Cool Solution - Synchronize users with Google Apps

From Univention Wiki

Revision as of 12:46, 18 September 2012 by Mangels
UCS Version 3.0

Google offers a complex array of groupware, online office and related services. This article describes how to synchronize the users of your UCS Domain with your Google Apps domain.

Installation of the Synchronization Service

Because the server needs to make regular connections to the Internet and to access the LDAP, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP available while not being able to take over the domain or make changes to the LDAP. Furthermore, the server needs to have a local desktop environment installed to configure the service.

The installation files can be downloaded directly from Google. You can download the installer using the following command:

wget -P /tmp/ http://dl.google.com/dirsync/dirsync-linux.sh

Afterwards, make the script executable and run it:

chmod +x /tmp/dirsync-linux.sh
/tmp/dirsync-linux.sh

Answer all questions as you see fit. In most cases the default settings should be sufficient.

Configuration

To configure the Google Apps synchronization service, log into your server and open a terminal emulator, for example konsole. To become root, use the following command:

su

Afterwards, run the configuration dialog for the synchronization service with the following command:

/opt/GoogleAppsDirSync/config-manager

LDAP Configuration

For the LDAP connection, you need to create a Domain Admin account to synchronize the passwords to Google Apps. Set the shell to

/bin/false

to disallow any logins. Then select the following settings in the tab LDAP Configuration:

| Name | Entry |
|---|---|
| Server Type | OpenLDAP |
| Connection Type | Standard LDAP |
| Host Name | <local hostname> |
| Port | 7389 |
| Authentication Type | Simple |
| Authorized User | <DN of the new user> |
| Password | <Password of the user> |
| Base DN | <Result of ucr get ldap/base> |

User Accounts

In the category User Accounts, add the following Search Rule:

objectClass=person

In the tab Additional User Attributes, enter the following attributes:

| Name | Entry |
|---|---|
| Given Name Attribute(s) | givenName |
| Family Name Attribute(s) | sn |
| Password Attribute | userPassword |
| Password Encryption Method | SHA1 |
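
A pre-flight check for the Password Attribute and Password Encryption Method settings above, added here as an example (it is not part of the original article or of Google's tool): it reads an LDIF export of the objectClass=person entries and reports which userPassword values are unsalted SHA-1. It assumes the SHA1 setting corresponds to OpenLDAP's unsalted {SHA} scheme; the function names and the sample users are constructed for this example.

```python
import base64
import hashlib

def classify(value):
    """Name the storage scheme of one userPassword value ('{SCHEME}' prefix)."""
    if not value.startswith("{") or "}" not in value:
        return "no-scheme"
    scheme, _, body = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        return scheme
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return "malformed"
    if scheme == "SHA":  # a SHA-1 digest is exactly 20 bytes
        return "SHA1" if len(raw) == 20 else "malformed"
    return "SSHA" if len(raw) > 20 else "malformed"  # digest followed by the salt

def audit(ldif):
    """Map each DN in an LDIF export to the scheme of its userPassword."""
    report = {}
    for block in ldif.replace("\n ", "").strip().split("\n\n"):  # unfold wrapped lines
        dn, scheme = None, "missing"
        for line in block.splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded value
                scheme = classify(base64.b64decode(line[15:]).decode("utf-8", "replace"))
            elif line.startswith("userPassword: "):
                scheme = classify(line[14:])
        if dn:
            report[dn] = scheme
    return report

def sample_ldif():
    """Constructed export for four made-up users; no real names or hashes."""
    b64 = lambda b: base64.b64encode(b).decode()
    sha = "{SHA}" + b64(hashlib.sha1(b"example").digest())
    ssha = "{SSHA}" + b64(hashlib.sha1(b"example" + b"salt").digest() + b"salt")
    return "\n".join([
        "dn: uid=alice,dc=example,dc=com", "sn: Adams", "userPassword:: " + b64(sha.encode()), "",
        "dn: uid=bob,dc=example,dc=com", "sn: Brown", "userPassword: " + ssha, "",
        "dn: uid=carol,dc=example,dc=com", "sn: Clark", "userPassword: {crypt}$6$constructed", "",
        "dn: uid=dave,dc=example,dc=com", "sn: Doe", ""])

if __name__ == "__main__":
    for dn, scheme in audit(sample_ldif()).items():
        print("OK  " if scheme == "SHA1" else "CHECK", scheme, dn)
```

Entries reported as anything other than SHA1 hold a password value that does not match the configured method under the assumption above.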

Known Limitations

The synchronization does not work with the AD connector or passwords being changed using Samba 4.
