Jump to CustomersLinton > Linton > GoogleApps

Linton G Suite Configuration

Service accounts

• On the remote side gads@lvc.org which is a super administrator
• On the local side gads@linton.internal which is a standard user account with no e-mail address set

Which users and groups are synced?

For users it's down to this single LDAP filter:

(&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))

i.e. to sync a user:

• mail field must not be empty
• account must not be disabled
• account must not be set to have a password that never expires

Since the local gads account has no e-mail address set, it will never be matched with the remote gads account, and so password can remain independent on both sides.

Group sync is currently disabled.

How to test the sync

• Script to run a test sync is GADSSyncTest.ps1 on desktop on management
• Log can be viewed at \\gads\c$\Logs\GADS_report.txt
• A test sync is also recorded in the main log file

• Can also be run via a Scheduled Task:

How to actually sync

• A real sync is recorded in the main log file and also sent via e-mail
• Currently scheduled for 03:45 every weekday
• Script to run a test sync is GADSSyncReal.ps1 on desktop on management
• If results are unexpected (referencing non-existent objects, adding -f to the sync command (not the Powershell command) will flush the local cache

• Can also be run via a Scheduled Task:

Sync configuration

• Log file C:\Logs\GADS_sync.log
• Config file C:\Config\lvc.xml

Global exclusion:

• Type: Organization Complete Path
• Match Type: Exact Match
• Exclusion Rule: /Devices

This stops the Devices OU being removed and the enrollment user which is inside it being suspended.

Sync is enabled for:

• Organizational Units
• User Accounts

Connection:

• primary domain: lvc.org
• OAuth: gads@lvc.org
• Proxy: proxy:3128
• No global exclusion rules

LDAP settings:

• type: MS Active Directory
• connection: Standard LDAP
• hostname: dc01.linton.internal
• port: 389
• authentication: simple
• user: gads@linton.internal
• password: <password>
• base dn: DC=linton,DC=internal

OU settings:

• map ldap DN OU=User Accounts,DC=linton,DC=internal to Google OU /
• filter rule: (objectclass=organizationalunit)
• filter scope: subtree
• base dn: OU=Staff,OU=User Accounts,DC=linton,DC=internal
• filter rule: (objectclass=organizationalunit)
• filter scope: subtree
• base dn: OU=Students,OU=User Accounts,DC=linton,DC=internal

User settings:

• email attribute: mail
• unique identifier: objectGUID
• alias attribute: proxyAddresses
• suspend users not found in LDAP (don't delete them)
• don't suspend or delete Google Apps admins no found in LDAP
• given name: givenName
• family name: sn
• set password for new users only (random 50 characters)
• place users: based on OU mapping
• search rule: (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))
• search scope: subtree
• base DN: OU=Staff,OU=User Accounts,DC=linton,DC=internal
• search rule: (&(objectCategory=person)(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))
• search scope: subtree
• base DN: OU=Students,OU=User Accounts,DC=linton,DC=internal

Password Sync

Authentication method

Service account was created through the Google Developers Console, in a project called GAPS (Admin SDK enabled).

• Service account created (private key)
• Enabled Google Apps Domain-wide Delegation
• clientid authorised for the scope: https://www.googleapis.com/auth/admin.directory.user

Project owners are:

• daniel.turner@lvc.org
• morgan.willcock@lvc.org
• phil.reeves@lvc.org
• stephen.borrill@lvc.org

Service

• Service installed on DC01 and DC02
• Password changes handled by the service are recorded in Event Logs