Duo OpenLDAP Directory Sync and Google Workspace (GSuite) LDAP

This is just a heads up to anyone out there trying to do a directory sync with Google Workspace Secure LDAP…

Related post: Google LDAP tips?

We couldn’t get Duo talking directly to Google so we used an stunnel proxy to connect. However, now that we’re connected we can’t seem to pull users from groups.

Re-reading the Duo docs (Knowledge Base | Duo Security) reminded us of this:

Synced groups must also have the attributes entrydn (used as the distinguished name) and entryuuid (the group unique identifier).

So after some back and forth with Google they confirmed that their LDAP schema doesn’t have entrydn. After that was confirmed we gave up.

Our solution now is to use Duo’s APIs and have a script sync the users from Google.
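Editor's note: the API-based workaround described in the post above, sketched as an added example (this is not the poster's script or Duo's code). It assumes constructed inputs: the Google Secure LDAP group entries and the existing Duo user list are embedded inline rather than fetched (a real run would pull the groups with an LDAP client through the stunnel endpoint and the users from GET /admin/v1/users); the ikey, skey, user_ids and API hostname are placeholders. `missing_required_attrs` is the pre-check for the entrydn/entryuuid requirement quoted above; `duo_sign` implements Duo's documented Admin API HMAC-SHA1 request signing.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Attributes Duo's OpenLDAP-style directory sync requires on every synced group (Duo docs, quoted above).
DUO_REQUIRED_GROUP_ATTRS = ("entrydn", "entryuuid")

# Constructed sample of an LDAP search result from Google Secure LDAP: group entries with cn and member,
# but no entrydn/entryuuid. In a real run an LDAP client over the stunnel endpoint would return these.
SAMPLE_GOOGLE_GROUPS = [
    {"cn": "duo-users",
     "member": ["uid=alice,ou=Users,dc=example,dc=com",
                "uid=bob,ou=Users,dc=example,dc=com",
                "uid=dave,ou=Users,dc=example,dc=com"]},
    {"cn": "duo-admins",
     "member": ["uid=alice,ou=Users,dc=example,dc=com"]},
]

# Constructed sample of GET /admin/v1/users output, trimmed to the fields used here (user_ids are made up).
SAMPLE_DUO_USERS = [
    {"user_id": "DUALICE000000000000A", "username": "alice", "status": "active"},
    {"user_id": "DUBOB00000000000000B", "username": "bob", "status": "disabled"},
    {"user_id": "DUCAROL000000000000C", "username": "carol", "status": "active"},
]


def missing_required_attrs(group: Dict[str, object]) -> List[str]:
    """Attributes Duo's group sync needs that this entry lacks; an empty list means the sync could work."""
    return [attr for attr in DUO_REQUIRED_GROUP_ATTRS if attr not in group]


def rdn_value(dn: str) -> str:
    """Leftmost RDN value of a DN: 'uid=alice,ou=Users,dc=example,dc=com' -> 'alice'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def plan_sync(groups: List[Dict[str, object]], duo_users: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Diff the union of group members against Duo's users: who to create, re-enable, or disable."""
    wanted = {rdn_value(m) for g in groups for m in g.get("member", [])}
    existing = {u["username"]: u["status"] for u in duo_users}
    return {
        "create": sorted(wanted - existing.keys()),
        "enable": sorted(u for u in wanted if existing.get(u) == "disabled"),
        "disable": sorted(u for u, s in existing.items() if u not in wanted and s != "disabled"),
    }


def build_requests(duo_users: List[Dict[str, str]], plan: Dict[str, List[str]]) -> List[Tuple]:
    """Map the plan to Admin API calls as (method, path, params). Modify calls are keyed by user_id."""
    ids = {u["username"]: u["user_id"] for u in duo_users}
    calls = [("POST", "/admin/v1/users", {"username": u}) for u in plan["create"]]
    calls += [("POST", f"/admin/v1/users/{ids[u]}", {"status": "active"}) for u in plan["enable"]]
    calls += [("POST", f"/admin/v1/users/{ids[u]}", {"status": "disabled"}) for u in plan["disable"]]
    return calls


def duo_canonical_request(date: str, method: str, host: str, path: str, params: Dict[str, str]) -> str:
    """String Duo signs: date, uppercased method, lowercased host, path, sorted RFC 3986-encoded params."""
    encoded = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(params[k], safe='~')}"
        for k in sorted(params)
    )
    return "\n".join([date, method.upper(), host.lower(), path, encoded])


def duo_sign(ikey: str, skey: str, method: str, host: str, path: str,
             params: Dict[str, str], date: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Duo Admin API HMAC-SHA1 signing; returns the request headers and the canonical string signed."""
    date = date or email.utils.formatdate()
    canon = duo_canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    headers = {"Date": date, "Authorization": f"Basic {auth}"}
    if method.upper() in ("POST", "PUT"):
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return headers, canon


if __name__ == "__main__":
    for g in SAMPLE_GOOGLE_GROUPS:
        print(f"{g['cn']}: attributes missing for Duo directory sync -> {missing_required_attrs(g)}")
    plan = plan_sync(SAMPLE_GOOGLE_GROUPS, SAMPLE_DUO_USERS)
    print("sync plan:", plan)
    # Placeholder credentials and API host; a real script would read these from a secrets store.
    for method, path, params in build_requests(SAMPLE_DUO_USERS, plan):
        headers, _ = duo_sign("DIXXXXXXXXXXXXXXXXXX", "placeholder-skey", method,
                              "api-xxxxxxxx.duosecurity.com", path, params)
        print(method, path, params, headers["Authorization"][:30] + "...")
```

The plan step is deliberately separate from the HTTP step so the diff can be reviewed (or dry-run) before anything is disabled in Duo; with the constructed data it yields create dave, re-enable bob, disable carol. Note that `plan_sync` derives the Duo username from the member DN's leftmost RDN, which matches the uid-based DNs in the sample but should be checked against the actual DN layout of your Google tenant.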

OK, so what does Google use for the distinguished name if not entrydn?

It looks like they use cn (see Secure LDAP schema - Google Workspace Admin Help).

I’d think uid fits the bill better. With that in mind, wouldn’t Duo then work for Google Workspace Secure LDAP if uid was used?

Today you can’t select which LDAP attributes are used by the Duo AD/OpenLDAP sync ldapsearch requests to locate users and groups. You can only customize the source attributes for imported user information. There is a feature request for updating those search filters, or to make them customizable. Please contact your Duo account or customer success manager, or Duo support, to be associated with the feature request.