Google Cloud Directory Sync (GCDS) - How To

If you want to synchronise the users and groups of a UCS domain into a Google Workspace domain, Google Cloud Directory Sync (GCDS) is the tool for it.
Here is a short how-to on setting it up.

This guide assumes the following environment:

  • Workstation (GUI)
  • UCS Server (CLI)
    • LDAPS (port 636) reachable from the machines that run GCDS: the workstation for the initial configuration and later the UCS server itself. Restrict it to those hosts at the firewall rather than exposing the directory to the whole internet.
  • Google Workspace domain
  • UCS Keycloak as identity provider in Google

Setup

The official documentation describes step by step how to install and configure GCDS, a Java-based tool. Use a system with a GUI for the initial configuration; GCDS can then run on a server and sync the data between the LDAP server and Google Workspace on a schedule, based on the generated config.

If GCDS throws an LDAP SSL error, adding the following two lines to sync-cmd.vmoptions and config-manager.vmoptions makes it go away:

    -Dcom.sun.net.ssl.checkRevocation=false
    -Dcom.sun.security.enableCRLDP=false

Be aware of what they do: they switch off certificate revocation checking (CRL lookups) for the LDAPS connection. If the actual error is that the UCS CA is not trusted, import the UCS CA certificate into the trust store of the Java runtime GCDS uses instead of weakening the checks.

Installation

GUI (your workstation)

Download the installer from the Google download page and run it:

$ bash dirsync-linux64.sh

Follow the installation steps.

CLI (UCS Server)

  • Copy the installer script to the server and execute it
  • Press Enter to start
  • Read the License Agreement and continue with Enter
  • Accept the agreement by entering 1
  • Keep the default installation folder (/opt/GoogleCloudDirSync)
  • Decline creating symlinks by entering n

Configuration

Start the GCDS configurator with $ ./config-manager

Domain Settings

  • Set the domain (domain.tld) and click on Authorize Now

LDAP Connection

  • Create a dedicated simple authentication account on UCS for the bind; it only needs read access to the users and groups GCDS should see, so do not reuse an Administrator account
  • Server Type: OpenLDAP
  • Connection Type: LDAP+SSL
  • Host Name: server.domain.tld
  • Port: 636
  • Authentication Type: Simple
  • Authorized User: uid=simple.ldap.auth,cn=users,dc=domain,dc=tld
  • Password: XYZ
  • Base DN: dc=domain,dc=tld
  • Click Test connection

General Settings

  • Select User Accounts and Groups

User Account Sync

  • User Attributes should be defined as follows:
    • Email Address Attribute: mailPrimaryAddress
    • Unique Identifier Attribute: uid
    • Alias Address Attribute: mailAlternativeAddress
  • Check: Don’t suspend or delete Google users not found in LDAP
    • Once everything works, you can change this to suspending them automatically
  • Check: Don’t suspend or delete Google domain super admins not found in LDAP
  • Switch to: Additional User Attributes and configure as follows:
    • Given Name Attribute: givenName
    • Family Name Attribute: sn
    • Display Name Attribute: displayName
  • User Password Sync
    • Check: Only for new users
    • Password Attribute: fakeUserPassword (this attribute does not exist in UCS, so the sync always generates a password)
    • Password Encryption: SHA1
    • Generated password length: 20
    • With Keycloak as identity provider, nobody logs in to Google with this password, and no real UCS password hashes are ever sent to Google
  • Switch to: Search Rules
    • Rule: (!(shadowExpire=1)). UCS sets shadowExpire to 1 when an account is deactivated, so deactivated users are left out; add further conditions to sync only the users you need (for example, only objects that actually have a mailPrimaryAddress)

Groups Sync

  • Check: Sync managers based on LDAP server
  • Create a sync rule as follows:
    • Rule: (&(mailPrimaryAddress=*)(objectClass=posixGroup))
    • Group Email Address Attribute: mailPrimaryAddress (this way only groups that have a mail address set are synchronised)
    • Group Display Name Attribute: cn
    • Group Description Attribute: description
    • User Email Address Attribute: mailPrimaryAddress
    • Member Reference Attribute: uniqueMember
  • Press Test LDAP Query to check that it works
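Both search rules above (the user rule and the group rule) are plain LDAP filters, and it pays to check what they select before pointing GCDS at production. The following is an added example, not code from the original post, GCDS or UCS: a small evaluator for the filter subset these rules use (&, |, !, equality and presence), applied to constructed sample entries. The sample DNs, the attribute values and the stricter user rule are assumptions for the illustration. It makes visible what the how-to's rule leaves implicit: (!(shadowExpire=1)) matches every object that is not a deactivated user, including groups and users without a mail address, and an account whose expiry date has passed (shadowExpire holding a day number rather than 1) is still matched.

```python
import re

# Added example (not from the original post, GCDS or UCS): evaluator for the
# RFC 4515 filter subset used by the GCDS search rules in this how-to.
# Substring, >=, <=, ~= and extensible filters raise ValueError instead of
# being silently mis-evaluated.

USER_RULE = '(!(shadowExpire=1))'                                 # user rule from the how-to
STRICT_USER_RULE = '(&(objectClass=posixAccount)(mailPrimaryAddress=*)(!(shadowExpire=1)))'  # assumed tighter variant
GROUP_RULE = '(&(mailPrimaryAddress=*)(objectClass=posixGroup))'  # group rule from the how-to

# Constructed sample entries shaped like UCS objects: attribute -> list of values.
SAMPLE_ENTRIES = {
    'uid=alice,cn=users,dc=domain,dc=tld': {
        'objectClass': ['posixAccount', 'shadowAccount'], 'uid': ['alice'],
        'mailPrimaryAddress': ['alice@domain.tld']},
    'uid=bob,cn=users,dc=domain,dc=tld': {                    # deactivated in UCS
        'objectClass': ['posixAccount', 'shadowAccount'], 'uid': ['bob'],
        'mailPrimaryAddress': ['bob@domain.tld'], 'shadowExpire': ['1']},
    'uid=carol,cn=users,dc=domain,dc=tld': {                  # expiry date in the past: a day number, not 1
        'objectClass': ['posixAccount', 'shadowAccount'], 'uid': ['carol'],
        'mailPrimaryAddress': ['carol@domain.tld'], 'shadowExpire': ['19000']},
    'uid=dave,cn=users,dc=domain,dc=tld': {                   # no mail address at all
        'objectClass': ['posixAccount', 'shadowAccount'], 'uid': ['dave']},
    'cn=staff,cn=groups,dc=domain,dc=tld': {
        'objectClass': ['posixGroup'], 'cn': ['staff'], 'mailPrimaryAddress': ['staff@domain.tld'],
        'uniqueMember': ['uid=alice,cn=users,dc=domain,dc=tld']},
    'cn=Domain Users,cn=groups,dc=domain,dc=tld': {            # no mail address: not meant to become a Google group
        'objectClass': ['posixGroup'], 'cn': ['Domain Users']},
}

_ATTR_RE = re.compile(r'^([A-Za-z][A-Za-z0-9.;-]*)=(.*)$')


def _split_list(body):
    """Split the operand list of an &, | or ! filter: '(a=1)(b=2)' -> ['(a=1)', '(b=2)']."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
            elif depth < 0:
                break
    if depth != 0 or ''.join(parts) != body:   # unbalanced parens or stray text between operands
        raise ValueError('malformed filter list: %s' % body)
    return parts


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP, so look the attribute up that way."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def matches(entry, filt):
    """True if the entry satisfies the filter."""
    filt = filt.strip()
    if len(filt) < 2 or filt[0] != '(' or filt[-1] != ')':
        raise ValueError('filter must be enclosed in parentheses: %s' % filt)
    body = filt[1:-1]
    if body[:1] == '&':
        return all(matches(entry, f) for f in _split_list(body[1:]))
    if body[:1] == '|':
        return any(matches(entry, f) for f in _split_list(body[1:]))
    if body[:1] == '!':
        operands = _split_list(body[1:])
        if len(operands) != 1:
            raise ValueError('NOT takes exactly one filter: %s' % filt)
        return not matches(entry, operands[0])
    m = _ATTR_RE.match(body)
    if not m:
        raise ValueError('unsupported filter (only equality, presence and &|! are handled): %s' % filt)
    attr, value = m.group(1), m.group(2)
    vals = _values(entry, attr)
    if value == '*':
        return bool(vals)                                   # presence: at least one value
    if '*' in value:
        raise ValueError('substring filters are not supported: %s' % filt)
    return any(v.lower() == value.lower() for v in vals)    # caseIgnore equality, as for most UCS attributes


def select(entries, rule):
    """Sorted DNs below the Base DN that a GCDS search rule would pick up."""
    return sorted(dn for dn, entry in entries.items() if matches(entry, rule))


if __name__ == '__main__':
    for label, rule in (('users', USER_RULE), ('users (strict)', STRICT_USER_RULE), ('groups', GROUP_RULE)):
        print('%-15s %s' % (label, rule))
        for dn in select(SAMPLE_ENTRIES, rule):
            print('    ' + dn)
```

On the UCS server the same filters can be checked against live data before they go into GCDS, e.g. univention-ldapsearch '(&(objectClass=posixAccount)(mailPrimaryAddress=*)(!(shadowExpire=1)))' uid mailPrimaryAddress, which is also the quickest way to spot accounts the rule would hand to Google that you did not intend.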

Notifications

Configure an SMTP relay here so that GCDS can mail you the sync reports.

Test sync, run sync

You can now run the sync on the Sync page. In any case, first click Simulate sync and read through the simulation report.

If everything looks good, run the sync for real.
If that also runs smoothly, save your config with File > Save as (in this case: gcds_config.xml).
Then copy the config to your UCS.


Copy config to UCS

On the GUI workstation:

  • Export the encryption keys: ./upgrade-config -exportkeys gcds_keys
  • Copy the files to the destination server: scp gcds_keys gcds_config.xml <USER>@<IP_UCS>:/home/<USER>/
  • Connect to the UCS server: ssh <USER>@<IP_UCS>
  • Move the files to the target directory: sudo mv /home/<USER>/gcds_* /opt/GoogleCloudDirSync/
  • Finally import the keys: cd /opt/GoogleCloudDirSync/; sudo ./upgrade-config -importkeys gcds_keys

The config holds the LDAP bind password and the Google authorisation in encrypted form, and the key file is what decrypts them. Treat both like a private key: keep them owned by root with mode 600 and make sure no copy is left behind in the home directory.

Run on UCS

  • cd /opt/GoogleCloudDirSync/
  • Test run (simulation only, nothing is changed in Google) → sudo ./sync-cmd -c gcds_config.xml
  • Prod run (-a applies the changes) → sudo ./sync-cmd -a -c gcds_config.xml

Automatic sync

Now, of course, it makes sense to trigger the sync automatically, e.g. when a user is created or a group is changed.

UCS provides the Univention Directory Listener for this purpose.

With the UCS HowTos you can create a listener module that runs GCDS whenever a user is created or changed and so pushes the change to Google.

The function in the listener module can then look like this, for example:

import subprocess
def sync_google():
    # Run GCDS in apply mode (-a) with the config copied to the server; an argument list instead of os.system() keeps the paths out of a shell
    subprocess.run(["/opt/GoogleCloudDirSync/sync-cmd", "-a", "-c", "/opt/GoogleCloudDirSync/gcds_config.xml"], check=True)
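A complete module around that function, as an added example that is not code from the original post, Univention or Google: it uses the legacy UCS listener module API (module-level name, description, filter and attributes plus a handler(dn, new, old) function), only reacts to the attributes GCDS actually maps in this how-to, and serialises GCDS runs through a lock so that a burst of LDAP changes results in at most two consecutive syncs instead of one per change. The lock and flag paths are assumptions, as is the GCDS install directory from this how-to.

```python
import fcntl
import os
import subprocess
import sys

# Added example (not from the original post, Univention or Google): UCS listener
# module, legacy API, that runs GCDS after relevant user or group changes.
# Assumed: GCDS lives in /opt/GoogleCloudDirSync with gcds_config.xml from this
# how-to; the lock and flag paths are choices, not UCS defaults.

try:
    import listener          # provided by the UCS listener daemon
except ImportError:          # outside UCS, e.g. when this module is imported for a test
    listener = None

name = 'gcds-trigger'
description = 'Run Google Cloud Directory Sync after user or group changes'
filter = '(|(objectClass=posixAccount)(objectClass=posixGroup))'
# With `attributes` set, the listener calls handler() only for creates, deletes and
# modifications of these attributes, i.e. the ones GCDS maps in this how-to.
attributes = ['uid', 'mailPrimaryAddress', 'mailAlternativeAddress', 'givenName', 'sn',
              'displayName', 'shadowExpire', 'cn', 'description', 'uniqueMember']

GCDS_DIR = '/opt/GoogleCloudDirSync'
GCDS_CMD = [os.path.join(GCDS_DIR, 'sync-cmd'), '-a', '-c', os.path.join(GCDS_DIR, 'gcds_config.xml')]
LOCK_FILE = '/run/gcds-trigger.lock'     # assumed path
RERUN_FLAG = '/run/gcds-trigger.rerun'   # assumed path


def changed(new, old, watched=tuple(attributes)):
    """True for a create (old empty), a delete (new empty) or a change of a watched attribute."""
    if not new or not old:
        return True
    return any(sorted(new.get(a, [])) != sorted(old.get(a, [])) for a in watched)


def run_sync(cmd=GCDS_CMD, lock_file=LOCK_FILE, rerun_flag=RERUN_FLAG):
    """Run GCDS, serialised through an exclusive lock.

    Returns how many sync runs this call performed.  If another run already holds the
    lock, only the rerun flag is set and 0 is returned; the lock holder sees the flag
    when its run finishes and syncs once more, so changes that arrived during a run
    are not lost and a burst collapses into at most two consecutive GCDS runs.
    """
    runs = 0
    with open(lock_file, 'w') as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            open(rerun_flag, 'w').close()
            return 0
        while True:
            if os.path.exists(rerun_flag):
                os.unlink(rerun_flag)
            result = subprocess.run(cmd)
            runs += 1
            if result.returncode != 0:
                sys.stderr.write('%s: GCDS exited with status %d\n' % (name, result.returncode))
            if not os.path.exists(rerun_flag):
                return runs


def handler(dn, new, old):
    """Entry point called by the UCS listener for every object matching `filter`."""
    if not changed(new, old):
        return
    listener.setuid(0)       # the listener runs unprivileged; GCDS needs to write into its own directory
    try:
        run_sync()
    finally:
        listener.unsetuid()
```

Save the module as /usr/lib/univention-directory-listener/system/gcds-trigger.py and restart univention-directory-listener. Note that handler() blocks the listener for the duration of the GCDS run; for a large or busy directory, let the handler only create the rerun flag and have a cron job or systemd timer call run_sync(), which clears the flag. UCS 4.3 and later also offer a class-based listener API (univention.listener.ListenerModuleHandler); the locking and change detection carry over unchanged.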