LDAP (Lightweight Directory Access Protocol) stores information for users and groups in a centralized server. Using the built-in LDAP server of QNAP NAS, administrators can manage users in the LDAP directory and allow users to connect to multiple QNAP NAS with the same username and password. QNAP NAS now also supports synchronizing data from the NAS LDAP server to Google Apps Directory Sync (GADS), which simplifies adding, deleting and editing user accounts by using centralized Google apps on the cloud instead of managing accounts on different NAS. This also provides greater convenience as NAS administrators and users only have to use one set of login credentials for multiple QNAP NAS and Google apps.
This application note shows how to synchronize LDAP user and group data from your NAS LDAP Server to GADS. While GADS supports many options (including calendar resources, organization units, user accounts, and user profiles), QNAP NAS currently only synchronizes “user accounts” and “groups” with GADS. This application note will focus on these two options.
- Enable LDAP Server in your QNAP QTS NAS. See the following link for more information:
- Create users and groups in the NAS LDAP server.
- A Google Apps account is required. See the following link for more information: http://www.google.com/intl/en/enterprise/apps/business/
- Install Google Apps Directory Sync on your preferred device. See the following link for more information: http://support.google.com/a/bin/answer.py?hl=en&answer=106368
Enable Google Apps API access:
You must log in to the Google Apps admin console and enable API access to use GADS:
- Log into your Google Apps admin account at http://www.google.com/enterprise/apps/business/
- Go to the Security settings page. In the API reference section, check "Enable API access", and then click "Save Changes".
Set up Google Cloud Directory Sync:
After Google Apps API access is enabled, you can start the GADS application and set up the Configuration Manager with the following steps:
Check the following link for more information in configuring GADS: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280
- Launch Google Cloud Directory Sync
- Go to the General Settings tab and ensure that only User Accounts and Groups are checked.
- Go to the Google Domain Configuration tab. Enter the Primary Domain Name where the data of the Google Apps account domain will be synchronized.
- Check “Replace domain names in LDAP email addresses (of users and groups) with this domain name”. This changes all LDAP account usernames to match the Primary Domain Name (pattern: [Username]@[Google_Apps_Primary_Domain_Name]). For example, if the original username of a Directory Server user is user01@qnap and the Google Apps domain name is myqnapcloud.com, the user's Google Apps account becomes user01@myqnapcloud.com. If you do not enable this option, the domain names of the LDAP email addresses remain unchanged.
- Click "Authorize Now".
- The application will prompt you to sign in with the admin account and password.
- Go to the LDAP Configuration tab, then Connection Settings to configure the connection settings with the QNAP NAS.
Server Type: Select "OpenLDAP".
Connection Type: Select "Standard LDAP".
Host Name: Key in the IP address of your QNAP NAS.
Port: The default setting is 389.
Authentication Type: The NAS LDAP Server uses a "Simple" authentication type.
Authorized User: Refer to your NAS settings and enter the DN of the account that will bind to the server (for example: "cn=admin,dc=mydomain,dc=com").
Password: Enter the admin account's password.
Base DN: The LDAP domain (for example: "dc=mydomain,dc=com").
Click "Test connection" to confirm your settings are correct.
- Go to the User Accounts tab for GADS to create an LDAP user list:
See the following link for naming rules in creating group names, user names and passwords: https://support.google.com/a/answer/33386
8.1 In User Attributes: Enter the GADS attributes.
Email Address Attribute: The LDAP attribute that supplies the usernames of the Google Apps accounts. Using "mail" is recommended.
Unique Identifier Attribute: An LDAP attribute holding a unique identifier for every user on your QNAP NAS Directory Server. It lets GADS detect users that are renamed on the NAS Directory Server and sync the change to Google Apps. Using "uidNumber" is recommended.
Alias Address Attributes: Optional. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280
Google Apps User Deletion / Suspension Policy: The policy for deleting or suspending users that exist in Google Apps but not on your QNAP Directory Server. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280. Note that you need licenses for the number of users you maintain. See the following link for more information: http://support.google.com/a/bin/answer.py?hl=en&answer=33387&topic=14586&ctx=topic
8.2 Additional User Attributes: This tab allows more optional LDAP attributes to be applied to Google Apps user accounts:
Given Name Attribute(s) and Family Name Attribute(s): Optional. Using "uid" or a blank entry is recommended.
Synchronize Passwords: It is recommended to select "Only for new users".
Force new users to change password: New users must change their passwords.
Default password for new users: Set up pre-defined initial passwords for new users. When new users log in for the first time, they must change their password.
8.3 Search Rules: This tab manages the set of rules used to build the LDAP user list. Users that match the search rules are included in the Google Apps user list; users that do not match are excluded.
Click "Add Search Rule". A new window will appear.
In the "Rule" section of the window, enter "objectClass=inetOrgPerson" to get all LDAP users from the Directory Server and click "OK".
The newly-added rule will now be seen in the Search Rules.
8.4 Exclusion Rules: Use these rules to exclude users on the QNAP Directory Server that would otherwise match the search rules. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280
- Groups: Configure synchronization for Google Groups for Enterprise. Similar to LDAP mailing lists, a single group email address delivers a message to every member of the group. The Groups tab lets you set up GADS to create a list of groups from the LDAP directory server. Refer to the setup information of the LDAP directory server to configure the options in this tab.
9.1 Search Rules: The QNAP Directory Server's mailing lists can be synchronized with Google Groups. The rules set on this page form the LDAP group list.
Click "Add Search Rule" to add rules for group search.
In the new window, enter the following information in the LDAP tab:
Scope: Select the level to apply the mailing list rule, either Sub-tree or one-level.
Rule: Specify the LDAP query that Group Sync applies. For example, use "objectClass=posixGroup" to ask the Directory Server for all LDAP groups.
Base DN: Optional. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280
Group Email Address Attribute: Specify an LDAP attribute that holds the group's email address; this becomes the group email address in Google Apps. Use "cn".
Group Display Name Attribute: Enter an LDAP attribute for the group display name, which is shown to represent the group; it does not need to be a valid email address. For example, use "displayName".
Group Description Attribute: Optional. Enter an LDAP attribute for the group description. This will be used as the group description in Google Apps. For example, use "description".
User Email Address Attribute: Enter an LDAP attribute that holds user email addresses; it is used to obtain the email addresses of group members. For example, use "uid".
Member Literal Attribute: Enter "memberUid". See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280.
Dynamic group Base DN attribute and Owners: Optional. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280.
Click "OK" when finished.
9.2 Exclusion Rules: Specify rules to exclude mailing lists in your directory server that would otherwise match the mailing list rules. See the following link for more information: https://support.google.com/a/topic/2679497?hl=en&ref_topic=4511280.
Since User Profiles, Shared Contacts and Calendar Resources are not supported by QNAP NAS, these tabs can be ignored.
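As an added example (not part of this application note or of GADS itself), the following Python script dry-runs the mapping configured in the User Accounts and Groups tabs above: it applies the objectClass=inetOrgPerson and objectClass=posixGroup search rules to a small constructed LDIF export, rewrites the mail domain the way the "Replace domain names" option does, resolves memberUid members through uid, and reports the entries GADS would have nothing to provision. The LDIF data, the domain myqnapcloud.com and all function names are assumptions; the attribute choices ("mail", "uidNumber", "cn", "uid", "memberUid") follow the recommendations above.

```python
import re
# Constructed sample export of a QNAP NAS LDAP tree (not real NAS output).
SAMPLE_LDIF = """\
dn: uid=user01,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: user01
uidNumber: 1001
mail: user01@qnap

dn: uid=user02,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: user02

dn: cn=staff,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: staff
memberUid: user01
memberUid: user02
"""

def parse_ldif(text):  # minimal LDIF parser: one dict per entry, attribute -> list of values
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for key, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def matches(entry, rule):  # evaluate a GADS search rule of the simple "attr=value" form
    attr, _, value = rule.partition("=")
    return value in entry.get(attr, [])

def replace_domain(address, primary_domain):  # "Replace domain names in LDAP email addresses"
    return f"{address.split('@', 1)[0]}@{primary_domain}"  # user01@qnap -> user01@<domain>

def simulate_sync(ldif, primary_domain):  # dry run; returns (users, groups, warnings)
    entries, users, groups, warnings = parse_ldif(ldif), {}, {}, []
    for e in entries:  # User Accounts tab: search rule objectClass=inetOrgPerson
        if not matches(e, "objectClass=inetOrgPerson"): continue
        if "mail" not in e:  # Email Address Attribute "mail" is absent: nothing to provision
            warnings.append(f"{e['dn'][0]}: no mail attribute, user skipped")
            continue
        users[e["uid"][0]] = (replace_domain(e["mail"][0], primary_domain), e["uidNumber"][0])
    for e in entries:  # Groups tab: search rule objectClass=posixGroup, members via memberUid
        if matches(e, "objectClass=posixGroup"):
            missing = [u for u in e.get("memberUid", []) if u not in users]
            warnings += [f"group {e['cn'][0]}: memberUid {u} has no synced user" for u in missing]
            groups[f"{e['cn'][0]}@{primary_domain}"] = [users[u][0] for u in e.get("memberUid", []) if u in users]
    return users, groups, warnings
```

Users are keyed by uid (the User Email Address Attribute) with uidNumber kept as the unique identifier; a skipped user therefore also surfaces as an unresolved group member, which is the kind of gap the Validation Result in the Sync step reports.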
- Notifications: Set up GADS to notify users when synchronization occurs.
SMTP Relay Host: Select an SMTP server for sending notifications. Use "aspmx.l.google.com".
From address: The sender address to appear in the notification emails.
To addresses (recipients): Enter the email addresses for recipients of notification emails in the blank field and click "Add".
Test Notification: Check that your notification settings are correct by sending test emails.
- Logging: Set the log file names, the path where they are stored and other logging options here.
- Sync: Run a simulated synchronization before any real change is made. A Validation Result appears and alerts you to missing information or errors. If no errors appear, click "Sync & apply".
- When synchronization is complete, synchronized users and groups can be checked via the control panel of the Configuration Manager: