Troubleshooting the integration of Google Apps with the organization's SSO system

Google Apps is great for your organization because it provides so many applications and tools.

These days, the first thing to consider when planning to deploy a new IT system is its integration with existing IT infrastructure. Google Apps provides single sign-on (SSO) login integration, which can use your organization's central SSO service.


I highlight below the main problems somebody could encounter during the deployment and integration of Google Apps in an organization.

The first thing to note is that in Google Apps, all users MUST exist in its user base in order to log in. This behavior is not as obvious as you might expect, because other systems automatically insert new users on first login.

And here comes the infamous Google Apps Directory Sync (GADS), which does just that. I am not sure whether Murphy has a law for this, but I say that "when you don't expect problems to happen, they will". More problems and solutions follow...

The instructions below assume a Linux box, but they are similar for Windows.

First, download and install GADS. Default installation path is: /opt/GoogleAppsDirSync

If your LDAP server uses SSL, then you have to install its certificates. They are stored by default in the file cacerts, located in the jre/lib/security directory of your GADS installation.

Install the SSL certificates (one command, continued over several lines):
sudo keytool \
-keystore /path-to-GADS/jre/lib/security/cacerts \
-import -trustcacerts -storepass changeit \
-file /path-to-your-certificates/certificate.pem

Show all installed SSL certificates:
sudo keytool -list -keystore /path-to-GADS/jre/lib/security/cacerts

Now test the connection to your SSL LDAP. Start GADS by running:
sudo config-manager

Now go to the LDAP Configuration tab and fill the form:
Connection Type: LDAP+SSL
Host Name: enter your LDAP host name or IP address
Port: The default is 389, but in many cases the SSL LDAP service listens on another port, so ask your LDAP administrator
Authentication Type: Simple
Authorized User: Be careful here! I spent hours on this, because I was trying usernames of the form "xxx@example.com", which are wrong. The trick is that you must enter the full DN of the user that will search the whole LDAP tree to find the users to be updated in the Google Apps user base. If you don't use the correct DN, you will get the following error message:
Initializing...
Error: Connection failed
Exception: javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN]

This will probably confuse you, because you might think that you gave a wrong Base DN, which is not the case. To find the full DN, you can do an LDAP search, e.g.:
ldapsearch -x "(uid=xxx)" dn 

Where xxx is the username that will be used.

Base DN: Enter your organization's DN. It should be something like:
DC=example,DC=com
If you haven't entered a valid Base DN, you might get an error similar to this:
Initializing...
Error: Unable to find specified object
Exception: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''

That's it! Now click Test Connection and you should be OK.
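The two form mistakes described above (an Authorized User that is not a DN, and a Base DN that is not a DN) can be caught before clicking Test Connection. The following is an added Python check written for this post, not part of GADS or the original article; the function names are mine and the ldapsearch output is a constructed sample.

```python
import base64
import re
from typing import Optional

# Attribute type "=" non-empty value, e.g. uid=gads or DC=example (RFC 4514 shape, simplified)
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def split_dn(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas (a '\\,' inside a value stays put)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts

def is_valid_dn(dn: str) -> bool:
    """True if every component is attr=value; 'gads@example.com' is not (GADS: error code 34)."""
    return bool(dn.strip()) and all(_RDN_RE.match(p) for p in split_dn(dn))

def dn_from_ldif(ldif: str) -> Optional[str]:
    """Return the first dn in ldapsearch (LDIF) output; 'dn::' marks a base64-encoded value."""
    for line in ldif.splitlines():
        if line.startswith("dn::"):
            return base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.startswith("dn:"):
            return line[3:].strip()
    return None

def preflight(bind_dn: str, base_dn: str) -> list:
    """Report form mistakes behind the GADS errors above (a nonexistent Base DN, error 32, needs the live directory)."""
    problems = []
    if not is_valid_dn(bind_dn):
        problems.append(f"Authorized User {bind_dn!r} is not a DN (LDAP error 34 - Invalid DN)")
    if not is_valid_dn(base_dn):
        problems.append(f"Base DN {base_dn!r} is not a well-formed DN")
    return problems

# Constructed sample of `ldapsearch -x "(uid=gads)" dn` output (not captured from a real directory)
SAMPLE_LDIF = """# filter: (uid=gads)
dn: uid=gads,ou=People,dc=example,dc=com
result: 0 Success"""
```

Feed the dn line extracted by dn_from_ldif into preflight as the Authorized User and the list of problems comes back empty; the "xxx@example.com" form from the post is flagged instead.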

Finally, if your configuration runs smoothly, you can schedule the synchronization, e.g. once a day via cron, using the command-line tool sync-cmd, like this:
sudo sync-cmd -a -o -c config.xml
