Thursday, February 4, 2010

Google Apps Directory Sync - Specific Group/OU Selection

Over the past year people have asked me how they can go about deploying Google Apps in their organization, and how they can do it on a limited basis at first.  That answer is a bit more complex than I want to tackle today, but in the last few days a colleague in a local school district asked me how he could deploy a few accounts while still using GADS.  That is something I will tackle today.  If you would like to follow along, I would hope you have some experience with (at least installing) Google Apps Directory Sync.

The situation here is the following: my colleague wanted to create a group in Active Directory, and then, when specific users needed accounts in Google Apps, he would just drop them into that group, and the next run of GADS would create the accounts in Google Apps.  I knew this could be done, but had never done it, so here, without further ado, is what is necessary.  After the break you will find the entire instructions for successfully setting this up.

Below you will see the standard interface for GADS.  If you have not done anything else yet, you will need to set up the connection to your LDAP server (Active Directory here), and of course your Google Apps administrator account for your domain.

Once you have your connections correct (you can use the test connection button to verify this), you can step through the wizard to get to the user sync section, which by default looks like below:

From here you have a couple of options, and they all depend on how you are going to organize your users in Active Directory.  I will show two methods here: one for the case where you have already created an OU containing the users you want to sync, and another, which is what my colleague was looking for, for the case where you have created a specific group.

Setting up the user sync rules in the above screen takes some minor knowledge of LDAP queries and of how your directory is structured.  If you have no knowledge of LDAP queries, I will give you what you need to enter to achieve the desired result.  The first thing you need to do in either case is to find the group or OU that you want to select and learn how to locate it using LDAP queries.  Below you will see the standard interface of the Active Directory Users and Computers tool.  Here you can move through the tree of your directory and navigate to where you want to be.  You will need to remember how to get to this location again in the tree structure of your directory.

Below is a screenshot from Softerra LDAP Browser 2.6, a free program I downloaded which allows you to browse the entire LDAP structure, not just what you can see in AD U&C.  There are many programs that will do this, but this is one I found to easily provide the information I need.

You will see the left-hand pane is much like AD U&C, but it is the raw LDAP data; you will need to browse through your directory to get to exactly where your group or OU exists.  Once you have that highlighted, you have all the information you need from LDAP up in the title bar of the application, which shows the LDAP address (the distinguished name) of what you are looking for.  It will appear in a format such as this: OU=Example,DC=YOUR,DC=DOMAIN,DC=HERE.  I won't go into explaining that today, but just know there is a lot more behind it.

Once you have your LDAP information, we can go back to the Configuration Manager tool for GADS and enter that information.  Below is the screen for creating a rule to include an entire OU:

In a typical rule window you need to create the filter (what information you want) and specify where it is located.  For the rule above, we want to select all users, hence objectclass=user in the rule section; then in the Base DN section you enter the location of your OU that we found in the previous step.  Once you enter these two simple things, you will include just that OU of users into GA.

Now, moving on to creating a rule for an entire group: this process is much like the above step, but we will use the default Base DN that you set up earlier, leave that field empty, and put all of the configuration in the rules section.

You will see above that the rule is much more complicated, but I include it below and show you what you need to change:

LDAP Query:

In this entire line, the part you need to change is the section after memberOf= and ending with edu; replace that with the group that you located using the LDAP Browser above.

The rest of the line simply restricts the results to users who are real persons and are members of the listed group.
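As an added illustration (my own example, not code or the exact query from the original post), the following Python builds the two rule types described above, the OU rule and the group rule, escapes the group DN per RFC 4515, and shows which entries of a small constructed directory each rule would sync. The filter string, group and OU names, and sample entries are all assumptions; it also goes slightly beyond the post by showing why the "real persons" test matters, since Active Directory computer objects are also objectClass=user.

```python
import re

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ou_rule(ou_dn: str) -> dict:
    """Rule for an entire OU: objectclass=user in the filter, the OU as the Base DN."""
    return {"base_dn": ou_dn, "filter": "(objectClass=user)"}

def group_rule(group_dn: str, default_base_dn: str) -> dict:
    """Rule for one group: Base DN stays the default, everything sits in the filter (assumed form)."""
    return {"base_dn": default_base_dn,
            "filter": "(&(objectCategory=person)(objectClass=user)(memberOf=%s))"
            % ldap_escape(group_dn)}

def _split(s: str) -> list:
    parts, depth, start = [], 0, 0  # split '(a=1)(b=2)' into top-level '(...)' groups
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1]); start = i + 1
    return parts

def _eval(filt: str, entry: dict) -> bool:
    """Minimal evaluator for the two filter shapes above: (attr=value) and (&(..)(..))."""
    body = filt[1:-1]
    if body.startswith("&"):
        return all(_eval(sub, entry) for sub in _split(body[1:]))
    attr, _, value = body.partition("=")
    return ldap_unescape(value).lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def select(entries: list, rule: dict) -> list:
    """DNs a rule would sync: the entry sits under the Base DN and matches the filter."""
    base = rule["base_dn"].lower()
    return [e["dn"] for e in entries if _eval(rule["filter"], e)
            and (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))]

# Constructed sample directory (assumed names, not real data); attribute keys are lowercase.
GROUP = "CN=GoogleAppsUsers,OU=Groups,DC=example,DC=edu"
def _entry(dn, category, classes, groups=()):
    return {"dn": dn, "objectcategory": [category], "objectclass": list(classes), "memberof": list(groups)}
SAMPLE = [
    _entry("CN=Ann Teacher,OU=Staff,DC=example,DC=edu", "person", ["user"], [GROUP]),
    _entry("CN=Cy Student,OU=Students,DC=example,DC=edu", "person", ["user"], [GROUP]),
    # AD computer objects are also objectClass=user; objectCategory=person keeps them out.
    _entry("CN=LAB-PC1,OU=Staff,DC=example,DC=edu", "computer", ["user", "computer"]),
]
```

Running `select(SAMPLE, ou_rule("OU=Staff,DC=example,DC=edu"))` picks up the lab computer along with Ann, while the group rule returns only Ann and Cy regardless of which OU they sit in.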

That is all that is necessary to set up GADS to sync only specific entries in your LDAP directory.  It seems a bit complicated when first looking into it, but with the help of a couple of Google searches and the above article, I hope you can get it figured out.  If you have any questions, please let me know and I will do the best I can to help you.

1 comment:

KJ said...

Works beautifully! Thanks, Kris!