Use the Google Cloud Directory Sync (GCDS) Configuration Manager to create and test a configuration file for a synchronization. The information below gives you more detail on the fields in Configuration Manager.
You open Configuration Manager from the Start menu.
Connect, notify, & log
Specify your LDAP connection and authentication information on the LDAP Configuration page. After you enter the information, click Test connection. If the connection fails, see:
If your LDAP server supports SSL or you're using Microsoft Active Directory on a Windows server with LDAP signing enabled, choose LDAP+SSL and enter the correct port number (below). Otherwise, choose Standard LDAP.
Examples: ad.example.com or 10.22.1.1.
Specify the host port. Commonly-used options:
- For Standard LDAP, use 389.
- For LDAP over SSL, use 636.
Note: If you’re using Active Directory, you can use 3268 (Global Catalog) or 3269 (Global Catalog over SSL).
Example: 389
If your LDAP server allows anonymous connections and you want to connect anonymously, select Anonymous. Otherwise, select Simple.
If your LDAP directory server requires a domain for login, include the domain for the user as well.
Example: admin1
Example: swordfishX23
Enter the Base DN for the subtree to synchronize. Don't include spaces between commas. If you don’t know the Base DN, consult your LDAP administrator or check an LDAP browser.
If you leave this field empty, all domains in the forest are searched.
Example: ou=test,ou=sales,ou=melbourne,dc=ad,dc=example,dc=com
Following a synchronization, GCDS sends an email to specified users that can be used to verify the sync and troubleshoot any issues. On the Notifications page, you can specify who is notified and your mail server settings.
The SMTP mail server to use for notifications. GCDS uses this mail server as a relay host.
Example:
- 127.0.0.1
- smtp.gmail.com
Check the box to use SMTP with TLS (required with smtp.gmail.com).
Supported TLS versions—1.0, 1.1, and 1.2 (supported from GCDS version 4.7.6 onwards).
Password
Example:
- User Name: admin@solarmora.com
- Password: ud6rTYX2!
Example: admin@solarmora.com
Notifications are sent to all addresses on this list. To enter multiple addresses, click Add after each email address.
Depending on your mail server settings, GCDS might be unable to send mail to external email addresses. Click Test Notification to confirm that mail is sent correctly.
Example: dirsync-admins@solarmora.com
Limit the information sent in notification emails. You can choose to exclude:
- Extra details–For example, a list of excluded objects.
- Warnings–Warning messages.
- Errors–Error messages.
Example: Set up notifications for users in your Google Account
- For SMTP Relay Host, enter smtp.gmail.com.
- Check the Use SMTP with TLS box.
- For User Name, enter your Google Account email address.
- For Password, enter your password.
- If you use 2-Step Verification, you need to create an App Password. For details, see Sign in using App Passwords.
- For From address, enter the address that you want as the sender for the notification emails.
- For To addresses, enter the email addresses of users who should receive GCDS reports. To enter multiple addresses, click Add after each email address.
- (Optional) If the SMTP connection is broken, use a packet capture tool, such as Wireshark, to identify the root cause of the issue.
Specify the settings for logging on the Logging page.
Example: sync.log
Optionally, you can add the placeholder #{timestamp} to the file name. The placeholder is replaced by an actual timestamp (for example, 20190501-104023) in each execution before the log file is saved to the disk.
If you use the placeholder, GCDS generates a new log file every time it runs a simulation or sync. If a log is older than 30 days, it's deleted.
Example: sync.#{timestamp}.log
If you run a sync at 2019-05-01 at 10:40:23am, the log file is named sync.20190501-104023.log.
- FATAL—Only logs fatal operations.
- ERROR—Logs errors and fatal operations.
- WARN—Logs warnings, errors and fatal operations.
- INFO—Logs summary information.
- DEBUG—Logs more extensive details.
- TRACE—Logs all possible details.
The level of detail is cumulative; each level includes all the details of previous levels (for example, ERROR includes all ERROR and FATAL messages).
The maximum size of the log file, in megabytes.
The maximum log size includes all the backup files plus the current file. The number of backup files is determined by the log file count attribute (see below).
To calculate the maximum size of a single log file, use <maximum log size> / (<log file count> + 1).
Example: 500
The number of log files that are saved to the disk. The default is 10.
Note: This setting can only be modified in the configuration file within the tag <logFileCount>.
Users
Specify what attributes GCDS uses when generating the LDAP user list on the User accounts page.
Example: mail
Enable invalid characters replacement
Invalid character replacement
If you check the box, spaces and invalid characters in an email address are replaced with the string specified in the Invalid character replacement field.
If you check the box but leave the field blank, GCDS removes spaces and invalid characters from the address.
Example
The email address on the LDAP server is x y\z@example.com.
- If you add an underscore (_) to the Invalid characters replacement field, GCDS converts the email address to x_y_z@example.com.
- If the Invalid characters replacement field is left blank, GCDS converts the email address to xyz@example.com.
Example: objectGUID
Example: proxyAddresses
If this field is empty, any alias associated with the Google user profile isn't removed following a GCDS sync. The alias can still be managed in Google.
- Delete only active Google Domain users not found in LDAP (suspended users are retained)—Active users in your Google domain are deleted if they aren't in your LDAP server. Suspended users are not altered. This is the default setting.
- Delete active and suspended users not found in LDAP—All users in your Google domain are deleted if they aren't in your LDAP server, including suspended users.
- Suspend Google users not found in LDAP, instead of deleting them—Active users in your Google domain are suspended if they are not in your LDAP server. Suspended users are not altered.
- Don’t suspend or delete Google domain users not found in LDAP—No users in your Google domain are suspended or deleted (unless you have a search rule that’s set to suspend users).
This field allows you to specify an LDAP attribute that serves as a unique identifier for user entities on your LDAP server. When you provide this attribute, GCDS can monitor changes to user email addresses on your LDAP server. This ensures that when a user email is updated, GCDS can synchronize the changes with your Google domain without deleting the existing user and creating a new one with the updated email address.
If you set this field, GCDS automatically creates a new mapping file with the following name in the home directory: nonAddressKeyMappingsFilePath.tsv
To change the name or location of this file, update the following tag in the XML configuration file: <nonAddressKeyMappingsFilePath>
This field is optional; however, using it is recommended.
Example: objectGUID
Additional user attributes are optional LDAP attributes that you can use to import additional information about your Google users, including passwords. Enter your additional user attributes on the User accounts page.
You can also use multiple attributes for the given name. If you use multiple attributes, place each attribute field name in square brackets.
Examples: givenName,[cn]-[ou]
Examples: surname, [cn]-[ou]
An LDAP attribute that contains each user's display name.
Example: displayName
- Only for new users—When GCDS creates a new user, it synchronizes that user's password. Existing passwords are not synced. Use this option if you want your users to manage their passwords in your Google domain. Note: If you are using a temporary or one-time password for new users, use this option.
- For new and existing users—GCDS always synchronizes all user passwords. Existing passwords in your Google domain are overwritten. This option is appropriate for managing user passwords on your LDAP server, but it is less efficient than the Only changed passwordsoption.
- Only changed passwords—GCDS only synchronizes passwords that changed since your previous sync. We recommend this option if you want to manage user passwords on your LDAP server. Note: If you use this option, you must also provide a value for the Password timestamp attribute.
Example: CustomPassword1
Example: PasswordChangedTime
- SHA1–Passwords in your LDAP directory server hashed using unsalted SHA1.
- MD5–Passwords in your LDAP directory server hashed using unsalted MD5.
- Base64–Passwords in your LDAP directory server use Base64 encoding.
- Plaintext–Passwords in your LDAP directory server are not encrypted. GCDS reads the password attribute as unencrypted text, then immediately encrypts the password using SHA1 encryption and synchronizes with your Google domain.
Note: GCDS never saves, logs, or transmits passwords unencrypted. If passwords in your LDAP directory are Base64-encoded or plaintext, GCDS immediately encrypts them with SHA1 encryption and synchronizes them with your Google domain. Simulate sync and full sync logs show the password as a SHA1 password.
Use this field only if you also specify a Password Attribute. If you leave the Password Attribute field blank, when you save and reload, the configuration resets to the default of SHA1. Note that some password encoding formats aren't supported. Check your LDAP directory server with a directory browser to find or change your password encryption.
By default, Active Directory and HCL Domino directory servers don't store passwords in any of these formats. Consider setting a default password for new users and requiring users to change passwords on first login.
If checked, new users must change passwords the first time they sign in to their Google account. Doing so allows you to set an initial password, either from an LDAP attribute or by specifying a default password for new users that the user must change the first time they sign in.
Use this option if you set an attribute in one of these fields:
- In the Password Attribute field, but it's only a temporary or one-time password
- In the Default password for new users field
Note: If your users don't manage their Google password, for example, if you're using Password Sync or single sign-on (SSO), we recommend that you don't turn on this setting.
Important: If you enter a default password here, be sure to check the Force new users to change password box so that users don't retain the default password.
Example: swordfishX2!
Add a User search rule on the Search rule tab of the User Accounts page. For detailed information about search rules, see Use LDAP queries to collect data for a sync.
Specify which Google organizational unit should contain users that match this rule. If the organizational unit specified doesn't exist, GCDS adds the users to the root level organizational unit in your Google domain.
This option only appears if you have enabled Organizational Units on the General Settings page.
Options include:
- Org Unit based on Org Units Mappings and DN—Add users to the unit that maps to the user’s DN on your LDAP server. This is based on your Org Mappings and shows in the LDAP User Sync list as [derived].
- Org Unit Name—Add all users that match this rule to the same Google organizational unit. Specify the organizational unit in the text field.
Example: Users
- Org Unit name defined by this LDAP attribute—Add each user to the organizational unit with the name specified in an attribute on your LDAP directory server. Enter the attribute in the text field.
Example: extensionAttribute11
Suspend all users that match this LDAP user sync rule.
Notes:
- GCDS suspends or deletes users that already exist in your Google domain based on the GCDS User Account Deletion/Suspending policy setting.
- Users in your domain that you have suspended are reenabled by GCDS if they match a search rule that doesn't have suspend users enabled.
- This feature is commonly used to stage user accounts in the domain. The new users are created in a suspended state. If you are importing active users with this rule, leave this unchecked.
Rule and Base DN: For details on these fields, see Use LDAP queries to collect data for a sync.
Specify what attributes GCDS uses when generating the LDAP user profiles on the User Profiles page.
LDAP attribute that contains the ID of the building where the user works. This can also be set to "Working remotely" if the user doesn't have a primary office building.
Admins can also let users set their own locations. For details, see Let users change their photo and profile information.
LDAP attribute that contains the user’s additional email addresses. You can enter more than one value into this field.
Note: This field only supports the synchronization of addresses using the Work email type.
LDAP attribute that contains the user’s website URLs. You can enter more than one value into this field.
Valid URLs are checked against the following regular expression:
^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$
Invalid URLs are skipped.
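As an added example (not part of the original page), this Python snippet applies the page's validation expression to a constructed set of website values and separates the ones GCDS keeps from the ones it skips; the POSIX class [[:blank:]] is rewritten as [ \t] because Python's re module has no POSIX bracket classes.

```python
import re

# The page's validation expression, with [[:blank:]] rewritten as [ \t].
WEBSITE_URL = re.compile(
    r"^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))"
    r"(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)"
    r"([).!';/?:,][ \t])?$"
)


def is_valid_url(value):
    """True when the value passes the GCDS website URL check."""
    # fullmatch rather than match: Python's "$" would otherwise accept a
    # value with a trailing newline, which the original check does not.
    return WEBSITE_URL.fullmatch(value) is not None


def filter_websites(values):
    """Split an attribute's values into those GCDS keeps and those it skips."""
    kept, skipped = [], []
    for value in values:
        (kept if is_valid_url(value) else skipped).append(value)
    return kept, skipped


# Constructed sample values for a multi-valued website attribute.
SAMPLE_WEBSITES = [
    "https://www.example.com/path?q=1",  # scheme plus allowed characters: kept
    "mailto:someone@example.com",         # mailto: is an accepted prefix: kept
    "www.example.com",                    # no scheme: skipped
    "http://exa mple.com",                # embedded space: skipped
    "http://example.com/a%2",             # truncated percent escape: skipped
    "ssh://git.example.com",              # scheme not in the allow-list: skipped
]

if __name__ == "__main__":
    kept, skipped = filter_websites(SAMPLE_WEBSITES)
    print("kept:", kept)
    print("skipped:", skipped)
```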
LDAP attribute that contains the user’s recovery phone. The phone number must be in the E.164 international standard, starting with the plus sign (+).
The attribute can be set as an expression by using square brackets. This allows you to include additional characters.
Examples:
- +[ ldap-attribute ]—Prepends a plus sign to the value of the attribute.
- +41[ ldap-attribute ]—Prepends a plus sign and country code to the value of the attribute.
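Added example, not from the original page: a small Python expander for the square-bracket attribute syntax the page uses for the given name and surname fields above, for the recovery phone expressions just listed, and for calendar display names, run against constructed LDAP entries. It assumes that a missing attribute expands to an empty string, which the page does not state.

```python
import re

# Constructed sample LDAP entries (not from the original page).
USER = {
    "givenName": "Ada",
    "sn": "Lovelace",
    "cn": "Ada Lovelace",
    "ou": "Engineering",
    "telephoneNumber": "221234567",
}
ROOM = {"building": "Main", "floor": "12", "roomnumber": "23"}

# One [attribute] reference; whitespace inside the brackets is ignored,
# which is how the page writes "+[ ldap-attribute ]".
_REF = re.compile(r"\[\s*([^\[\]]+?)\s*\]")

# E.164: a plus sign followed by up to 15 digits, the first not zero.
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def expand(expression, entry):
    """Resolve a GCDS-style attribute expression against one LDAP entry.

    A bare attribute name ("givenName") yields that attribute's value.
    An expression with brackets ("[cn]-[ou]", "+41[telephoneNumber]") has
    each [name] replaced by the attribute value; literal text is kept.
    Assumption (not stated on the page): a missing attribute expands to "".
    """
    expression = expression.strip()
    if "[" not in expression:
        return entry.get(expression, "")
    return _REF.sub(lambda m: entry.get(m.group(1), ""), expression)


def expand_many(expressions, entry):
    """Expand a comma-separated list such as "givenName,[cn]-[ou]"."""
    return [expand(e, entry) for e in expressions.split(",")]


def recovery_phone(expression, entry):
    """Expand the recovery phone expression and enforce the E.164 rule.

    Returns the number, or None when the result is not E.164 and so could
    not be synced as a recovery phone.
    """
    value = expand(expression, entry)
    return value if _E164.match(value) else None


if __name__ == "__main__":
    print(expand_many("givenName,[cn]-[ou]", USER))
    print(recovery_phone("+41[ telephoneNumber ]", USER))
    print(expand("[building]-[floor]-Boardroom-[roomnumber]", ROOM))
```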
Specifies the POSIX user account attributes that you can edit using the Directory API.
Note: After a successful sync, the POSIX attributes aren't displayed in the Admin console under user information.
Posix user account attributes | Description |
---|---|
username | The user's primary email address, alias email address, or unique user ID. |
uid | The user ID on the instance for this user. This property must be a value between 1001 and 60000, or between 65535 and 2147483647. To access a Container-Optimized OS instance, the UID must be between 65536 and 214748646. The UID must be unique within your organization. |
gid | The group ID on the instance that this user belongs to. |
homeDirectory | The home directory on the instance for this user: /home/example_username. |
Organizational units
Specify how organizational units on your LDAP server correspond to organizational units in your Google domain on the Org units page.
If you add mappings for top-level organizational units, GCDS automatically maps suborganizations on your LDAP directory server to Google organizational units with the same name. Add specific rules to override suborganization mappings.
Easiest way to map your LDAP organizational unit—Create a mapping from your root LDAP organizational unit (usually, your Base DN) to "/" (the root organization in the Google domain). GCDS maps users to suborganizations on your Google domain using the same organizational unit structure in your LDAP server. Note that you still need to create search rules to ensure that GCDS creates the suborganizations in the Google domain.
To add a new mapping, click Add Mapping.
Mapping setting | Description |
---|---|
(LDAP) Distinguished Name (DN) | The DN on your LDAP directory server to map. Example: ou=melbourne,dc=ad,dc=example,dc=com |
(Google domain) Name | The name of the org unit in your Google domain to map. To add users to the default organization in your Google domain, enter a single forward slash (/). Example: Melbourne |
Example: Mapping multiple locations
An LDAP directory server has an organizational hierarchy split between two office locations: Melbourne and Detroit. Your Google domain org unit hierarchy will match the same hierarchy.
- First Rule:
- (LDAP) DN: ou=melbourne,dc=ad,dc=example,dc=com
- (Google domain) Name: Melbourne
- Second Rule:
- (LDAP) DN: ou=detroit,dc=ad,dc=example,dc=com
- (Google domain) Name: Detroit
Example: Mapping LDAP org unit to Google Root org unit
- (LDAP) DN: ou=corp,dc=ad,dc=example,dc=com
- (Google domain) Name: /
Example: Mapping LDAP org unit to a first-level Google org unit
- (LDAP) DN: ou=detroit,ou=corp,dc=ad,dc=example,dc=com
- (Google domain) Name: Detroit
Example: Mapping LDAP org unit to a Google second-level org unit
- (LDAP) DN: ou=detroit staff,ou=detroit,ou=corp,dc=ad,dc=example,dc=com
- (Google domain) Name: Detroit/Detroit Staff
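The following Python snippet is an added example (not GCDS code) that derives a user's Google org unit from mapping rules like the ones above: the longest matching DN suffix wins, so an explicit rule overrides the automatic mapping of sub-organizations, and any unmapped OUs between the user and the mapped DN are appended with their LDAP names. It assumes DNs without escaped commas and that only ou= containers become org units; both are assumptions, not statements from the page.

```python
# Constructed mapping rules, in the page's (LDAP DN, Google org unit) form.
MAPPINGS = [
    ("ou=corp,dc=ad,dc=example,dc=com", "/"),
    ("ou=detroit,ou=corp,dc=ad,dc=example,dc=com", "Detroit"),
    ("ou=detroit staff,ou=detroit,ou=corp,dc=ad,dc=example,dc=com",
     "Detroit/Detroit Staff"),
]


def parse_dn(dn):
    """Split a DN into its RDNs, most specific first.

    Assumption: no escaped commas inside values (the page's DN examples
    contain none), so a plain split on "," is enough.
    """
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def google_path(name):
    """Normalise a Google org unit name ("/", "Detroit", "Detroit/Detroit
    Staff") to an absolute path without a trailing slash; root becomes ""."""
    return "/" + name.strip("/") if name.strip("/") else ""


def derive_org_unit(user_dn, mappings):
    """Return the Google org unit path for a user DN, or None if no rule applies.

    The most specific mapping (longest DN suffix, compared case-insensitively)
    wins. OUs that sit between the user and the mapped DN are appended with
    their LDAP names, as the page describes for unmapped sub-organizations.
    Assumption: only "ou=" containers become org units; other containers
    (for example cn=Users) are skipped.
    """
    rdns = parse_dn(user_dn)
    lowered = [r.lower() for r in rdns]
    best = None
    for ldap_dn, google_name in mappings:
        suffix = [r.lower() for r in parse_dn(ldap_dn)]
        if len(suffix) < len(rdns) and lowered[-len(suffix):] == suffix:
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, google_name)
    if best is None:
        return None
    suffix, google_name = best
    # RDNs between the user's own RDN and the mapped base, outermost first.
    between = rdns[1:len(rdns) - len(suffix)]
    path = google_path(google_name)
    for rdn in reversed(between):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "ou":
            path += "/" + value.strip()
    return path or "/"


if __name__ == "__main__":
    base = "dc=ad,dc=example,dc=com"
    for dn in ("cn=alice,ou=corp," + base,
               "cn=bob,ou=detroit staff,ou=detroit,ou=corp," + base,
               "cn=carol,ou=sales,ou=detroit,ou=corp," + base,
               "cn=dan,ou=hr,ou=melbourne,ou=corp," + base):
        print(dn, "->", derive_org_unit(dn, MAPPINGS))
```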
Specify your LDAP organizational unit search rules on the Org units page.
LDAP org unit search rule setting | Description |
---|---|
(Optional) Org Unit description attribute | An LDAP attribute that contains the description of each organizational unit. If left blank, the organizational unit won't contain a description when created. Example: description |
Scope, Rule, Base DN | For details on these fields, see Use LDAP queries to collect data for a sync. |
Specify how to manage your Google organizational units on the LDAP Org Units Mappings tab of the Org units page.
Organizational unit setting | Description |
---|---|
Don’t delete Google Organizations not found in LDAP | If checked, Google organizational units are retained during a sync, even when the organizational units aren't in your LDAP server. |
Don't create or delete Google Organizations, but move users between existing Organizations | If checked, Google organizational units aren’t synced with your LDAP server, but users can be added to existing Google organizational units as specified in your user search rules. If unchecked, GCDS adds and deletes organizational units in your Google domain to match the organization structure in your LDAP server, according to the mappings you specify. |
Groups
To synchronize one or more mailing lists as groups in Google Groups, click Add Search Rule on the Groups page and specify the fields in the dialog box.
LDAP group attribute setting | Description |
---|---|
Scope, Rule, Base DN | For details on these fields, see Use LDAP queries to collect data for a sync. |
Group email address attribute | An LDAP attribute that contains the email address of the group. This will become the group email address in your Google domain. Example: mail |
Group display name attribute | An LDAP attribute that contains the display name of the group. This will be used in the display to describe the group, and does not need to be a valid email address. |
(Optional) Group description attribute | An LDAP attribute that contains the full-text description of the group. This will become the group description in your Google domain. Example: extendedAttribute6 |
User email address attribute | An LDAP attribute that contains users’ email addresses. This is used to retrieve the email addresses of group members and owners given their DN. Example: mail |
Group object class attribute | The LDAP object class value that represents your groups. It’s used to separate members who are users from members who are groups (also known as "nested groups"). Example: group |
Dynamic (Query-based) group | If checked, all mailing lists matching this search rule are treated as dynamic (query-based) groups, and the value of the Member Reference Attribute is treated as the query that specifies the membership of the group. Check this box if your search rule is for Exchange dynamic distribution groups. Note: If you manually enable DYNAMIC_GROUPS in your XML config file but leave out INDEPENDENT_GROUP_SYNC, make sure your dynamic group search rule is the first group search rule. See Troubleshoot common GCDS issues for details. |
Member reference attribute (Either this field or Member literal attribute is required.) | If Dynamic (Query-based) group isn't checked, this field should reference an LDAP attribute that contains the DN of mailing list members in your LDAP directory server. GCDS looks up the email addresses of these members and adds each member to the group in your Google domain. If Dynamic (Query-based) group is checked, this should reference an LDAP attribute that contains the filter that GCDS uses to determine group membership. Example (non-dynamic): memberUID. Example (dynamic): msExchDynamicDLFilter |
Member literal attribute (Either this field or Member reference attribute is required.) | An attribute that contains the full email address of mailing list members in your LDAP directory server. GCDS adds each member to the group in your Google domain. Example: memberaddress |
Dynamic group Base DN attribute | If Dynamic (Query-based) group is checked, this field needs to contain an LDAP attribute that has the base DN from which the query specified in Member Reference Attribute is applied. Dynamic groups in Exchange and GCDS work by noting membership as an LDAP query. The Member reference attribute contains the LDAP query and Dynamic group Base DN attribute points to the base DN where the query will be executed. Example: Attributes and values of a dynamic group in LDAP: dn: CN=MyDynamicGroup,OU=Groups,DC=altostrat,DC=com. Note that the attribute usually used to list group members ("member") is blank, and instead there's an LDAP query that will find bob.smith and jane.doe, looking in the "Users" organizational unit. |
(Optional) Owner reference attribute | An attribute that contains the DN of each group’s owner. GCDS looks up the email addresses of each mailing list’s owner and adds that address as the group owner in your Google domain. Example: ownerUID |
(Optional) Owner literal attribute | An attribute that contains the full email address of each group’s owner. GCDS adds that address as the group owner in the Google domain. Example: owner |
(Optional) Alias address attributes | One or more attributes that contain alias addresses. The addresses are added in Google Groups as aliases of the group's primary email address. If the field is empty, no aliases associated with the group are removed. You can also manage aliases in your organization's Google account. Example: proxyAddresses |
(Optional) Group unique identifier attribute | This field allows you to specify an LDAP attribute that serves as a unique identifier for group entities on your LDAP server. When you provide this attribute, GCDS can monitor changes to group email addresses on your LDAP server. This ensures that when a group is updated, GCDS can synchronize the changes with your Google domain without deleting the existing group and creating a new one with the new email address. Example: objectGUID |
You might need GCDS to add a prefix or suffix to the value that your LDAP server provides for a mailing list's email address or its members' email addresses. Specify any prefixes or suffixes on the Prefix-Suffix tab of the Groups page.
Example: groups-
Example: -list
Enable invalid characters replacement
Invalid character replacement
If you check the box, spaces and invalid characters in an email address are replaced with the string specified in the Invalid character replacement field.
If you check the box but leave the field blank, GCDS removes spaces and invalid characters from the address.
Example
The email address on the LDAP server is x y\z@example.com.
- If you add an underscore (_) to the Invalid characters replacement field, GCDS converts the email address to x_y_z@example.com.
- If the Invalid characters replacement field is left blank, GCDS converts the email address to xyz@example.com.
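Added example, not code from the page: a Python function that applies the invalid-character replacement (the same behaviour described for the User accounts page) together with the Prefix-Suffix tab values to constructed LDAP addresses. The allowed character set (letters, digits, period, underscore, apostrophe, hyphen) and the assumption that the prefix and suffix wrap only the local part are mine; the page states neither.

```python
import re

# Assumption: the page does not list the invalid character set; this uses the
# characters Google Workspace accepts in a username (letters, digits, ".", "_",
# "'" and "-"). Anything else, including spaces, is treated as invalid.
_VALID_LOCAL_CHAR = re.compile(r"[A-Za-z0-9._'-]")


def replace_invalid(local_part, replacement):
    """Apply "Enable invalid characters replacement" to a local part.

    Each invalid character is replaced by the replacement string; an empty
    replacement removes the character, matching the page's two examples
    (x y\\z -> x_y_z with "_", x y\\z -> xyz with a blank field).
    """
    return "".join(ch if _VALID_LOCAL_CHAR.fullmatch(ch) else replacement
                   for ch in local_part)


def build_group_address(ldap_address, prefix="", suffix="",
                        replace_enabled=False, replacement=""):
    """Derive the Google Groups address from the LDAP value.

    Assumption: the Prefix-Suffix tab values wrap the local part only, so
    "sales@example.com" with prefix "groups-" and suffix "-list" becomes
    "groups-sales-list@example.com". Returns None for a value without a
    local part or domain, which could not be used as an address anyway.
    """
    local, at, domain = ldap_address.rpartition("@")
    if not at or not local or not domain:
        return None
    if replace_enabled:
        local = replace_invalid(local, replacement)
    return f"{prefix}{local}{suffix}@{domain}"


if __name__ == "__main__":
    # Constructed LDAP values.
    print(build_group_address("x y\\z@example.com", replace_enabled=True,
                              replacement="_"))
    print(build_group_address("x y\\z@example.com", replace_enabled=True))
    print(build_group_address("sales@example.com", prefix="groups-",
                              suffix="-list"))
```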
Specify how the manager role is synced for Google Groups on the Search rules tab of the Groups page.
Notes:
- Active Directory does not support a group manager role. How GCDS synchronizes the Google Groups manager role is detailed below.
- GCDS doesn't provision manager roles during the synchronization process.
Configuration settings | Description |
---|---|
Skip managers from sync | Manager roles are ignored in the sync. GCDS doesn’t make any modifications to the role. |
Keep managers | If the user doesn't have an owner or member role in your LDAP data, the manager role in Google is retained. The manager role in Google is removed and replaced if the user has an owner or member role in your LDAP data. |
Sync managers based on LDAP server | The manager role in Google is removed and replaced if the user has an owner or member role in your LDAP data. If the user isn't a member of the group in your LDAP data, they're removed from the Google Group (including the manager role). |
Specify how to manage your Google Groups on the Search rules tab of the Groups page.
Group deletion policy setting | Description |
---|---|
Don’t delete Google Groups not found in LDAP | If checked, Google Group deletions in your Google domain are disabled, even when the Groups aren't in your LDAP server. |
Contacts & calendars
Specify what attributes GCDS will use when generating the LDAP shared contacts on the Shared Contacts page.
LDAP Shared Contact attribute | Description |
---|---|
Sync key | An LDAP attribute that contains a unique identifier for the contact. Choose an attribute present for all your contacts that isn't likely to change, and which is unique for each contact. This field becomes the ID of the contact. Examples: dn or contactReferenceNumber |
Full name | The LDAP attribute or attributes that contain the contact’s full name. Example: [prefix] - [givenName] [sn] [suffix] |
Job title | LDAP attribute that contains a contact’s job title. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above. |
Company name | LDAP attribute that contains a contact’s company name. |
Assistant’s DN | LDAP attribute that contains the LDAP Distinguished Name (DN) of the contact’s assistant. |
Manager’s DN | LDAP attribute that contains the LDAP DN of the contact’s direct manager. |
Department | LDAP attribute that contains a contact’s department. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above. |
Office location | LDAP attribute that contains a contact’s office location. This field can be comprised of multiple concatenated fields, using the same syntax as the Full Name attribute above. |
Work email address | LDAP attribute that contains a contact’s email address. |
Employee ids | LDAP attribute that contains a contact’s employee ID number. |
Work phone numbers | LDAP attribute that contains a contact’s work phone number. |
Home phone numbers | LDAP attribute that contains a contact’s home phone number. |
Fax numbers | LDAP attribute that contains a contact’s fax number. |
Mobile phone numbers | LDAP attribute that contains a contact’s personal mobile phone number. |
Work mobile phone numbers | LDAP attribute that contains a contact’s work mobile phone number. |
Assistant’s Number | LDAP attribute that contains a work phone number for a contact’s assistant. |
Street Address | LDAP attribute that contains the street address portion of a contact’s primary work address. |
P.O. Box | LDAP attribute that contains the P.O. Box of a contact’s primary work address. |
City | LDAP attribute that contains the city of a contact’s primary work address. |
State/Province | LDAP attribute that contains the state or province of a contact’s primary work address. |
ZIP/Postal Code | LDAP attribute that contains the ZIP code or postal code of a contact’s primary work address. |
Country/Region | LDAP attribute that contains the country or region of a contact’s primary work address. |
Specify the attributes you want GCDS to use when generating the LDAP calendar resources list on the Calendar Resources page.
LDAP Calendar attribute setting | Description |
---|---|
Resource Id | The LDAP attribute that contains the ID of the calendar resource. This is a field managed on your LDAP system, which may be a custom attribute. This field must be unique. Important: Calendar Resources won't sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:). For more information on calendar resource naming, see Resource naming recommendations. |
(Optional) Display Name | The LDAP attribute that contains the name for the calendar resource. Example: [building]-[floor]-Boardroom-[roomnumber] In this example, building, floor, and roomnumber are LDAP attributes. Following a sync, these attributes are replaced by the appropriate value, for example, Main-12-Boardroom-23. |
(Optional) Description | The LDAP attribute that contains a description of the calendar resource. Example: [description] |
(Optional) Resource Type | The LDAP attribute or attributes that contain the calendar resource type. Important: Calendar Resources does not sync an LDAP attribute which contains spaces or illegal characters such as the at sign (@) or colon (:). |
(Optional) Mail | The LDAP attribute that contains the calendar resource email address. This attribute is only for use with the Export Calendar resource mapping CSV export option. GCDS doesn't set the email address of Google Calendar resources. |
(Optional) Export Calendar resource mapping | Generates a CSV file listing LDAP calendar resources and their Google equivalents. Use a CSV file with Google Workspace Migration for Microsoft Exchange (GWMME) to migrate the contents of your Microsoft Exchange calendar resources to the appropriate Google calendar resources. To learn more about GWMME, go to What is GWMME? |