Duo OpenLDAP Directory Sync and Google Workspace (GSuite) LDAP

KevinSiddique · ‎02-26-2021

This is just a heads up to anyone out there trying to do a directory sync with Google Workspace Secure LDAP…

We couldn’t get Duo talking directly to Google so we used an stunnel proxy to connect. However, now that we’re connected we can’t seem to pull users from groups.

Re-reading the Duo docs (Knowledge Base | Duo Security) reminded us of this:

Synced groups must also have the attributes entrydn (used as the distinguished name) and entryuuid (the group unique identifier).

So after some back and forth with Google they confirmed that their LDAP schema doesn’t have entrydn. After that was confirmed we gave up.

Our solution now is to use Duo’s APIs and have a script sync the users from Google.

BabbittJE · ‎03-03-2021

OK, so what does Google use for the distinguished name if not entrydn?

KevinSiddique · ‎03-08-2021

It looks like they use cn. Secure LDAP schema - Google Workspace Admin Help

BabbittJE · ‎03-08-2021

I’d think uid fits the bill better. With that in mind, wouldn’t Duo then work for Google Workspace Secure LDAP if uid was used?

DuoKristina · ‎03-16-2021

Today you can’t select which LDAP attributes are used by the Duo AD/OpenLDAP sync ldapsearch requests to locate users and groups. You can only customize the source attributes for imported user information. There is a feature request for updating those search filters, or to make them customizable. Please contact your Duo account or customer success manager, or Duo support, to be associated with the feature request.

Duo, not DUO.

Eugene_Vinar · ‎12-01-2021

Curious to see if this has been addressed.
If not, is it in the pipeline?
If it is in the pipeline, when is it expected?
If it is not in the pipeline, how do we get it into the pipeline?

Alan B · ‎01-05-2024

This thread has no updates in 2 years. Is there any new developments on this? Has anyone written some code to accomplish the Google-to-Duo sync?