GCDS - Google dir sync and UCS5

Hi. Since the G Suite connector was discontinued, I decided to try Google’s Directory Sync:
https://tools.google.com/dlpage/dirsync

The process is simple, without much detail:

  1. Install dirsync on your laptop (either Windows or Linux); also install dirsync on the UCS5 server.

  2. Use config-manager to configure it as you wish; you can log in to your Gmail (Google Workspace) account and create an auth token.
    This is part of my config:
    Server type OpenLDAP
    Standard LDAP
    port 7389
    Auth type Simple
    authorised user: uid=Administrator,cn=users,dc=subdomain,dc=example,dc=com
    Base DN dc=subdomain,dc=example,dc=com
    I am only syncing users, and this is my search filter:
    memberOf=cn=Domain Users,cn=groups
    type Sub-tree

    Email address attribute: mail; unique identifier: uidNumber; then the givenName and sn attributes for first name and last name.

  3. Save the config as an XML file. You do not need to simulate/test in the dirsync app at this stage. You must export the config and auth token; see the steps below:

  4. Save the config as XML and copy it to your UCS5 server.

  5. Export the auth token and copy it to your UCS5 server:
    ./upgrade-config -exportkeys filename.foo

All the above steps were done on the laptop; the steps below are done on the UCS5 server.

  1. Import the auth token (you might need to use sudo):
    ./upgrade-config -importkeys filename.foo

  2. Run the command below to test the config:
    sudo ./upgrade-config -testldap -c config.xml

However, the program does not find anything in LDAP.

[2022-06-27 16:02:32,451+0100] [main] [WARN] [usersyncapp.cli.UpgradeConfig] Upgrading configuration file "config.xml" to most recent version (will save a backup).
[2022-06-27 16:02:32,972+0100] [main] [INFO] [plugin.ldap.LdapQueryExecutorImpl] Executing LDAP query:
base dn: "dc=subdomain,dc=example,dc=com"
filter: "(mail=*)"
scope: "OBJECT"
context name: "default"
attributes: ""
[2022-06-27 16:02:32,994+0100] [main] [INFO] [plugin.ldap.LdapQueryExecutorImpl] Processed 0 results from LDAP search
LDAP Connection Successful

But if I run this command, I get results:

root@ucs5:~# univention-ldapsearch -x "memberOf=cn=Domain Users,cn=groups,dc=subdomain,dc=example,dc=com" | grep ^mail | wc -l
13

What am I configuring wrong?

I have tried configuring the search filter as objectClass=*, which works with the univention-ldapsearch command, but still no luck with dirsync.

I still have no luck solving this. However, I did more troubleshooting: I enabled LDAP debug logs and captured some activity. Just to clarify, the output below is from Google’s (GCDS) dirsync program, written in Java, trying to get data from OpenLDAP:

[2022-06-27 16:02:32,451+0100] [main] [WARN] [usersyncapp.cli.UpgradeConfig] Upgrading configuration file "config.xml" to most recent version (will save a backup).
[2022-06-27 16:02:32,972+0100] [main] [INFO] [plugin.ldap.LdapQueryExecutorImpl] Executing LDAP query:
base dn: "dc=subdomain,dc=example,dc=com"
filter: "(mail=*)"
scope: "OBJECT"
context name: "default"
attributes: ""
[2022-06-27 16:02:32,994+0100] [main] [INFO] [plugin.ldap.LdapQueryExecutorImpl] Processed 0 results from LDAP search
LDAP Connection Successful

This is part of the LDAP debug-mode log from syslog:

Jul  1 09:18:46 ucs5 slapd[30444]: => acl_mask: access to entry "dc=domain,dc=example,dc=com", attr "entry" requested
Jul  1 09:18:46 ucs5 slapd[30444]: => acl_mask: to all values by "uid=administrator,cn=users,dc=domain,dc=example,dc=com", (=0)
Jul  1 09:18:46 ucs5 slapd[30444]: <= check a_sockname_path: PATH=/var/run/slapd/ldapi
Jul  1 09:18:46 ucs5 slapd[30444]: <= check a_dn_pat: uid=administrator,cn=users,dc=domain,dc=example,dc=com
Jul  1 09:18:46 ucs5 slapd[30444]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jul  1 09:18:46 ucs5 slapd[30444]: <= acl_mask: [2] mask: write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: => slap_access_allowed: search access granted by write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: => access_allowed: search access granted by write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: => access_allowed: search access to "dc=domain,dc=example,dc=com" "mail" requested
Jul  1 09:18:46 ucs5 slapd[30444]: => dn: [3] cn=admin,dc=domain,dc=example,dc=com
Jul  1 09:18:46 ucs5 slapd[30444]: => acl_get: [4] attr mail
Jul  1 09:18:46 ucs5 slapd[30444]: => acl_mask: access to entry "dc=domain,dc=example,dc=com", attr "mail" requested
Jul  1 09:18:46 ucs5 slapd[30444]: => acl_mask: to all values by "uid=administrator,cn=users,dc=domain,dc=example,dc=com", (=0)
Jul  1 09:18:46 ucs5 slapd[30444]: <= check a_sockname_path: PATH=/var/run/slapd/ldapi
Jul  1 09:18:46 ucs5 slapd[30444]: <= check a_dn_pat: uid=administrator,cn=users,dc=domain,dc=example,dc=com
Jul  1 09:18:46 ucs5 slapd[30444]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jul  1 09:18:46 ucs5 slapd[30444]: <= acl_mask: [2] mask: write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: => slap_access_allowed: search access granted by write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: => access_allowed: search access granted by write(=wrscxd)
Jul  1 09:18:46 ucs5 slapd[30444]: daemon: activity on 1 descriptor

There is nothing in logs mentioning memberOf=cn=Domain Users,cn=groups or Domain Users at all.

What I think is happening is this: before the “dirsync” program filters users using the search memberOf=cn=Domain Users,cn=groups, it must first obtain data from LDAP using this search:

base dn: "dc=subdomain,dc=example,dc=com"
filter: "(mail=*)"
scope: "OBJECT"
context name: "default"
attributes: ""

Basically, search “dc=subdomain,dc=example,dc=com” with attributes “mail”. But this search returns 0 results.

root@ucs5:/opt/GoogleCloudDirSync# ldapsearch -x "dc=domain,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=example,dc=com> (default) with scope subtree
# filter: dc=domain,dc=example,dc=com
# requesting: ALL
#

# search result
search: 2
result: 50 Insufficient access

# numResponses: 1

root@ucs5:/opt/GoogleCloudDirSync# ldapsearch -x "dc=domain,dc=example,dc=com" | grep mail | wc -l
0

What am I doing wrong, how to fix this? Please advise. LDAP is not my cup of tea.

OK, I think I should try a different command. I tried the one below and got some results:

# ldapsearch -x -b "dc=domain,dc=example,dc=com" -D uid=local.admin,cn=users,dc=domain,dc=example,dc=com -W mail

...
< a lot of output >
...

# search result
search: 2
result: 0 Success

# numResponses: 351
# numEntries: 350

Could it be because ldapsearch does not understand “memberOf” in
"memberOf=cn=Domain Users,cn=users,dc=domain,dc=example,dc=com"?

How else can I filter users by specific group?
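Added example (not code from the original poster, GCDS or UCS): a small, standard-library-only Python model of the searches discussed in this thread. It holds a handful of constructed UCS-style entries in memory and shows three things a practitioner would want to check: that the query GCDS logs on its connection test (scope OBJECT, i.e. base scope, filter (mail=*) on the root DN) matches nothing in such a tree because the root entry has no mail attribute; that an RFC 4515 equality filter on memberOf only matches when the value is the group's full DN, as in the univention-ldapsearch command earlier in the thread (a partial DN such as cn=Domain Users,cn=groups matches nothing in this model); and, as an answer to the group-filtering question above, that reading the group's uniqueMember values and resolving them to user entries is another way to list members. It also escapes DN values before placing them in a filter, which is the habit that prevents filter injection when group names come from user input. All DNs, user names and addresses are constructed placeholders, and the model assumes GCDS passes the configured filter to the server unchanged.

```python
"""Toy in-memory model of the LDAP searches discussed in this thread.

Added example; not code from GCDS, UCS or the original poster. All entries,
DNs and addresses below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

BASE_DN = "dc=subdomain,dc=example,dc=com"
GROUP_DN = f"cn=Domain Users,cn=groups,{BASE_DN}"


def _user(uid: str, mail: str = "", groups: Tuple[str, ...] = ()) -> Dict[str, List[str]]:
    """Build a constructed user entry; attribute names are stored lower-cased."""
    entry = {"objectclass": ["person", "posixAccount"], "uid": [uid],
             "givenname": [uid.title()], "sn": ["Example"]}
    if mail:
        entry["mail"] = [mail]
    if groups:
        entry["memberof"] = list(groups)
    return entry


# Constructed directory: DN -> attributes. carol has mail but is not in the group;
# svc-backup is in the group but has no mail.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    BASE_DN: {"objectclass": ["domain"], "dc": ["subdomain"]},
    f"cn=users,{BASE_DN}": {"objectclass": ["organizationalRole"], "cn": ["users"]},
    f"cn=groups,{BASE_DN}": {"objectclass": ["organizationalRole"], "cn": ["groups"]},
    GROUP_DN: {"objectclass": ["posixGroup"], "cn": ["Domain Users"],
               "uniquemember": [f"uid=alice,cn=users,{BASE_DN}", f"uid=bob,cn=users,{BASE_DN}",
                                f"uid=svc-backup,cn=users,{BASE_DN}"]},
    f"uid=alice,cn=users,{BASE_DN}": _user("alice", "alice@example.com", (GROUP_DN,)),
    f"uid=bob,cn=users,{BASE_DN}": _user("bob", "bob@example.com", (GROUP_DN,)),
    f"uid=carol,cn=users,{BASE_DN}": _user("carol", "carol@example.com"),
    f"uid=svc-backup,cn=users,{BASE_DN}": _user("svc-backup", "", (GROUP_DN,)),
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: encode the characters that would change filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(f: str, i: int = 0):
    """Parse the RFC 4515 subset used here: (attr=value), (attr=*), (&...), (|...).

    Returns (node, index_after_item). A literal '*' value is a presence test;
    an escaped \\2a is a literal asterisk and is treated as an equality value.
    """
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while i < len(f) and f[i] == "(":
            node, i = parse_filter(f, i)
            kids.append(node)
        if i >= len(f) or f[i] != ")":
            raise ValueError("unbalanced parentheses")
        return (op, kids), i + 1
    j = f.find(")", i)
    if j < 0 or "=" not in f[i + 1:j]:
        raise ValueError("malformed simple filter item")
    attr, raw = f[i + 1:j].split("=", 1)   # a DN value keeps its own '=' signs
    node = ("present", attr.lower()) if raw == "*" else ("equal", attr.lower(), _unescape(raw))
    return node, j + 1


def matches(node, attrs: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, attrs) for k in node[1])
    vals = attrs.get(node[1], [])
    if node[0] == "present":
        return bool(vals)
    return any(v.lower() == node[2].lower() for v in vals)


def in_scope(dn: str, base: str, scope: str) -> bool:
    """scope is 'base' (GCDS logs it as OBJECT), 'one' or 'sub'."""
    dn_l, base_l = dn.lower(), base.lower()
    if dn_l == base_l:
        return scope in ("base", "sub")
    if not dn_l.endswith("," + base_l):
        return False
    if scope == "one":
        return "," not in dn_l[: -(len(base_l) + 1)]   # exactly one RDN below base
    return scope == "sub"


def search(base: str, scope: str, filter_str: str) -> List[str]:
    """Return the sorted DNs of entries in scope that match the filter."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and matches(node, attrs))


def group_mail_filter(group_dn: str) -> str:
    """Filter for mail-enabled members of a group; the DN is escaped before use."""
    return f"(&(mail=*)(memberOf={escape_filter_value(group_dn)}))"


def members_by_uniquemember(group_dn: str) -> List[str]:
    """Alternative: read the group's uniqueMember DNs and keep those with mail."""
    member_dns = DIRECTORY.get(group_dn, {}).get("uniquemember", [])
    return sorted(dn for dn in member_dns if DIRECTORY.get(dn, {}).get("mail"))


if __name__ == "__main__":
    print(search(BASE_DN, "base", "(mail=*)"))                             # [] : root has no mail
    print(search(BASE_DN, "sub", "(mail=*)"))                              # alice, bob, carol
    print(search(BASE_DN, "sub", "(memberOf=cn=Domain Users,cn=groups)"))  # [] : partial DN
    print(search(BASE_DN, "sub", group_mail_filter(GROUP_DN)))             # alice, bob
    print(members_by_uniquemember(GROUP_DN))                               # alice, bob
```

The two checks this suggests against a real server are a sub-scope ldapsearch with -b set to the base DN and the filter (&(mail=*)(memberOf=<full group DN>)), and, if memberOf is not what the sync tool evaluates, a search of the group entry itself for its uniqueMember values. Escaping the DN with escape_filter_value matters as soon as a group name contains parentheses, asterisks or backslashes, because those characters otherwise alter the filter's structure.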
