Cool Solution - Synchronize users with Google Apps
From Univention Wiki
Note: Cool Solutions are articles documenting additional functionality based on Univention products.
Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your Univention contact person before implementing any of the steps shown here.
Google offers a comprehensive array of groupware, file sharing, online office and related services. This article describes how to synchronize the users of your UCS domain with your Google Apps domain using Google Apps Directory Sync (GADS). See Google Apps Directory Sync
Passwords
The passwords stored within UCS are not available in clear text: the LDAP only holds password hashes, which the connector can neither read back nor convert into a form Google Apps accepts, so passwords cannot be synchronized.
Therefore SAML has to be used to offer unified management of and access to the online services. See SAML - Google Apps on how to set up the SAML app from the Univention App Center with Google Apps.
If you are planning to use non-web applications in conjunction with Google Apps, we recommend the use of one-time passwords.
Installation of the Synchronization Service
As the server needs to make regular connections to the Internet as well as access the LDAP, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP replica available while the host is neither able to take over the domain nor to write to the LDAP. Furthermore, you will need either a local desktop environment on the server or a different Linux workstation within the domain to run the graphical configuration dialog. Please note that the connector must run as the same user that created the configuration file. We therefore recommend a dedicated user in the LDAP for running the sync client; do not reuse an administrator account for this, because the client only needs read access.
The installation script can be downloaded directly from Google. You can download the 64-bit version using the following command. Since you are about to execute a downloaded installer with the privileges of the current user, fetch it over HTTPS where possible and inspect the script before running it.
wget -P /tmp/ http://dl.google.com/dirsync/dirsync-linux64.sh
Afterwards, the script has to be made executable and can then be run:
chmod +x /tmp/dirsync-linux64.sh
/tmp/dirsync-linux64.sh
Answer all questions as you see fit. In most cases the default settings should be sufficient.
Configuration
We will only cover the UCS-specific settings here. For all other questions, please refer to the official manual: GADS Admin guide
To configure the Google Apps synchronization service, log into your server as the dedicated sync user and open a terminal emulator, for example konsole. From there you can start the configuration dialog of the synchronization service. If you installed it in the default path, you can use the following command:
/opt/GoogleAppsDirSync/config-manager
LDAP Configuration
For connecting to the LDAP you will need to provide an account that can read the LDAP. As the LDAP connection cannot synchronize passwords to Google Apps anyway, a normal unprivileged user is sufficient; it can even be the user running the synchronization client. An account with write access or domain administrator rights is not needed and should not be used.
Then select the following settings in the tab LDAP Configuration:
| Name | Entry |
|---|---|
| Server Type | OpenLDAP |
| Connection Type | Standard LDAP |
| Host Name | <local hostname> |
| Port | 7389 |
| Authentication Type | Simple |
| Authorized User | <DN of the new user> |
| Password | <Password of the user> |
| Base DN | <Result of ucr get ldap/base> |
Note that Standard LDAP with a simple bind transmits the password of the authorized user unencrypted. This is acceptable here only because the host name is the local server, so the connection never leaves the host. If you point the connector at a different UCS server, use LDAP+SSL with the LDAPS port 7636 instead.
User Accounts
In the category User Accounts, add the following search rule:
objectClass=person
This rule matches every object with the object class person below the base DN, not only the accounts you expect to appear in Google Apps. Check what it returns, for example with univention-ldapsearch -LLL objectClass=person uid, before the first synchronization and narrow the rule if accounts show up that should not be created in Google Apps.
In the tab Additional User Attributes, enter the following attributes:
Name | Entry |
---|---|
Given Name Attribute(s) | givenName |
Family Name Attribute(s) | sn |
Choose a length for the random password that GADS assigns to newly created Google Apps accounts (the UCS password itself cannot be synchronized) that conforms to the requirements of your organization.
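Before pointing GADS at the directory it is worth running the same search that the LDAP Configuration and User Accounts settings describe and looking at what comes back. The following is an added example written for this article; it is not part of GADS or of UCS. It assumes a hypothetical sync account DN and a file holding its password, and that OpenLDAP's ldapsearch client is installed. gads_preview reproduces the connector's query (local server on port 7389, simple bind as the read-only sync user, base DN from ucr, search rule objectClass=person), and check_ldif parses LDIF output and flags entries that lack the givenName or sn attributes mapped above, using constructed sample data so that it runs offline.

```shell
#!/bin/sh
# Added pre-flight check for the GADS LDAP settings described in this article.
# Assumptions (hypothetical, not from the page): the sync account's DN and a file
# holding its password are passed in; OpenLDAP's ldapsearch is installed.

# Run the same query GADS will run: local UCS LDAP on port 7389, simple bind as the
# dedicated read-only sync user, base DN from UCR, search rule objectClass=person.
# Only the attributes the article maps are requested. The password is read from a
# file (ldapsearch -y) so it does not appear in the process list.
gads_preview() {
    bind_dn="$1"
    pw_file="$2"
    ldapsearch -x -LLL \
        -H "ldap://$(hostname -f):7389" \
        -D "$bind_dn" -y "$pw_file" \
        -b "$(ucr get ldap/base)" \
        '(objectClass=person)' uid givenName sn
}

# Read LDIF on stdin and report, per entry, whether the attributes mapped under
# "Additional User Attributes" (givenName, sn) are present. Prints "<uid>: ok" or
# "<uid>: missing <attrs>" and exits 1 if any entry is incomplete.
# LDIF continuation lines (leading space) are not folded; the mapped attributes
# are short enough that this does not matter here.
check_ldif() {
    awk '
        function flush(   missing) {
            if (dn == "") return
            missing = ""
            if (!("givenName" in seen)) missing = missing " givenName"
            if (!("sn" in seen))        missing = missing " sn"
            if (missing == "") print uid ": ok"
            else { print uid ": missing" missing; bad++ }
            dn = ""; uid = ""; split("", seen)
        }
        /^dn: /          { flush(); dn = substr($0, 5); next }
        /^uid: /         { uid = substr($0, 6) }
        /^[A-Za-z]+::? / { split($0, kv, ":"); seen[kv[1]] = 1 }
        /^$/             { flush() }
        END              { flush(); exit (bad > 0) }
    '
}

# Constructed sample LDIF (not real directory data), shaped like the -LLL output
# above: one complete user and one service account without a given name.
SAMPLE_LDIF='dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
givenName: Alice
sn: Example

dn: uid=svc-gads,cn=users,dc=example,dc=com
uid: svc-gads
sn: Service Account
'

# Live use on the DC Slave (hypothetical DN and password file):
#   gads_preview "uid=gadssync,cn=users,$(ucr get ldap/base)" /home/gadssync/.ldap-pw | check_ldif
if ! printf '%s' "$SAMPLE_LDIF" | check_ldif; then
    echo "fix the entries above or narrow the search rule before the first sync" >&2
fi
```

The service account in the sample is exactly the kind of object a bare objectClass=person rule pulls in; either give such entries the mapped attributes or exclude them from the search rule before the connector creates them in Google Apps.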