This series covers the installation and configuration of Google Apps Directory Sync. This, the second part of the series, covers the Google Apps Configuration options of Google Apps Directory Sync.
Google Apps Configuration – Connection Settings
The Connection Settings tab allows you to tell GADS how to connect via the Internet to your Google Apps domain. On the first tab, Connection Settings, enter your Google Apps domain name in the Primary Domain Name box.
The “Replace domain names in LDAP email addresses” check box gives you the option to replace domain names in your LDAP (Active Directory) account email addresses with your Google Apps domain name. So, if your AD account email addresses are Steve.Jobs@school.beds.sch.uk but your Google Apps domain is @superschool.com, your Google Apps account email addresses will be converted to Steve.Jobs@superschool.com.
Ideally you will keep the same domain name and not need to use this option, as it raises synchronisation issues later on, but I’ll cover that in another post.
The Authorisation section allows you to choose how GADS authenticates with Google Apps. There are two options here:
- Authorise using OAuth: This is the recommended option as it authenticates with Google Apps using an authentication token rather than a specific user account. This has the advantage of not being reliant on an account that may become disabled or have its password changed, resulting in synchronisation failing.
- Use your Administrator Credentials: This option authenticates with Google Apps using a Google Apps account. This option is slightly more straightforward, but relies on the user account and password remaining unchanged. If you are using this option it is a good idea to set up an account specifically for this purpose to reduce the chance of account changes affecting synchronisation.
Google Apps Configuration – Proxy Settings
The Proxy Settings tab allows you to enter the details of your local proxy server through which GADS will access the Internet. The options available are:
- Hostname: Name or IP address of your internal proxy server.
- Port: Port used to connect to your proxy server (most commonly 8080 or 80).
- User Name: If your proxy server requires authentication, enter a local domain user name here.
- Password: If your proxy server requires authentication, enter the password for the account here.
You only need to enter HTTP Proxy information at the bottom of the page if the configuration is different to that above.
Google Apps Configuration – Exclusion Rules
Important! By default Google Apps Domain Sync will remove any account from Google Apps that does not exist in your Active Directory. If you have Google Apps accounts that you wish to keep that are not in AD, you should use the Exclusion Rules options.
To add an exclusion rule click the “Add Exclusion Rule” button. You will be presented with the following window:
There are two options here which are configurable:
- Type: The type of data to match against a user account. For example, an email address, Google Apps organisation path, or group name.
- Match Type: The method used to match the data against
Let’s make this a bit simpler!
To exclude a single user from being removed you can simply identify that user by email address. So, if the user’s address is Steve.Balmer@school.beds.sch.uk, do the following:
- Select User Email Address from the Type drop down menu
- From the Match Type drop down select Exact Match
- In the Exclusion Rule box type the user’s email address “Steve.Balmer@school.beds.sch.uk”
- Click OK
You can only enter one email address per exclusion rule so, if you have multiple users you wish to exclude, this can become cumbersome. To get around this issue you can use the Substring Match option from the Match Type drop down.
Substring Match allows you to exclude multiple users based on only part of one of their account variables. Let’s say that you have two users, firstname.lastname@example.org and email@example.com, that you want to exclude from being deleted. You can use the Substring Match option to exclude only users with the string “english” somewhere in the email address.
The final option is to use a regular expression to identify the user account(s). Regular expressions give much more control over identifying which accounts to exclude than the Substring Match option, and you can develop quite complex rules using this option. I don’t want to go too in-depth into regular expressions as it would probably fill several pages and isn’t really relevant to this topic. The best way to demonstrate this is with the examples Google give:
User Name: the regular expression team[3-9]@example.com excludes team3@example.com through team9@example.com.
Group Name: the regular expression Local Team – [A-Z][A-Z] excludes the “Local Team – NJ” and “Local Team – AZ” groups.
Member Name: the regular expression team[3-9]@example.com excludes team3@example.com through team9@example.com from groups synchronization.
For more examples of how to use exclusion rules, take a look at the Google Apps support website.
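The three match types described above, as an added example that is not part of the original post or of GADS itself: a dry-run model that lists which Google Apps accounts missing from AD would be removed and which rule protects each of the others. The account names, the rule layout and the whole-address, case-sensitive regex matching are assumptions.

```python
import re

# Constructed sample data (not from the original post).
AD_ACCOUNTS = ["steve.jobs@example.com"]
GOOGLE_ACCOUNTS = [
    "steve.jobs@example.com",    # also in AD: the sync keeps it
    "steve.balmer@example.com",  # Google-only, meant to be kept
    "english.one@example.com",   # Google-only, meant to be kept
    "j.english@example.com",     # leaver's account, meant to be removed
    "team2@example.com",         # outside the [3-9] range
    "team3@example.com",
    "old.leaver@example.com",    # leaver's account, meant to be removed
]

# Hypothetical rule layout: (match type, value), all on the user email address.
RULES = [
    ("exact", "steve.balmer@example.com"),
    ("substring", "english"),
    ("regex", "team[3-9]@example.com"),  # pattern quoted in the post
]

def is_excluded(address, rules):
    """Return the first rule that protects this address, or None."""
    for match_type, value in rules:
        if match_type == "exact" and address == value:
            return (match_type, value)
        if match_type == "substring" and value in address:
            return (match_type, value)
        # Assumption: the pattern must match the whole address.
        if match_type == "regex" and re.fullmatch(value, address):
            return (match_type, value)
    return None

def preview_sync(google_accounts, ad_accounts, rules):
    """Split Google-only accounts into (to_delete, protected_by_rule)."""
    in_ad = set(ad_accounts)
    to_delete, protected = [], {}
    for account in google_accounts:
        if account in in_ad:
            continue
        rule = is_excluded(account, rules)
        if rule:
            protected[account] = rule
        else:
            to_delete.append(account)
    return to_delete, protected

if __name__ == "__main__":
    print(preview_sync(GOOGLE_ACCOUNTS, AD_ACCOUNTS, RULES))
```

Here j.english@example.com is kept by the substring rule although it was meant to be removed, which is the kind of over-match to look for before running a real sync.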