Sync groups & users to a Cloud Search identity source

Google Cloud Search uses an identity source to map user identities from third-party repositories. User identities can be stored in a Lightweight Directory Access Protocol (LDAP) server, such as Microsoft Active Directory. To synchronize Active Directory groups with your identity source, you can use Google Cloud Directory Sync (GCDS).

Note: If the user IDs you're syncing are defined by specific search and exclusion rules, then apply the new custom schema to a set of users. If not, then apply it to all user accounts.

Before you begin

• Set up GCDS to synchronize data from Active Directory.
• Create a service account and its credentials.
• Create an identity source in the Admin console. Copy its identity source ID.

Step 1: Turn on identity mapped groups

1. At the command line, enter one of the following commands:
   • Linux (from the directory of the installation): $ ./config-manager --enable-img 
   • Microsoft Windows: > config-manager.exe --enable-img
2. Open Configuration Manager.
3. In the left panel, click General Settings.
4. Check the Identity Mapped Groups checkbox.

   The Identity Mapped Groups option appears in the left panel.

Step 2: Add groups to sync

1. Open Configuration Manager.
2. In the left panel, click Identity Mapped Groups.
3. On the Search Rules tab, enter the following information:
   • Identity source ID (include the "identitysources/" part of the string)
   • Service account file path
4. Click Add Search Rule and enter the following information:
   • Scope
   • Rule
   • Group attributes
5. ​Click OK.

Next... 

• To test your search rule after you add it, click Test LDAP Query.
• You can add more search rules and GDCS syncs them all. Learn more about how to add LDAP search rules to synchronize data.
• To exclude groups that are returned from your search rules, click the Exclusion Rules tab. Learn how to use exclusion rules with GCDS.

Step 3: Sync user identities to Cloud Search

1. In the left panel, click Custom schemas.
2. Click Add schema.
3. Select either Define custom search rules or User rules defined in "User Accounts". For more details, see Sync custom user fields using a custom schema.
4. For Schema name, enter the identity source ID. Do not include "identitysources" in the ID.
5. For LDAP field name, enter the LDAP field that contains your external user identifier. This identifier is used in Cloud Search user principals with the form identitysources/source-id/users/user-identifier.
6. For Google field name, enter the identity source ID appended with "_identifier". For example, if the identity source ID is 02b392ce3a23, enter 02b392ce3a23_identifier.
7. For Google field type, select String and ensure that the field has only one value.
8. Click OK.

For more information, go to Create an identity source.

Step 4: Schedule your sync

1. Open Configuration Manager.
2. In the left panel, click Sync.

You can simulate a sync or save your settings. Learn how to automate your synchronization process.

Encoding binary attributes

If you use a binary attribute (such as objectSid or objectGUID) as the group name or user email attribute, it's converted to a string using an encoding scheme. The supported encoding schemes are:

• Base 16 (Hexadecimal)
• Base 32
• Base 32 Hex
• Base 64
• Base 64 URL

If you want to change the encoding scheme, manually update the configuration file:

1. Open the configuration file and under the <identityMappedGroupBasicConfig> tag, find <binaryAttributesEncoding>.

2. If <binaryAttributesEncoding> isn't there, you're using the legacy base 64 encoding scheme. Under <identityMappedGroupBasicConfig>, add <binaryAttributesEncoding>.

3. Update <binaryAttributesEncoding> with one of the following options:

   • BASE16
   • BASE32_NOPADDING
   • BASE32_HEX_NOPADDING
   • BASE64_URL_NOPADDING

Example:

<identityMappedGroupBasicConfig>

    <identitySourceId>identitysources/...</identitySourceId>

    <serviceAccountFilePath>....</serviceAccountFilePath>

    <binaryAttributesEncoding>BASE16</binaryAttributesEncoding>

</identityMappedGroupBasicConfig>