Synchronize Users from Google Workspace
MyQ integrates with Google Workspace using the Secure LDAP service, which provides read-only access to your Google directory. This integration allows MyQ to query users and groups stored in Google Workspace for authentication and synchronization purposes.
Process Overview
In the Google Admin console, enable Secure LDAP, define MyQ as an LDAP client, and configure its access permissions and credentials. For details, continue on this page.
In MyQ, add Google Workspace as an LDAP authentication server.
In MyQ, add your LDAP authentication server as a synchronization source, specify the Base DN for your users and groups, and synchronize users.
Finally, enable a scheduled task to periodically synchronize from your directory, keeping your users and groups up to date in MyQ.
Prerequisites
Before you begin, ensure that:
You have Super Admin privileges in Google Workspace.
Your Google Workspace subscription supports LDAP.
MyQ Server can establish outbound LDAPS (TCP 636) connections to Google.
You know which users or groups MyQ should be allowed to access.
Create and Configure the MyQ LDAP Client
To connect MyQ to Google Workspace LDAP, you need a client certificate, private key, and LDAP credentials. The client certificate and private key are necessary for TLS authentication, and the LDAP credentials are required for directory binding. Each LDAP client requires its own credentials.
Log in to the Google Admin console.
Go to Apps > LDAP and click Add Client.
Give the client a name (required) and description (optional).
From the LDAP client page, click Access Permissions and set the following access permissions for the client:
Verify user credentials
Enables user authentication via MyQ. Set this option for all users or for specified organizational units.
Read user information
Enables MyQ to read user information. Set this option for all users or for specified organizational units. Then enable access to the following attributes:
System Attributes
Public Custom Attributes
Private Custom Attributes
Read group information
Allows MyQ to view directory group information. Set this option to On.
Click Add LDAP Client, and wait while your LDAP client is onboarded and a certificate is generated. This can take a few minutes.
Download the generated certificate. The certificate downloads as a ZIP package that contains the files below. You later upload these files to MyQ.
the client certificate (.crt or .pem)
the private key (.key)
Click Continue to Client Details. The LDAP client details page opens.
Click Access Credentials, and then select Generate New Credentials. Securely store the generated username and password. Later you will enter these credentials in MyQ.
Return to the LDAP client details page and change the Service Status to ON for everyone, and click Save.
Google Workspace is now configured with MyQ as an LDAP client.
Certificate format
MyQ requires the client certificate in PEM format (Base64-encoded, with BEGIN CERTIFICATE headers). If the downloaded certificate is in binary (DER) format, convert it to PEM before you upload it, for example using OpenSSL.
Important
Generate a separate certificate for each MyQ Server instance.
The password is displayed only once and cannot be downloaded again.
Certificates expire and must be renewed before expiry.
Do not protect the private key with a password.
Changes to LDAP client access permissions can take up to 24 hours to take effect.
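The checks implied by the Certificate format and Important notes above, as an added shell example (not MyQ or Google code): it converts a DER certificate to PEM with OpenSSL and verifies that the certificate is not close to expiry and that the private key is unencrypted and belongs to the certificate. The function names, the .myq.pem output suffix and the 30-day renewal window are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for the Google Secure LDAP client files.
# Function names and the 30-day renewal window are assumptions, not MyQ settings.

# Succeeds if the file already carries PEM certificate headers.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Write a PEM copy of the certificate to $2, converting from DER if needed.
to_pem_cert() {
  if is_pem_cert "$1"; then
    cp -- "$1" "$2"
  else
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
  fi
}

# Succeeds if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if the private key is stored without a passphrase.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the key and the PEM certificate hold the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run all checks; writes <cert>.myq.pem and prints one line per failed check.
check_myq_ldap_client() {
  local cert="$1" key="$2" pem="$1.myq.pem" rc=0
  to_pem_cert "$cert" "$pem" || { echo "cannot read certificate: $cert"; return 1; }
  valid_for_days "$pem" 30 || { echo "certificate expires within 30 days"; rc=1; }
  if key_is_unencrypted "$key"; then
    key_matches_cert "$pem" "$key" || { echo "key does not match certificate"; rc=1; }
  else
    echo "private key is password-protected"; rc=1
  fi
  return "$rc"
}

# Usage: ./check.sh client.crt client.key
if [ "$#" -eq 2 ]; then check_myq_ldap_client "$1" "$2"; fi
```

Run it against the two files extracted from the downloaded ZIP package; a zero exit status means the generated .myq.pem file and the key are ready to upload.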