Difference between revisions of "Cool Solution - Synchronize users with Google Apps"

From Univention Wiki

(→‎User Accounts: Added table class)
m (Removed links to deleted pages.)
 
Line 1: Line 1:
{{Cool Solutions Disclaimer|Repository=no|UCS=3.2}}
+
Please refer to the appropriate in the App Center: http://www.univention.de/appid/google-apps/.
 
 
Google offers a comprehensive array of groupware, file sharing, online office and related services. This article describes how to synchronize the users of your UCS Domain with your Google Apps domain. See [http://google.com/apps/directorysync Google App Directory Sync]
 
 
 
== Passwords ==
 
The passwords stored within UCS are too strongly encrypted to be synchronized using the connector.
 
 
 
Therefore SAML has to be used for offering unified management and access to the online services. See [[SAML Identity Provider#Example configuration of Google Apps for business as a service provider| SAML - Google Apps]] on how to setup the SAML APP from the Univention Appcenter with Google Apps.
 
 
 
If you are planing to use non-Web applications in conjunction with Google Apps we recommend the usage of one-time passwords.
 
 
 
== Installation of the Synchronization Service  ==
 
 
 
As the server needs to make regular connections to the Internet as well as access the LDAP, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP available while not being able to take over the domain or make changes to the LDAP. Furthermore you will either need a local desktop environment on the Server or use a different Linux workstation within the Domain to create the users. Please note that the connector needs to run as the same user, that created the configuration file. We therefore recommend a dedicated user in the LDAP to use the Sync client.
 
 
 
The installation script can be downloaded directly from [[http://google.com/apps/directorysync google]]. You can download the 64 bit version using the following command
 
<pre>wget -P /tmp/ http://dl.google.com/dirsync/dirsync-linux64.sh
 
</pre>
 
Afterwards the script has to be made executable and can be run
 
<pre>chmod +x /tmp/dirsync-linux64.sh
 
/tmp/dirsync-linux64.sh
 
</pre>
 
Answer all questions as you see fit. In most cases the default settings should be sufficient.
 
 
 
== Configuration  ==
 
 
 
We will only refer to the UCS specific settings here. Please refer to the official manual for all other questions. [http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/toc.html GADS Admin guide]
 
 
 
To configure the Google Apps synchronization service log into your server and open a terminal emulator, for example ''konsole''. Here you can start the configuration dialog for the synchronization service. If you installed it in the default path you can use the following command
 
<pre>
 
/opt/GoogleAppsDirSync/config-manager
 
</pre>
 
 
 
=== LDAP Configuration  ===
 
 
 
For connecting to the LDAP you will need to provide an account, which can reed the LDAP. As the LDAP connection will not be able to synchronize the passwords to Google Apps, a normal user will be sufficient, it can even be the user running the synchronization script.
 
 
 
Then select the following settings in the tab ''LDAP Configuration'':
 
 
 
{| cellspacing="1" cellpadding="1" border="2" width="200" class="wikitable"
 
|-
 
! Name
 
! Entry
 
|-
 
| Server Type
 
| OpenLDAP
 
|-
 
| Connection Type
 
| Standard LDAP
 
|-
 
| Host Name
 
| &lt;local hostname&gt;
 
|-
 
| Port
 
| 7389
 
|-
 
| Authentication Type
 
| Simple
 
|-
 
| Authorized User
 
| &lt;DN of the new user&gt;
 
|-
 
| Password
 
| &lt;Password of the user&gt;
 
|-
 
| Base DN:
 
| &lt;Result of ''ucr get ldap/base''&gt;
 
|}
 
 
 
=== User Accounts ===
 
In the category ''User Accounts'' add the following ''Search Rule''
 
<pre>
 
objectClass=person
 
</pre>
 
In the tab ''Additional User Attributes'' you will have to enter the following attributes
 
{| cellspacing="1" cellpadding="1" border="2" width="200" class="wikitable"
 
|-
 
! Name
 
! Entry
 
|-
 
|Given Name Attribute(s)
 
|givenName
 
|-
 
|Family Name Attribute(s)
 
|sn
 
|}
 
 
 
Choose a length of the random password that conforms with the requirements of your organization.
 
 
 
== Links ==
 
 
 
* [[SAML Identity Provider#Example configuration of Google Apps for business as a service provider| SAML Google Apps]]
 
* [http://docs.univention.de/manual-3.2.html#introduction:LDAP_directory_service UCS Admin guide LDAP]
 
* [http://google.com/apps/directorysync Google Apps Directory Sync (GADS)]
 
* [http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/prep_about.html#996361 GADS getting started ]
 
* [http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/toc.html GADS Admin guide]
 
* [http://dl.google.com/dirsync/dirsync-linux64.sh Download GADS Linux 64-bits]
 
  
 
[[Category:Howtos]]
 
[[Category:Howtos]]
 
[[Category:EN]]
 
[[Category:EN]]
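
Review bot: the installation section fetches dirsync-linux64.sh with wget over plain http into /tmp, and the next block makes it executable and runs it with no integrity check in between, so anything that can alter the transfer or the file in /tmp decides what runs on the DC Slave. Suggest switching the download URL (and the matching entry under Links) to https, saving the file to a directory only the dedicated sync user can write to, and adding a step that compares the file against a checksum from a trusted source before "chmod +x". In the LDAP Configuration table, Connection Type "Standard LDAP" with Authentication Type "Simple" sends the bind DN and password unencrypted; that is acceptable only while Host Name stays the local host, so the text should say so or recommend an encrypted connection type, particularly as the installation section mentions using a different workstation in the domain. Smaller points: the Passwords section says the passwords are "too strongly encrypted", whereas what UCS stores are one-way hashes that cannot be recovered for synchronization; "planing" should be "planning", "reed" should be "read", and the link "[[http://google.com/apps/directorysync google]]" uses internal-link brackets for an external URL.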

Latest revision as of 12:17, 15 July 2016

Please refer to the appropriate in the App Center: http://www.univention.de/appid/google-apps/.
