Hi, and welcome to the Google Cloud Directory Sync demo. I'm Barry Schmell, a cloud trainer and course developer here at Google.

Maintaining a local LDAP directory, such as Active Directory, and a Google Cloud directory separately is not recommended because it's highly inefficient and error-prone. This is especially true for larger organizations where directory changes are made on a daily basis. Google Cloud Directory Sync, or GCDS, solves these problems by automatically creating and synchronizing data, such as user accounts, that are stored in your LDAP directory to Google Cloud. In the following demo, I'll show you how to configure GCDS to provision users in a Google domain.

Configuration Manager is the step-by-step user interface that guides you through creating, testing, and running a directory sync using GCDS. With Configuration Manager, you can set up and test the connection to your Google domain and LDAP server, configure the LDAP search criteria to identify which users, groups, or other data to synchronize, set up notifications and logging, verify your settings, run a simulated synchronization, and even apply the changes.

Configuration Manager uses an XML file to store your configuration settings. You can save or load a configuration file to store sync settings for later. To save your configuration file, click File, Save from the top menu. Similarly, to open an existing configuration file, click File, Open Recent.

I'd like to show you how to use GCDS to sync LDAP users with your Google domain. In this demo, I'll be using the domain galaxysola.com. Here in the first tab, called Google Domain Configuration, you identify your Google domain. I entered my primary domain name, galaxysola.com, then selected Replace domain names in LDAP email addresses of users and groups with this domain name. This consolidates all users and groups to your primary domain. If you're working with multiple domains, do not select this option.
Click Authorize Now to walk through the steps to sign in to your Google domain, grant access to GCDS, and then generate a verification code. Now copy and paste that verification code. When you click Validate, GCDS will automatically test the connection to your Google domain. If your connection fails, try again and ensure that you copied the correct code, you didn't add leading or trailing spaces, and the machine's date, time, and time zone are correct.

You can limit which users to import and sync by adding exclusion rules. This can, for example, exclude your administrator or other user accounts from being deleted from your Google domain if they don't exist in your LDAP. Remember, your LDAP is the single source of truth.

On the Connection Settings tab, you specify how your Google domain will connect to your LDAP directory server. Enter the LDAP connection settings, including hostname, port number, and base DN, or distinguished name, which is the starting point or root for LDAP searches. Then click Test Connection to verify the connection to LDAP.

In General Settings, you determine which data you're going to sync. For this demo, I've selected User Accounts. If you're also syncing groups, you would select Groups.

Now let's take a look at the User Accounts section. Here you're mapping the attributes from the LDAP directory to your Google domain. If you're working with Active Directory, click Use Defaults, and it uses the most common attributes. In the Google Domain Users Deletion/Suspension Policies section, GCDS defaults to Google's best practices. The Suspend Google domain option results in these users being inactive in your Google domain instead of being deleted, while the Don't suspend or delete Google domain admins option prevents your admin users from accidentally being deleted from your Google domain.

Let's take a look at the Additional User Attributes section.
Here you define additional user information to map from the LDAP to your Google domain, such as given name and family name. You also define your password synchronization policies. The default is to have GCDS generate an initial random password for your users. Alternatively, GCDS can synchronize the password from your LDAP if it's in one of the four supported password encoding formats: SHA1, MD5, Base64, or Plaintext. However, Active Directory's password format is not supported and cannot be synchronized. So with Active Directory, you may want to use another tool, such as G Suite Password Sync, as your password synchronization solution.

So how do you tell GCDS who your users are? Through setting up a Search Rule. You can add and customize your own Search Rule, or with Active Directory click Use Defaults, and GCDS will create a Search Rule for you. Let's look at the default Search Rule for Active Directory. Every LDAP object has an object category and object class, so we can distinguish whether it's a user, group, or shared contact. In this example, the Search Rule will return only LDAP objects with the following attributes: an object class of user, an object category of person, and an e-mail address. This Search Rule will only find users who have an email address in the LDAP. Then click Test LDAP Query to see the results. This search results in 16 users, and GCDS only shows you the first five. What if you have a complex LDAP environment? You'll probably need to add more than one Search Rule with more comprehensive criteria.

The Exclusion Rules tab has two sections. On the top, you can set limits on the number of users that GCDS can suspend or delete. If GCDS determines that it'll exceed either limit, it will generate an error and not sync any data. You can think of this as a safeguard so you don't inadvertently suspend or delete all your users. On the bottom, you can limit which users to import and sync from your LDAP by adding Exclusion Rules.
On the Notification Testing tab, you configure who gets notified every time GCDS does a sync. Enter the SMTP Relay Host, which can be your email server or Google, user credentials, the From address, and the To addresses or recipients. Click Test Notification to verify that a notification can be sent.

On the Logging Settings tab, you configure the logging parameters. Every time GCDS runs, the log file is updated with details of the sync. We'll go with the default file name and log level of info. Generally, you would only increase the log level to trace when you need to troubleshoot GCDS, but this can use large amounts of disk space.

Once you've checked the validation results for any missing configuration tabs, you can test the synchronization. When you know that your settings are correct, click Simulate Sync. GCDS will connect to your LDAP directory and your Google domain and then generate a list of proposed changes for the simulated sync. It does not apply any changes. So this option is great to test your Search Rules and Exception Rules for the expected results without actually making changes to your Google domain. Click Sync and Apply Changes to have GCDS apply the updates to your Google domain. Note, if your suspend or delete limits have been exceeded, then GCDS will log an error and not apply any changes. Don't forget to save your configuration settings by selecting File, Save.

You can also run GCDS from the command line using the sync command. The sync command allows you to automate the synchronization process, so you can schedule GCDS to run using a Linux cron job or Windows scheduled event. Let's look at some sync command examples. To run GCDS to simulate the synchronization, type sync-cmd -c followed by your XML configuration file name. To run GCDS and apply changes, just add the -a option: sync-cmd -c, your configuration file name, -a. The sync command also provides other controls that let you override your configuration file settings.
For a complete list of options, type sync-cmd -h.

I hope this demo has been useful in showing you how to configure and run directory sync. There's a variety of information on our help center about installing GCDS, preparing your LDAP directory, and tips for a successful sync.
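
The safeguards described in this demo (the default search rule, an exclusion for accounts that exist only in the Google domain, and the suspend limit checked during a simulated sync), modeled in Python. This is an added illustration, not GCDS code and not part of the original demo; the directory entries, addresses, function names, and the count-based limit are constructed assumptions.

```python
# Added illustration: a simplified model of a GCDS simulated sync (not GCDS code).
# Entries, addresses, function names and limit values are constructed assumptions.

LDAP_ENTRIES = [
    {"objectClass": "user", "objectCategory": "person", "mail": "ana@galaxysola.com"},
    {"objectClass": "user", "objectCategory": "person", "mail": "raj@galaxysola.com"},
    {"objectClass": "user", "objectCategory": "person"},  # no e-mail: not matched
    {"objectClass": "group", "objectCategory": "group", "mail": "ops@galaxysola.com"},
]
GOOGLE_USERS = {"ana@galaxysola.com", "admin@galaxysola.com",
                "old1@galaxysola.com", "old2@galaxysola.com"}


class LimitExceeded(Exception):
    """Raised when a sync would suspend more users than the configured limit."""


def search_rule(entry):
    """Rule from the demo: object class user, category person, has an e-mail."""
    return (entry.get("objectClass") == "user"
            and entry.get("objectCategory") == "person"
            and bool(entry.get("mail")))


def simulate_sync(ldap_entries, google_users, excluded, suspend_limit):
    """Return the proposed changes without applying anything.

    excluded: Google-side addresses that are never touched (e.g. an admin
    account that has no LDAP entry). suspend_limit: maximum suspensions allowed.
    """
    ldap_users = {e["mail"] for e in ldap_entries if search_rule(e)}
    to_create = sorted(ldap_users - google_users - excluded)
    to_suspend = sorted(google_users - ldap_users - excluded)
    if len(to_suspend) > suspend_limit:
        # Mirror the safeguard: report an error and propose no changes at all.
        raise LimitExceeded(f"{len(to_suspend)} suspensions exceed limit {suspend_limit}")
    return {"create": to_create, "suspend": to_suspend}


if __name__ == "__main__":
    print(simulate_sync(LDAP_ENTRIES, GOOGLE_USERS, {"admin@galaxysola.com"}, 2))
    try:
        simulate_sync(LDAP_ENTRIES, GOOGLE_USERS, set(), 2)  # admin now counted
    except LimitExceeded as err:
        print("sync aborted:", err)
```

Without the exclusion, the admin account that has no LDAP entry is counted as a suspension and pushes the run over the limit, so nothing is proposed.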