Skip to main content

Tutorial: Configure Google Secure LDAP with Access Server

Abstract

Learn how to configure Google Secure LDAP with Access Server.

Overview

The following are important to understand to integrate Access Server with Google LDAP.

  • Unlike most LDAP integrations, Google LDAP requires an SSL certificate rather than creating a Bind user, making the integration slightly more complex.

  • You will need to be familiar with the sacli tool for advanced configuration of Access Server.

Prerequisites

Step 1: Create an LDAP client in Google Workspace

  1. Sign in to the Google Admin console.

  2. Click Apps > LDAP. Or select Apps from the hamburger menu and choose LDAP.

  3. From the LDAP app, click Add Client.

  4. Name your client, enter an optional description, and click Continue.

  5. Configure access permissions.

    Tip

    Configuring these permissions pertains to your network setup. A few tips on that:

    • For “Verify user credentials”, choose “Entire domain” unless you are using organizational units for more granularity (e.g., marketing, sales, etc).

    • For “Read user information”, make sure to choose “Entire domain”.

    • For “Read group information”, turn this on if you will be mapping to groups using the MEMBER_OF in your LDAP query; otherwise, leave off.

  6. Once you've chosen permissions, click ADD LDAP CLIENT.

Step 2: Start Google LDAP client

Your LDAP client starts in an OFF status and needs to be turned on.

  1. From the Client Details page, change Service status to ON.

  2. Click Edit details.

  3. Choose the radio button for ON for everyone.

  4. Click SAVE.

Step 3: Add certificate and key to Access Server

Now that you’ve started your new client, you need to add the certificate and key to your Access Server:

  1. You can download the generated certificate (from the link on the confirmation page or the client’s details page). The certificate and key are in a ZIP file.

  2. We suggest renaming these files and will refer to them as gldap.crt and gldap.key.

  3. Upload your certificate to your Access Server in this directory: /etc/ssl/certs/.

  4. Upload your key to your Access Server in this directory: /etc/ssl/private/.

  5. Next, you need to ensure that Access Server has rights to read this file by executing these commands:

    chown openvpn_as:openvpn_as /etc/ssl/certs/gldap.crt
chown openvpn_as:openvpn_as /etc/ssl/private/gldap.key
chmod 644 /etc/ssl/certs/gldap.crt
chmod 640 /etc/ssl/private/gldap.key

Step 4: Configure LDAP with Access Server

Configure the Google LDAP integration with Access Server using the sacli tool.

  1. Connect to your Access Server's console with root privileges.

  2. Enter the following commands from the /usr/local/openvpn_as/scripts/ directory:

    ./sacli --key "auth.ldap.0.name" --value "Google Secure LDAP" ConfigPut
./sacli --key "auth.ldap.0.server.0.host" --value "ldap.google.com:636" ConfigPut
./sacli --key "auth.ldap.0.use_ssl" --value "always" ConfigPut
./sacli --key "auth.ldap.0.ssl_verify" --value "internal" ConfigPut
./sacli --key "auth.ldap.0.ssl_auth_cert" --value "/etc/ssl/certs/gldap.crt" ConfigPut
./sacli --key "auth.ldap.0.ssl_auth_key" --value "/etc/ssl/private/gldap.key" ConfigPut
./sacli --key "auth.ldap.0.min_ssl" --value "tls1_2" ConfigPut
./sacli --key "auth.ldap.0.sasl_external" --value "true" ConfigPut
./sacli --key "auth.ldap.0.uname_attr" --value "uid" ConfigPut
./sacli --key "auth.ldap.0.users_base_dn" --value "OU=Users, DC=example, DC=com" ConfigPut1
./sacli --key "auth.module.type" --value "ldap" ConfigPut
./sacli start

    1

    Replace DC=example, DC=com with your Google LDAP domain name.

    • If the configuration is successful, the server will return “WILL_RESTART [‘client’]” as part of the return message. This indicates the server is now configured and ready to accept LDAP-authenticated connections.

    • If you receive an ERRBACK message, please ensure you are using the latest version of Access Server and try again. Here is information on how to update your version.

Important

This configuration uses the principal username for LDAP configuration, not the user’s email address. If a user’s email address was [email protected], the user would sign in as “mike” instead of “[email protected]”. As such, ensure you configure User and Group permissions within the Admin Web UI using the principle username only (i.e.: “mike” instead of “[email protected]”).

Step 5: Review and Configure the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Note on the Status Overview that Authenticate users with now states ldap.

  3. Click User Management > User Permissions to add users. You can also create groups through your Google Workspace account and align those with Group Permissions at that access control level.

In this section: