Cool Solution - Synchronize users with Google Apps
From Univention Wiki
Revision as of 10:33, 7 April 2014
Google offers a comprehensive array of groupware, file sharing, online office and related services. This article describes how to synchronize the users of your UCS domain with your Google Apps domain using Google Apps Directory Sync (GADS).
The passwords stored within UCS are too strongly encrypted to be synchronized using the connector.
Therefore SAML has to be used to offer unified management of and access to the online services. See SAML - Google Apps on how to set up the SAML app from the Univention App Center with Google Apps.
If you are planning to use non-web applications in conjunction with Google Apps, we recommend using one-time passwords.
Installation of the Synchronization Service
As the server needs to make regular connections to the Internet as well as access the LDAP, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP available while not being able to take over the domain or make changes to the LDAP. Furthermore, you will either need a local desktop environment on the server or use a different Linux workstation within the domain to create the users. Please note that the connector needs to run as the same user that created the configuration file. We therefore recommend a dedicated user in the LDAP for running the sync client.
The installation script can be downloaded directly from Google. You can download the 64 bit version using the following command:
wget -P /tmp/ http://dl.google.com/dirsync/dirsync-linux64.sh
Afterwards the script has to be made executable and can then be run:
chmod +x /tmp/dirsync-linux64.sh
/tmp/dirsync-linux64.sh
Answer all questions as you see fit. In most cases the default settings should be sufficient.
We will only refer to the UCS specific settings here. Please refer to the official manual (GADS Admin guide) for all other questions.
To configure the Google Apps synchronization service, log into your server and open a terminal emulator, for example Konsole. From there you can start the configuration dialog for the synchronization service. If you installed it in the default path, you can use the following command:
For connecting to the LDAP you will need to provide an account which can read the LDAP. As the LDAP connection will not be able to synchronize the passwords to Google Apps, a normal user is sufficient; it can even be the user running the synchronization script.
Then select the following settings in the tab LDAP Configuration:

| Setting | Value |
|---|---|
| Connection Type | Standard LDAP |
| Host Name | <local hostname> |
| Authorized User | <DN of the new user> |
| Password | <Password of the user> |
| Base DN | <Result of `ucr get ldap/base`> |
In the category User Accounts add the following Search Rule
In the tab Additional User Attributes you will have to enter the following attributes:

| Attribute mapping | LDAP attribute |
|---|---|
| Given Name Attribute(s) | givenName |
| Family Name Attribute(s) | sn |
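Before typing these values into the GADS dialog it is worth confirming that the read-only account really can bind and that every user below the base DN carries the two attributes GADS maps (givenName and sn), since a user missing either will not be created cleanly on the Google side. The script below is an added example and not part of the wiki article or of GADS itself. It assumes a hypothetical bind account uid=gads-sync below cn=users, the placeholder base DN dc=example,dc=com (take yours from `ucr get ldap/base`), and that ldapsearch from the ldap-utils package is available on the DC Slave; the LDAP filter on posixAccount is likewise an assumption about how your users are stored.

```shell
#!/bin/sh
# Added example (not from the wiki article): sanity-check the LDAP settings
# for GADS before entering them in the configuration dialog.
# Assumptions: the bind DN uid=gads-sync,... and the base DN dc=example,dc=com
# are placeholders for your own values; ldapsearch comes from ldap-utils.

GADS_HOST="${GADS_HOST:-localhost}"                                      # the DC Slave running the sync
GADS_BIND_DN="${GADS_BIND_DN:-uid=gads-sync,cn=users,dc=example,dc=com}"  # assumed dedicated read-only user
GADS_BASE_DN="${GADS_BASE_DN:-dc=example,dc=com}"                        # normally: ucr get ldap/base

# Finish the LDIF record just read: report it if a mapped attribute is absent.
_gads_end_record() {
    if [ -n "$uid" ] && { [ "$gn" -eq 0 ] || [ "$sn" -eq 0 ]; }; then
        printf '%s: missing' "$uid"
        if [ "$gn" -eq 0 ]; then printf ' givenName'; fi
        if [ "$sn" -eq 0 ]; then printf ' sn'; fi
        printf '\n'
        missing=$((missing + 1))
    fi
    uid=""; gn=0; sn=0
}

# Read LDIF on stdin and print every user that lacks givenName or sn, the two
# attributes mapped to Given Name / Family Name above. Returns 1 if any do.
gads_check_ldif() {
    uid=""; gn=0; sn=0; missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "uid: "*)        uid="${line#uid: }" ;;
            "givenName: "*)  gn=1 ;;
            "sn: "*)         sn=1 ;;
            "")              _gads_end_record ;;   # blank line ends an LDIF record
        esac
    done
    _gads_end_record   # last record when the input has no trailing blank line
    [ "$missing" -eq 0 ]
}

# Bind with the read-only GADS account (password prompted by -W, never passed
# on the command line) and run the attribute check over the users below the
# base DN. A bind failure here means the DN or password in the dialog is wrong.
gads_probe() {
    ldapsearch -x -LLL -H "ldap://$GADS_HOST" -D "$GADS_BIND_DN" -W \
        -b "$GADS_BASE_DN" '(&(objectClass=posixAccount)(uid=*))' \
        uid givenName sn | gads_check_ldif
}

# Usage on the DC Slave:  . ./gads-check.sh && gads_probe
```

Run it as the dedicated sync user: a successful, empty result confirms that a plain read-only account is all the connector needs, which is the least privilege the article recommends. Any lines printed name users to fix in UDM before the first synchronization.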
Choose a length of the random password that conforms with the requirements of your organization.