
Tuesday, September 29, 2015

Automatically Syncing Verified Google Classroom Teachers

At a recent google technical cooperative meetup I attended, one of the comments was that it'd be nice to be able to add users as verified google classroom teachers automatically as an OU setting in google apps. While a setting like that would be handy, if you're syncing your active directory to google apps using google apps directory sync (GADS), there's actually a way to accomplish it. For the rest of this post, substitute gappsdomain.com with your actual google apps domain name.

Google uses the special group classroom_teachers@gappsdomain.com to indicate which users are verified teachers who can use classroom. If you sync this group using google apps directory sync, you'll be able to automatically keep the group up to date with teachers in your organization.

There are a few different ways to sync the group, depending on your active directory setup. Here are some examples:

Scenario 1


"I have a security group in AD that contains all my individual teachers (not nested groups!)"

Probably the easiest situation. You might already be syncing this group to google apps under a different name like all-teachers@gappsdomain.com. If that's the case, no problem! Just tuck the email address classroom_teachers@gappsdomain.com into another LDAP attribute on that group and then add another sync rule that syncs the same group again, using that attribute as the group email address.


Scope: Object - We just want to sync this one group
Rule: (objectClass=group) - We just want group objects
Base DN: The distinguished name of the group we're syncing, something like CN=all-teachers, OU=groups, DC=gappsdomain, DC=com
Group Email Address Attribute: The attribute on the group that contains classroom_teachers@gappsdomain.com
User Email Address Attribute: The attribute on your USERS that contains their google apps username
Member Reference Attribute: member

Scenario 2


"I have a security group in AD that contains other groups that contain all my teachers"

Here's where we get a bit creative, since syncing nested groups won't work with the classroom_teachers group: it has to contain a list of the individual accounts. If you've read this other blog post, then you know exactly where we're headed with this.

Similar to the previous scenario, if you're already syncing this group, you're going to need to tuck the string classroom_teachers@gappsdomain.com into an LDAP attribute other than mail on the group. For simplicity's sake you might just want to create a new group that contains your all-teachers group. This has the added benefit of letting you add non-teachers (admin positions, etc.) to the group to allow classroom access. You'll also need to put an LDAP search string into another attribute of the group. To make the correct search string, get the DN of the group that contains all your other groups. Let's say that a group all-teachers contains the groups all-schoolA-teachers, all-schoolB-teachers, etc. Let's also say that the DN of the group all-teachers is CN=all-teachers, OU=groups, DC=gappsdomain, DC=com.

This search string will look like the following:

 (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=all-teachers,OU=Groups,DC=gappsdomain,DC=com))  

Let's say that we put that long string into the "extensionAttribute2" LDAP attribute for that group, and the classroom_teachers@gappsdomain.com value into the "extensionAttribute1" LDAP attribute. Our GADS settings should look like the following:


Scope: Object - We just want to sync this one group
Rule: (objectClass=group) - We just want group objects
Base DN: The distinguished name of the group we're syncing, something like CN=all-teachers, OU=groups, DC=gappsdomain, DC=com
Group Email Address Attribute: extensionAttribute1 - The attribute on the group that contains classroom_teachers@gappsdomain.com
User Email Address Attribute: The attribute on your USERS that contains their google apps username
Dynamic (Query-based) group?: Checked ON; this tells GADS to use the following attribute to search for the members
Member Reference Attribute: extensionAttribute2 (or whichever LDAP attribute you stored the search string in)

Thursday, September 25, 2014

Syncing Nested Groups to Google Apps using GADS

We use GADS (Google Apps Directory Sync) to sync our Active Directory structure with our Google apps setup. We wanted to start syncing groups, however the users we wanted to be part of the group were nested within other groups. One way we could resolve this would be to sync all the intermediary groups, but in our case that would create a lot of groups that we really wouldn't need. The solution we came up with has two parts:

1) In Active Directory create a special LDAP filter and assign it to one of the group's extensionAttribute values

2) In GADS sync the group as a Dynamic group, using the extensionAttribute to perform the query to find the users

Let's say we have a security group called cool-users. cool-users doesn't have any users, but the security groups rad-dudes and awesome-guys are members of it and THOSE groups have users. We want to sync this to Google Apps as cool-users@contoso.com, but we don't want to create groups for rad-dudes and awesome-guys; we just want all the users to be a part of cool-users@contoso.com.

For step one, the query we needed to craft was as follows:

 (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=cool-users,OU=Groups,DC=contoso,DC=com))  

For those not super familiar with LDAP search syntax, this is a query that looks for an object that is a user and is a member of the group identified by the distinguished name CN=cool-users,OU=Groups,DC=contoso,DC=com. The weird looking bit (memberOf:1.2.840.113556.1.4.1941) is the magical part that does its own search to find all the members of the group (including nested ones). For further reading check out http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx and look for LDAP_MATCHING_RULE_IN_CHAIN.
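To make concrete what the matching rule actually computes, and how the search string should be built, here is an added Python model; it is not code from the blog post or from GADS. The directory below is a constructed in-memory stand-in for Active Directory (the cool-users / rad-dudes / awesome-guys groups from this post, plus hypothetical user DNs and a deliberate circular nesting). transitive_user_members() does by hand what memberOf:1.2.840.113556.1.4.1941 does server-side, and build_chain_filter() produces the same search string shown above, except that it applies RFC 4515 escaping so a group whose name contains ( ) * or \ cannot produce a malformed or altered filter when the DN is concatenated in. The same filter shape serves the classroom_teachers scenario in the newer post above.

```python
"""Model of the LDAP_MATCHING_RULE_IN_CHAIN lookup that a GADS dynamic group relies on,
plus a safe way to build that filter from a group DN.
Added example; the directory is a constructed stand-in for Active Directory (hypothetical DNs)."""

# Constructed sample directory: DN -> (objectClass, list of member DNs)
DIRECTORY = {
    "CN=cool-users,OU=Groups,DC=contoso,DC=com": ("group", [
        "CN=rad-dudes,OU=Groups,DC=contoso,DC=com",
        "CN=awesome-guys,OU=Groups,DC=contoso,DC=com",
    ]),
    "CN=rad-dudes,OU=Groups,DC=contoso,DC=com": ("group", [
        "CN=alice,OU=Users,DC=contoso,DC=com",
        "CN=cool-users,OU=Groups,DC=contoso,DC=com",  # circular nesting: must not loop forever
    ]),
    "CN=awesome-guys,OU=Groups,DC=contoso,DC=com": ("group", [
        "CN=bob,OU=Users,DC=contoso,DC=com",
        "CN=svc-printer,OU=Service,DC=contoso,DC=com",  # not a user, excluded by objectClass=user
    ]),
    "CN=alice,OU=Users,DC=contoso,DC=com": ("user", []),
    "CN=bob,OU=Users,DC=contoso,DC=com": ("user", []),
    "CN=svc-printer,OU=Service,DC=contoso,DC=com": ("computer", []),
}

# RFC 4515: characters that must be escaped inside an LDAP filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it can be embedded in a search filter without changing its structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_chain_filter(group_dn):
    """The search string GADS runs for a dynamic group: users that are (transitively) members of group_dn."""
    return ("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:="
            + escape_filter_value(group_dn) + "))")


def direct_members(group_dn, directory=DIRECTORY):
    """Plain 'member' attribute lookup, i.e. what a non-dynamic group sync would see."""
    return directory.get(group_dn, ("", []))[1]


def transitive_user_members(group_dn, directory=DIRECTORY):
    """What the chain matching rule resolves to: every user reachable through nested groups."""
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:          # handles circular nesting
            continue
        seen.add(dn)
        for member in directory.get(dn, ("", []))[1]:
            obj_class = directory.get(member, ("", []))[0]
            if obj_class == "user":
                users.add(member)
            elif obj_class == "group":
                stack.append(member)
    return sorted(users)


if __name__ == "__main__":
    group = "CN=cool-users,OU=Groups,DC=contoso,DC=com"
    print(build_chain_filter(group))
    print("direct members (no users at all):", direct_members(group))
    print("users found via the chain rule:", transitive_user_members(group))
```

Running it shows the point of the post: the direct member list of cool-users holds only two group DNs and zero users, while the chain walk returns alice and bob and skips the computer object. The escaping helper is what the PowerShell script below would need if group names could carry filter metacharacters; using the object's DistinguishedName rather than concatenating the name also avoids building a wrong DN for groups living in a sub-OU.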

With our rule made we now need to assign it to the group, which we COULD do a number of different ways (such as editing the object directly with object editor), but we have a few objects we want to sync like this, so we opted to do it programmatically via powershell using the following script:

 # Get-ADGroup / Set-ADGroup come from the ActiveDirectory module (RSAT)  
 Import-Module ActiveDirectory  
 # Find every group whose name ends in -users under the Groups OU  
 Get-ADGroup -LDAPFilter "(&(objectClass=group)(cn=*-users))" -SearchBase "OU=Groups,DC=contoso,DC=com" |  
 ForEach-Object {  
   # Build the LDAP_MATCHING_RULE_IN_CHAIN search string for this group; the object's own  
   # DistinguishedName is used rather than assembling the DN by hand from the name  
   $EXT1 = "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=" + $_.DistinguishedName + "))"  
   Set-ADGroup $_ -Replace @{extensionAttribute1=$EXT1}  
 }  
What this does is grab any groups that end in -users in the OU=Groups,DC=contoso,DC=com OU and sets extensionAttribute1 to the proper search string. It might not be a bad idea to run this as a scheduled powershell task every so often so that new groups and any renamed groups get the correct search string.

Now that our groups are set properly, we can configure GADS to use them. Open GADS, head for the groups tab and add a search rule that looks like the following:

We're going to find any groups that match *-users in our Groups OU and sync them to Google Apps, but we're going to make them Dynamic and use extensionAttribute1 as the object property that contains the search that returns all of our users. Run a test of your sync and voila! You should have the groups syncing all the users that belong to them!

One word of caution: using LDAP_MATCHING_RULE_IN_CHAIN to search in this manner can be computationally expensive, so it's possible that your sync could take noticeably longer to run. It's best to make use of filters and only use this method on the groups that need it. I hope you find this useful!