Google uses the special group classroom_teachers@gappsdomain.com to indicate which users are verified teachers who can use Classroom. If you sync this group using Google Apps Directory Sync (GADS), you'll be able to automatically keep the group up to date with the teachers in your organization.
There are a few different ways to sync the group, depending on your Active Directory setup. Here are some examples.
Scenario 1
Probably the easiest situation. You might already be syncing this group to Google Apps under a different name, like all-teachers@gappsdomain.com. If that's the case, no problem! Just tuck the email address classroom_teachers@gappsdomain.com into another LDAP attribute on that group, then add another sync rule that syncs the group again, using that attribute as the group email address.
Scope: Object - We just want to sync this one group
Rule: (objectClass=group) - We just want group objects
Base DN: The distinguished name of the group we're syncing, something like CN=all-teachers, OU=groups, DC=gappsdomain, DC=com
Group Email Address Attribute: The attribute on the group that contains classroom_teachers@gappsdomain.com
User Email Address Attribute: The attribute on your USERS that contains their Google Apps username
Member Reference Attribute: member
Scenario 2
Here's where we get a bit creative, since syncing nested groups won't work with the classroom_teachers group. It has to contain a list of the individual accounts. If you've read this other blog post, then you know exactly where we're headed with this.
Similar to the previous scenario, if you're already syncing this group, you're going to need to tuck the string classroom_teachers@gappsdomain.com into an LDAP attribute other than mail on the group. For simplicity's sake, though, you might just want to create a new group that contains your all-teachers group. This has the added benefit of letting you add non-teachers (admin positions, etc.) to the group to allow Classroom access. You'll also need to put an LDAP search string into another attribute of the group. To make the correct search string, get the DN of the group that contains all your other groups. Let's say that a group all-teachers contains groups for all-schoolA-teachers, all-schoolB-teachers, etc. Let's also say that the DN of group all-teachers is CN=all-teachers, OU=groups, DC=gappsdomain, DC=com.
This search string will look like the following:
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=all-teachers,OU=Groups,DC=gappsdomain,DC=com))
Let's say that we put that long string into the "extensionAttribute2" LDAP attribute for that group, and the classroom_teachers@gappsdomain.com value into the "extensionAttribute1" LDAP attribute. Our GADS settings should look like the following:

Scope: Object - We just want to sync this one group
Rule: (objectClass=group) - We just want group objects
Base DN: The distinguished name of the group we're syncing, something like CN=all-teachers, OU=groups, DC=gappsdomain, DC=com
Group Email Address Attribute: extensionAttribute1 - The attribute on the group that contains classroom_teachers@gappsdomain.com
User Email Address Attribute: The attribute on your USERS that contains their Google Apps username
Dynamic (Query-based) group?: Checked ON, this tells GADS to use the following attribute to search for the members
Member Reference Attribute: extensionAttribute2 (or whichever LDAP attribute you stored the search string)
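Because membership in this group is what marks a user as a verified teacher, it helps to see exactly which accounts the search string pulls in. The following Python model is an added example, not code from the original post or from GADS: it builds the Scenario 2 search string with filter escaping and compares direct member values against the flattened result on constructed directory data. The school group contents, user names and function names are hypothetical.

```python
# Added example. All directory data below is constructed for illustration.
OID_IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID from the post's search string
SUFFIX = "DC=gappsdomain,DC=com"
ALL_TEACHERS = "CN=all-teachers,OU=groups," + SUFFIX
SCHOOL_A = "CN=all-schoolA-teachers,OU=groups," + SUFFIX
SCHOOL_B = "CN=all-schoolB-teachers,OU=groups," + SUFFIX

# group DN -> direct values of its "member" attribute (users or other groups)
GROUPS = {
    ALL_TEACHERS: [SCHOOL_A, SCHOOL_B, "CN=principal,OU=staff," + SUFFIX],
    SCHOOL_A: ["CN=alice,OU=staff," + SUFFIX, "CN=bob,OU=staff," + SUFFIX],
    SCHOOL_B: ["CN=bob,OU=staff," + SUFFIX, ALL_TEACHERS],  # accidental cycle
}

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    out = value.replace("\\", "\\5c")  # backslash first, so later escapes survive
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out

def in_chain_filter(group_dn):
    """Build the search string stored in the member reference attribute."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (OID_IN_CHAIN, escape_filter_value(group_dn))

def direct_users(group_dn):
    """Users listed directly in 'member': nested groups are not expanded."""
    return sorted(m for m in GROUPS[group_dn] if m not in GROUPS)

def transitive_users(group_dn):
    """Model of the in-chain result: walk nested groups, visiting each once."""
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in GROUPS[dn]:
            if member in GROUPS:
                stack.append(member)
            else:
                users.add(member)
    return sorted(users)

if __name__ == "__main__":
    print(in_chain_filter(ALL_TEACHERS))
    print("direct members only:", direct_users(ALL_TEACHERS))
    print("in-chain resolution:", transitive_users(ALL_TEACHERS))
```

Comparing the two lists before enabling the rule shows every account that will gain teacher status, including users who arrive only through a nested group.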