Saturday, March 10, 2012

Google Directory Synchronization with OpenDJ on Ubuntu 10.04 LTS


Synchronizing User Names

We use OpenDJ for authentication and we also use Google Apps for email and calendaring. We want to minimize the number of passwords that people must remember. Fortunately, Google has a utility that synchronizes our Google Apps domain with our OpenDJ LDAP server.

We've packaged it. The source code is available here.

Installation

Install the package with the following:

$ sudo apt-get install bbgads

You'll be asked a series of questions about your LDAP configuration and your Google Apps domain.

Once you've completed the installation, you must complete a few extra steps.

$ cd /opt/bbgads/current
$ sudo -u root ./config-manager

This will bring up the Configuration Manager and enable you to set two passwords: your Google Apps administrator password and your LDAP server password.

Go to File -> Open and choose /etc/gads/gads.xml

It will complain about your passwords. Just click Ok. There will be a hierarchy of settings on the left. Choose Configure -> Google Apps -> Settings and set the password for your administrator. Click the Test Connection button at the bottom. Next, go to Configure -> LDAP Settings -> LDAP Connection and set your LDAP password. There is a Test Connection button for this as well.

Finally, go to File -> Save and save your changes.

Going Live

You should use OAuth authentication to go live. Use the config-manager application to enable it.

The default configuration for /opt/bbgads/current/sync-script.sh does NOT push any changes to Google. Before you push changes, be sure to check /var/log/gads/directory-sync.log to see what changes will be applied.

If you are happy with the proposed changes, edit /opt/bbgads/current/sync-script.sh and add an -a to the command. Precise instructions are included in the file.

Non-Google Users

You may find that you want to store users in your LDAP directory who are not needed in Google Apps. My solution has been to search only for sambaSamAccount users and synchronize just those; my local users generally need access to Samba services anyway. That way, I can create posixAccount users with ldapadduser instead of smbpasswd -a, and those users can still authenticate but are not synchronized with the Google Apps domain.
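To see which entries an objectClass-based search rule would hand to the sync, here is an added example (not part of the bbgads package or Google's tool) that parses a small constructed LDIF dump and applies the sambaSamAccount filter described above; the DNs, attribute names and example.com domain are assumptions, not values from a real directory.

```python
# Added example: simulate the objectClass filter used to limit which
# OpenDJ entries are pushed to Google Apps. The LDIF below is constructed
# sample data; only plain-text attribute values and continuation lines
# are handled (no base64 "::" values).

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
mail: alice@example.com

dn: uid=backup,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: backup
mail: backup@example.com
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sync_candidates(entries, object_class="sambaSamAccount"):
    """Return (dn, mail) for entries matching (objectClass=<object_class>).

    posixAccount-only users (created with ldapadduser) are left out, so they
    can authenticate against OpenDJ without being pushed to Google Apps.
    """
    selected = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if object_class.lower() in classes and entry.get("mail"):
            selected.append((entry["dn"][0], entry["mail"][0]))
    return selected


if __name__ == "__main__":
    for dn, mail in sync_candidates(parse_ldif(SAMPLE_LDIF)):
        print(f"would sync {mail} ({dn})")
```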