If you want to synchronise your users and groups from UCS to a Google Workspace domain, there is no way around the Google Cloud Directory Sync (GCDS).
Here is a short how-to on setting this up.
This guide assumes the following environment:
- Workstation (GUI)
- UCS Server (CLI)
- LDAP is publicly accessible via port 636
- Google Workspace Domain
- UCS Keycloak as identity provider in Google
Setup
The official documentation describes step by step how to install and configure GCDS, which is a Java-based tool. It is recommended to use a system with a GUI for the initial configuration. GCDS can then be executed on a server to regularly sync the data between the LDAP server and Google Workspace based on the generated config.
If GCDS throws an LDAP SSL error, the following two lines must be added to sync-cmd.vmoptions and config-manager.vmoptions. Note that both options disable certificate revocation checking (CRL/CRL distribution points) for the Java TLS client:
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false
Installation
GUI (your workstation)
Download and run the script from the Google download page:
$ bash dirsync-linux64.sh
Follow the installation steps.
CLI (UCS Server)
- Copy the script to the server and execute it
- Press Enter
- Read the License Agreement and continue with Enter
- Accept the agreement with 1
- The default installation folder is fine
- Deactivate symlinks by pressing n
Configuration
Start the GCDS configurator with $ ./config-manager
Domain Settings
- Set the domain (domain.tld) and click on Authorize Now
LDAP Connection
- Create a simple auth user on UCS
- Server Type: OpenLDAP
- Connection Type: LDAP+SSL
- Host Name: server.domain.tld
- Port: 636
- Authentication Type: Simple
- Authorized User: uid=simple.ldap.auth,cn=users,dc=domain,dc=tld
- Password: XYZ
- Base DN: dc=domain,dc=tld
- Click Test connection
General Settings
- We want User Accounts and Groups to be in sync
User Account Sync
- User Attributes should be defined as follows:
- Email Address Attribute: mailPrimaryAddress
- Unique identifier Attribute: uid
- Alias Address Attribute: mailAlternativeAddress
- Check: Don’t suspend or delete Google users not found in LDAP
- If everything works, you can set this to auto suspend
- Check: Don’t suspend or delete Google domain super admins not found in LDAP
- Switch to: Additional User Attributes
- Configure as follows:
- Given Name Attribute: givenName
- Family Name Attribute: sn
- Display Name Attribute: displayName
- User Password Sync
- Check: Only for new users
- Password Attribute: fakeUserPassword ← this attribute does not exist and causes the sync to always generate one
- Password Encryption: SHA1
- Generated password length: 20
- Switch to: Search Rules
- Rule: (!(shadowExpire=1)) ← define further rules to sync only the users you need
Groups Sync
- Check: Sync managers based on LDAP server
- Create a sync rule as follows:
- Rule: (&(mailPrimaryAddress=*)(objectClass=posixGroup))
- Group Email Address Attribute: mailPrimaryAddress ← This has the advantage that only groups that have a mail address set are synchronised
- Group Display Name Attribute: cn
- Group Description Attribute: description
- User Email Address Attribute: mailPrimaryAddress
- Member Reference Attribute: uniqueMember
- Press Test LDAP Query to check if it works
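To preview which entries the user rule (!(shadowExpire=1)) and the group rule (&(mailPrimaryAddress=*)(objectClass=posixGroup)) actually select before you click Test LDAP Query or Simulate sync, here is an added example that is not part of the original post: a small evaluator for the filter elements used on this page (&, |, !, equality, presence), run against constructed UCS-style entries. The DNs, attribute values and the helper names parse/matches/select are made up for the example.

```python
def parse(s, i=0):
    """Parse one filter starting at s[i]; return (node, index just past it)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        return (op, children), i + 1            # skip the closing ')'
    if s[i] == "!":
        child, i = parse(s, i + 1)
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lower-case attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                              # presence filter, e.g. (mailPrimaryAddress=*)
        return bool(values)
    return value.lower() in values                # absent attribute -> False, so (!(shadowExpire=1)) still matches

def select(filt, entries):
    """Return the DNs that a GCDS search rule would hand to the sync."""
    node, _ = parse(filt)
    return [e["dn"] for e in entries if matches(node, e)]
# Constructed sample entries (not real directory data); attribute names are lower-cased like in parse().
USERS = [
    {"dn": "uid=alice,cn=users,dc=domain,dc=tld", "uid": ["alice"], "mailprimaryaddress": ["alice@domain.tld"]},
    {"dn": "uid=bob,cn=users,dc=domain,dc=tld", "uid": ["bob"], "shadowexpire": ["1"]},          # deactivated in UCS
    {"dn": "uid=carol,cn=users,dc=domain,dc=tld", "uid": ["carol"], "shadowexpire": ["20000"]},  # dated expiry, not "1"
]
GROUPS = [
    {"dn": "cn=sales,cn=groups,dc=domain,dc=tld", "objectclass": ["posixGroup", "univentionGroup"], "mailprimaryaddress": ["sales@domain.tld"]},
    {"dn": "cn=Domain Users,cn=groups,dc=domain,dc=tld", "objectclass": ["posixGroup", "univentionGroup"]},
    {"dn": "cn=printers,cn=groups,dc=domain,dc=tld", "objectclass": ["univentionGroup"], "mailprimaryaddress": ["printers@domain.tld"]},
]
USER_RULE = "(!(shadowExpire=1))"
GROUP_RULE = "(&(mailPrimaryAddress=*)(objectClass=posixGroup))"
```

select(USER_RULE, USERS) returns only alice and carol (bob is deactivated, and a user without shadowExpire is still included), while select(GROUP_RULE, GROUPS) returns only the sales group, the one posixGroup that has a mail address.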
Notifications
Configure an SMTP relay here
Test sync, run sync
You can now run the sync on the sync page. In any case, first click on Simulate sync.
If everything looks good, run the sync productively.
If this also runs smoothly, save your config with File > save as (in this case: gcds_config.xml).
Then copy the config to your UCS server.
Copy config to UCS
On GUI:
- Run
./upgrade-config -exportkeys gcds_keys
- Copy the files to the destination server:
scp gcds_keys gcds_config.xml <USER>@<IP_UCS>:/home/<USER>/
- Connect to the UCS server:
ssh <USER>@<IP_UCS>
- Move the config file to the target directory:
sudo mv /home/<USER>/gcds_* /opt/GoogleCloudDirSync/
- Finally import the keys:
cd /opt/GoogleCloudDirSync/; sudo ./upgrade-config -importkeys gcds_keys
Run on UCS
cd /opt/GoogleCloudDirSync/
- Test run → sudo ./sync-cmd -c gcds_config.xml
- Prod run → sudo ./sync-cmd -a -c gcds_config.xml
Automatic sync
Now, of course, it makes sense to trigger the sync automatically, e.g. when a user is created or a group is changed.
UCS has given us the Univention listener for this purpose.
With the HowTo's from UCS you can now create a listener which triggers the GCDS when a new user is created or a change is made to a user and syncs the changes to Google.
The function in the listener can then look like this, for example:
import subprocess

def sync_google():
    # Run GCDS productively (-a) with the exported config after a directory change
    subprocess.run(["bash", "/opt/GoogleCloudDirSync/sync-cmd", "-c", "/opt/GoogleCloudDirSync/gcds_config.xml", "-a"], check=True)