Cool Solution - Synchronize users with Google Apps

From Univention Wiki

Revision as of 12:51, 18 September 2012 by Mangels (talk | contribs)

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also note the legal notes in the Terms of Service.
UCS Version 3.0

Google offers a complex array of groupware, online office and related services. This article describes how to synchronize the users of your UCS Domain with your Google Apps domain.

Installation of the Synchronization Service

Because the server needs to make regular connections to the internet as well as access the LDAP directory, it is a good idea to install the service on a DC Slave. This ensures that the synchronization service has a local LDAP server available without being able to take over the domain or make changes to the LDAP directory. Furthermore, the server needs a local desktop environment installed to configure the service.

The installation files can be downloaded directly from [google]. You can download them using the following command:

wget -P /tmp/

Afterwards, the script has to be made executable and can then be run:

chmod +x /tmp/

Answer all questions as you see fit. In most cases the default settings should be sufficient.


To configure the Google Apps synchronization service, log into your server and open a terminal emulator, for example konsole. To become root, use the following command:


Afterwards, run the configuration dialog for the synchronization service with the following command:


LDAP Configuration

For the LDAP connection, you need to create a Domain Admin account to synchronize the passwords to Google Apps. Set the shell to


to disallow any logins. Then select the following settings in the tab LDAP Configuration:

Name                  Entry
Server Type           OpenLDAP
Connection Type       Standard LDAP
Host Name             <local hostname>
Port                  7389
Authentication Type   Simple
Authorized User       <DN of the new user>
Password              <Password of the user>
Base DN               <Result of ucr get ldap/base>

User Accounts

In the category User Accounts, add the following Search Rule:


In the tab Additional User Attributes, you will have to enter the following attributes:

Name                          Entry
Given Name Attribute(s)       givenName
Family Name Attribute(s)      sn
Password Attribute            userPassword
Password Encryption Method    SHA1

Known Limitations

The synchronization does not work with the AD connector or with passwords that are changed using Samba 4.
