What's new in Google Cloud Directory Sync
These release notes describe additions and improvements to the most recent versions of Google Cloud Directory Sync (GCDS). Download the latest version of GCDS from the download page.
GCDS used to be known as Google Apps Directory Sync (GADS).
Important update
With Google Cloud Directory Sync 4.4.0, the product name and installation directory have been updated. If you have created tasks or cron jobs that run the tool on a schedule, you need to update these to point to the new installation directory.
Release 4.4.22
December 1, 2016
What's Fixed
Fixed an issue where GCDS would constantly rename the primary address on an account when it encountered a conflict. The conflict occurred between an alias on an existing Google account and a new user in Active Directory that was created using the email address already assigned as an alias to a Google user.
Note: If you are impacted by this issue we recommend you first correct the conflicting email alias by removing it from the Google account. Delete the existing nonAddressPrimaryKeyFile.tsv file from the GCDS user’s home folder (%userprofile% on Windows and ~/ on Linux). Install the latest GCDS update. The nonAddressPrimaryKeyFile.tsv will be regenerated on the next user sync.
Fixed an issue where a value was not removed from Google Custom Schema when the value was cleared from Active Directory.
Release 4.4.21
October 26, 2016
What's Fixed
Fixed an issue where GCDS required a value be set for username and password for the SMTP configuration.
Fixed an issue where Custom User Fields were not being updated due to an issue with the GCDS cache and compare operation.
Note: We recommend that you first flush the cache, if you are syncing Custom User Fields. To flush the cache, use command option -f or select the UI option.
Release 4.4.19
October 18, 2016
What's New
Google Apps Directory Sync now Google Cloud Directory Sync
Google Apps Directory Sync has a new name, Google Cloud Directory Sync (GCDS). We have renamed the product because it's more than a Google Apps-specific tool. If you use G Suite or other features that use managed Google domains, you can use Google Cloud Directory Sync to provision users and groups, as well as other information like profile data for users.
Only supported features now show on interface
The Google Cloud Directory Sync interface now shows only the sync features supported by your domain type. For example, a managed Google domain used only for Android doesn't support Shared Contacts, so this sync feature isn't displayed.
Java update
Google Cloud Directory Sync now uses the latest Java JRE 1.8, which by default uses TLS v1.2 for HTTPS connections.
EULA update
Google Cloud Directory Sync EULA now includes customers who may use a domain covered by the Managed Google Domain Terms.
Fixed issue where Google Cloud Directory Sync would display a “Connection failed - null” message if there was a connection error when testing SMTP notifications. The tool now displays a proper error message.
Fixed issue where random passwords for accounts were being synchronized on the first sync as well as subsequent syncs. Passwords are now set on the first sync only.
Fixed issue introduced in version 4.3.2 where users weren't being provisioned with the defined default password.
Updated the UI to allow the reauthorization of GCDS using a different user account even if GCDS has a valid auth token.
Fixed issue where a user-created group that is later configured to be synchronized by GCDS wasn't removing user members after being managed by GCDS.
Admins are now allowed to perform a sync in the UI even if the admin hasn't configured email notification settings.
Fixed installer to display plain text EULA vs raw HTML EULA when installing from the command line.
Fixed issue where Force new users to change password was not properly set on account creation.
Fixed issue where group memberships may not be added on initial sync with group creation.
Release 4.3.2
July 6, 2016
What's New
New custom schemas synchronization feature enables administrators to sync additional LDAP attributes to user accounts.
Custom schemas allow administrators to define LDAP user attributes that are to be synced to user accounts in the domain. The custom schema data can be used by features like Google SAML-based Federated SSO or other cloud applications that use the Directory API.
Improved trace level logging details for API errors.
Fixed an issue where group descriptions containing a new line in LDAP fails when being applied to the Google group.
Fixed an issue where user-created groups' permissions were being reset by GADS to the default group permissions settings.
Fixed an issue where the City field was not synced properly and didn't display correctly in the contacts interface.
Release 4.2.1
March 29, 2016
What's Fixed
Fixed an issue where GADS wasn't updating a user’s primary organization value when the primary organization previously existed but didn't originate from GADS.
Fixed an issue where GADS wasn't saving the custom email address attribute defined in the license sync configuration.
Release 4.2.0
February 23, 2016
What's New
API update
GADS now uses the latest version of the Admin SDK Calendar Resource API.
Replace primary domain name with secondary domain name
Added new feature to enable administrators to replace the primary Google Apps domain name with a secondary domain name for all GADS operations.
Fixed an issue where the default permission for groups created by GADS allowed anyone/public to send mail to the group. The default permission for new groups is now restricted to the members of the domain: ALL_IN_DOMAIN_CAN_POST -- Anyone in the account can post a message.
Groups are created with the following default permissions:
- Who can view: All members of the group
- Listing: Do not list this group.
- Who can view members: Only managers and owners can view the group members list.
- Who can join: Anyone in the organization can ask to join.
- Allow External Members: Disallowed.
- Who can post messages: Anyone from your domain can post.
- Allow posting from the web: Allowed.
- Who can invite new members: Managers and owners only
- Message moderation: No moderation.
- Message archival: Archive is disabled.
- Allow External Email: Disallowed.
