Populate Simple AD from LDAP


My main goal is to connect surveillance software with my Google Workspace users. The software only accepts Active Directory for 3rd-party integrations. I was not able to sync to the Google LDAP directory directly. However, I was able to connect the surveillance software to AWS Simple AD.

Is it possible to sync Google LDAP into Simple AD or some other AWS service that can provide Active Directory with NetBios support?

I'm not familiar with AWS services and connectors that could help; maybe Simple AD isn't the correct choice.

Edit 1: The software is HikCentral Access Control V2.2.0. When I press "fetch DN" I get the following error. I do have the certs imported on the system, and I was able to connect over SSL with third-party AD browser software with no issues.

Failed to connect to the domain server

Edit 2: I created a stunnel and now I get the following error. The username and password I know work from third-party AD browsers. That leaves the domain name format, which isn't correct for NetBIOS.

Domain name, user name, or password do not match. Please check.{Error code: SYS[1031]}

1 answer

Answered by ixe013

There might be a better way than syncing, but it's hard to tell without knowing about your surveillance software configuration.

LDAP is a protocol that allows you to query a tree where objects (users in your case) are stored. The structure in which they are stored is called a schema.

The Active Directory schema is documented, but the tl;dr is that your users are likely under OU=Users,DC=example,DC=com if your domain is example.com.

Google offers a Secure LDAP service as an interface to the account it manages. It has its own schema.

Several (not all, unfortunately) server-side software products that support LDAP allow you to configure the LDAP query they will use to:

  • Authenticate users
  • Lookup group membership to perform authorization
  • Retrieve user attributes like display name, email, phone and others

So you need to look at your product documentation and find how to configure all or some of the following:

  1. hostname (your Google Secure LDAP service)
  2. Username attribute: what attribute (in a user object) maps to what the user enters when they log in?
    • It is sAMAccountName in Active Directory
    • It is uid in Google Secure LDAP service
  3. User base DN: a point in the tree under which all your users reside
    • Similar to OU=Users,DC=example,DC=com in both Active Directory and Google Secure LDAP service
  4. User search filter: a query that should return a single user. You will have to use a placeholder for the username, say ${USERNAME}
    • Likely (sAMAccountName=${USERNAME}) in Active Directory
    • Try (uid=${USERNAME}) in Google Secure LDAP service
  5. Group base DN: a point in the tree under which all your groups reside
    • Similar to OU=Groups,DC=example,DC=com in both Active Directory and Google Secure LDAP service

Group lookups vary a little more from one product to another. You might have to provide the object class (groupOfNames), membership attribute (member) and/or a search filter ((cn=${GROUPNAME})).

That might look like a lot of work, but an LDAP sync solution will require the same information anyway, so you might as well try the live query route.

You can use a client like Apache Directory Studio to browse your Google Workspace users.
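The settings in steps 1 to 5 and the group lookup, worked through for both directories as an added example (this is not code from the answer, nor from HikCentral, Simple AD or Google's Secure LDAP service). It models the configuration the answer describes, expands the ${USERNAME} and ${GROUPNAME} placeholders, and escapes the substituted value per RFC 4515 so that a login name containing filter metacharacters cannot alter the query the product sends (LDAP filter injection). The example.com base DNs are the ones the answer uses; the AD hostname is a constructed placeholder, and the AD group object class `group` is a standard AD value the answer does not mention.

```python
"""Expand the LDAP settings from the answer into concrete searches.

Added example; models the five settings plus the group lookup for
Active Directory / Simple AD and for Google Secure LDAP, and escapes
untrusted values before they are substituted into a filter template.
"""
from __future__ import annotations

from dataclasses import dataclass
from string import Template

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (login name, DN) before it goes into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapSettings:
    """The settings the answer says a product will ask for (steps 1 to 5 plus groups)."""
    host: str                # 1. hostname
    username_attribute: str  # 2. attribute matching what the user types at login
    user_base_dn: str        # 3. user base DN
    user_filter: str         # 4. user search filter template with ${USERNAME}
    group_base_dn: str       # 5. group base DN
    group_filter: str        # group search filter template with ${GROUPNAME}
    member_attribute: str    # group membership attribute

    def user_search(self, login_name: str) -> tuple[str, str]:
        """Return (base DN, filter) that should match exactly one user."""
        filt = Template(self.user_filter).substitute(
            USERNAME=escape_filter_value(login_name))
        return self.user_base_dn, filt

    def group_search(self, group_name: str) -> tuple[str, str]:
        """Return (base DN, filter) locating a group by name."""
        filt = Template(self.group_filter).substitute(
            GROUPNAME=escape_filter_value(group_name))
        return self.group_base_dn, filt

    def groups_of_user(self, user_dn: str) -> tuple[str, str]:
        """Return (base DN, filter) listing groups whose member attribute holds user_dn."""
        return (self.group_base_dn,
                f"({self.member_attribute}={escape_filter_value(user_dn)})")


# Active Directory / Simple AD flavour: sAMAccountName, group objectClass "group".
ACTIVE_DIRECTORY = LdapSettings(
    host="ad.example.com",  # constructed placeholder hostname
    username_attribute="sAMAccountName",
    user_base_dn="OU=Users,DC=example,DC=com",
    user_filter="(sAMAccountName=${USERNAME})",
    group_base_dn="OU=Groups,DC=example,DC=com",
    group_filter="(&(objectClass=group)(cn=${GROUPNAME}))",
    member_attribute="member",
)

# Google Secure LDAP flavour: uid, groupOfNames (the values given in the answer).
GOOGLE_SECURE_LDAP = LdapSettings(
    host="ldap.google.com",  # Google's Secure LDAP endpoint
    username_attribute="uid",
    user_base_dn="OU=Users,DC=example,DC=com",
    user_filter="(uid=${USERNAME})",
    group_base_dn="OU=Groups,DC=example,DC=com",
    group_filter="(&(objectClass=groupOfNames)(cn=${GROUPNAME}))",
    member_attribute="member",
)


if __name__ == "__main__":
    for name, settings in (("AD", ACTIVE_DIRECTORY), ("Google", GOOGLE_SECURE_LDAP)):
        print(name, settings.user_search("alice"))
        print(name, settings.group_search("surveillance-operators"))
        print(name, settings.groups_of_user("CN=alice,OU=Users,DC=example,DC=com"))
    # A login name carrying filter metacharacters is neutralised by the escaping:
    print(ACTIVE_DIRECTORY.user_search("alice)(sAMAccountName=*"))
```

The (base DN, filter) pairs this produces are what you would paste into the product's user and group search fields, or feed to a client such as Apache Directory Studio to confirm they return one user and the expected groups before switching the product over.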