Cool Solution - Synchronize users with Google Apps

From Univention Wiki

Revision as of 10:33, 7 April 2014 by Smidt (talk | contribs)
Jump to: navigation, search
Produktlogo UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.


Google offers a comprehensive array of groupware, file sharing, online office and related services. This article describes how to synchronize the users of your UCS Domain with your Google Apps domain. See Google App Directory Sync

Passwords

The passwords stored within UCS are too strongly encrypted to be synchronized using the connector.

Therefore SAML has to be used for offering unified management and access to the online services. See SAML - Google Apps on how to setup the SAML APP from the Univention Appcenter with Google Apps.

If you are planing to use non-Web applications in conjunction with Google Apps we recommend the usage of one-time passwords.

Installation of the Synchronization Service

As the server needs to make regular connections to the Internet as well as access the LDAP, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP available while not being able to take over the domain or make changes to the LDAP. Furthermore you will either need a local desktop environment on the Server or use a different Linux workstation within the Domain to create the users. Please note that the connector needs to run as the same user, that created the configuration file. We therefore recommend a dedicated user in the LDAP to use the Sync client.

The installation script can be downloaded directly from [google]. You can download the 64 bit version using the following command

wget -P /tmp/ http://dl.google.com/dirsync/dirsync-linux64.sh

Afterwards the script has to be made executable and can be run

chmod +x /tmp/dirsync-linux64.sh
/tmp/dirsync-linux64.sh

Answer all questions as you see fit. In most cases the default settings should be sufficient.

Configuration

We will only refer to the UCS specific settings here. Please refer to the official manual for all other questions. GADS Admin guide

To configure the Google Apps synchronization service log into your server and open a terminal emulator, for example konsole. Here you can start the configuration dialog for the synchronization service. If you installed it in the default path you can use the following command

/opt/GoogleAppsDirSync/config-manager

LDAP Configuration

For connecting to the LDAP you will need to provide an account, which can reed the LDAP. As the LDAP connection will not be able to synchronize the passwords to Google Apps, a normal user will be sufficient, it can even be the user running the synchronization script.

Then select the following settings in the tab LDAP Configuration:

Name Entry
Server Type OpenLDAP
Connection Type Standard LDAP
Host Name <local hostname>
Port 7389
Authentication Type Simple
Authorized User <DN of the new user>
Password <Password of the user>
Base DN: <Result of ucr get ldap/base>

User Accounts

In the category User Accounts add the following Search Rule

objectClass=person

In the tab Additional User Attributes you will have to enter the following attributes

Name Entry
Given Name Attribute(s) givenName
Family Name Attribute(s) sn

Choose a length of the random password that conforms with the requirements of your organization.

Links

Personal tools