SHA1: Passwords in your LDAP directory server

Page 129 - Test Notification

Configuration 83 Force new users to change password If checked, new users must change passwords the first time they log in to Google Apps. This allows

Page 130 - Logging Settings

84 Release 4.0.2 User Search Rules This shows a list of rules used when generating the LDAP user list. By default, all users that match these search ru

Page 131 - Logging Setting Description

Configuration 85 Add Search Rule To add a new search rule, click Add Search Rule and specify the fields in the dialog box. After specifying the fields

Page 132 - Validation Results

86 Release 4.0.2 Suspend these users in Google Apps Suspend all users that match this LDAP user sync rule. Directory Sync suspends users that already e

Page 133 - Configuration 133

Configuration 87 User Exclusion Rules If you have any users on your LDAP directory server that match your search rules but should not be added to Goog

Page 134 - 134 Release 4.0.2

88 Release 4.0.2 Exclusion rules are based on string values and regular expressions, not LDAP settings. Note: To exclude individual users, add a sepa

Page 135 - Synchronization

Configuration 89 Sample Substring Match: Printers In this example, printers are listed as LDAP users and would match the LDAP query given. However, th

Page 136 - Synchronization options

9 About This Guide What This Guide Contains The Google Apps Directory Sync Administration Guide provides information about: • Google Apps Directory Sync f

Page 137 - Scheduling Synchronization

90 Release 4.0.2 Add Exclusion Rule Click Add Exclusion Rule to exclude a user or organization in your LDAP server from synchronization, and specify t

Page 138 - Linux: cron

Configuration 91 Groups Set up synchronization for Google Groups for Work in the LDAP Groups page. Google Groups for Work are similar to LDAP mailing

Page 139 - Monitoring

92 Release 4.0.2 Group Search Rules Google Apps Directory Sync can synchronize Google Groups with your LDAP server’s mailing lists. This page shows the

Page 140 - 140 Release 4.0.2

Configuration 93 Add Group Search Rule (LDAP) To synchronize one or more mailing lists as Google Groups, click Add Search Rule and specify the fields

Page 141 - Release 4.0.2 Troubleshooting

94 Release 4.0.2 Specify the following: LDAP Group Rule Setting Description Scope Where to apply the mail list rule. Choose which option to user: • Sub-tr

Page 142 - Synchronization Rules

Configuration 95 Group Display Name Attribute An LDAP attribute that contains the display name of the group. This will be used in the display to descr

Page 143 - Connections and Security

96 Release 4.0.2 Member Literal Attribute (Either this field or Member Reference Attribute is required.) An attribute that contains the full email addr

Page 144 - LDAP Directory Server

Configuration 97 Add Group Search Rule (Prefix-Suffix) You may need Directory Sync to add a prefix or suffix to the value your LDAP server provides fo

Page 145 - Escalating Problems

98 Release 4.0.2 Group Exclusion Rules You can exclude particular mailing lists from being imported as groups. If you have any entries in your director

Page 146 - 146 Release 4.0.2

Configuration 99 Exclusion rules are based on string values and regular expressions, not LDAP settings. This page shows the list of exclusion rules. I