Fixed an issue where GADS wouldn't obey exclusion rules in the same way for users as for user profiles, resulting in unnecessary log entries when an exclusion rule was designed to exclude user profiles. Exclusion rules are now applied once for both user and user profiles.
Fixed an issue where GADS synchronization could take hours for large domains.
Fixed an issue where proxy settings weren't being respected when validating a GADS configuration’s existing authorization state. The GADS Configuration Manager would always show Not Authorized. Proxy settings are now used when validating GADS's configuration and authorization.
Fixed an issue where GADS was case insensitive for given names and family names. GADS now properly detects case sensitivity changes for given name and family name values.
Fixed an issue where, in some cases, GADS failed to update any user profile data due to an error handling specific changes to the organization value. GADS now properly handles updates or deletions of organization information on user profiles.
Fixed an issue where exclusion rules weren't followed when users were moved out of the LDAP search rule scope. GADS now flushes the cached data when exclusion rules have been added or modified to ensure a fresh cache is built before determining changes.
Fixed an issue where GADS was processing group deletes in Google Apps even when the optional SKIP_GROUP_DELETES setting was configured in the GADS XML configuration. GADS no longer processes group deletes when the optional value SKIP_GROUP_DELETES is defined in the XML configuration.
Fixed an issue where, in certain cases, GADS would fail to properly handle group exclusion rules. GADS now processes group exclusion rules before processing the domain name change when Replace domain names in LDAP is enabled.
Fixed an issue where GADS would show an InvalidNameException error when attempting to normalize the Manager and Assistant Distinguished Name values if they contained commas. GADS now correctly detects commas and normalizes the Manager and Assistant Distinguished Name values correctly.
Release 4.1.0
What's New
New license synchronization feature assigns specific licenses to Google Apps user accounts.
The license synchronization feature allows you to manage license assignments for your Google Apps user accounts. For example, you might have purchased different product SKUs for your domain (such as Google Apps for Work and Google Apps Unlimited) and you can use the license synchronization feature to apply the different types of licenses to your Google Apps user accounts.
Release 4.0.5
What's New
Updated GADS Admin guide link and "Learn More" links
The GADS Admin guide content has moved to the Help Center (no longer a single PDF guide). All the help and "Learn More" links in the UI and error messages have been updated.
Improvements to user creation
Previously GADS user creation behavior would create users in the root organizational unit (OU) and then move the user account to the proper destination OU. GADS now creates user accounts in the proper destination OU at creation time.
Fixed an issue where GADS incorrectly retried group changes again and again. In rare cases, GADS incorrectly performed a comparison of Google Apps data and LDAP data before all data was loaded, causing redundant changes to be suggested. This caused redundant requests to Google, trying to make changes that were already made before (for example, adding members to a group although they were already members). GADS now correctly handles these cases, and the comparison only starts after all data has been loaded.
Fixed an issue where GADS skipped processing all groups whenever an exception occurred while processing any single group. When GADS failed to sync any single group, it would stop the entire group sync process. GADS now properly continues to sync the next group in the list when a single group fails due to an exception.
Release 4.0.3
What's Fixed
Previously, GADS would load aliases separately to loading the users. Now GADS loads aliases as part of loading the users, greatly reducing the time required.
Fixed an issue where, in some cases, if a profile's manager was found in a different search rule to the profile itself, the migration would fail.
Fixed a mixed-case email address issue. Google Apps doesn't support mixed-case email addresses for users, but in some cases there are users that have uppercase letters in their email addresses. GADS now ignores the letter case in email addresses.
GADS will retry requests that failed due to API quota issues.
Release 4.0.2
What's Fixed
Improved error handling - GADS performs retries on more exceptions (500s and timeout exceptions).
Improved performance - GADS has improved its performance by fetching 500 entries per list call.
Google Apps org unit exclusion rules with exact matching now work; the slash prefix is no longer required in the Organizational unit complete path.
In the previous release, suspended group members were added in every sync and then GADS showed errors. Now the members are added to the group on every sync, but no error is shown when the member already exists.
Logging improvements - GADS now logs exception from the Configuration Manager before a sync is started. This allows easier troubleshooting of issues related to authorization.
Line wrapping and word wrapping is now working in Google Apps exclusion rules textbox.
Release 4.0.1
What's New
GADS now uses the Directory API instead of the deprecated Provisioning and Profiles Data APIs.
GADS now requires using OAuth for authorization. Using the admin credentials (also known as ClientLogin) is no longer supported, as it's been deprecated. Customers using client login must now authorize using OAuth. For more information see Prepare your Google Apps domain for synchronization.
Customers already using OAuth will also need to authorize again with existing (or new) credentials. This is because this version of GADS uses different APIs, and thus the scopes for which tokens are generated have also changed.
GADS now allows the exclusion of users based on Google Orgs without enabling org sync.
GADS now allows several profile and shared contact fields (Department, Job title, and Office Location) to be comprised of multiple concatenated LDAP fields.
GADS now shows shared contacts IDs and names during simulation, to make it easier to tell which contact is being deleted.
GADS now supports sending email notifications using SMTP over TLS. This means that smtp.gmail.com can now be used to send email notifications.
The 'Website' and 'Notes' fields are no longer supported in user profiles because they are not available using the Directory API.
Fixed an issue in which the shared contact manager attribute was not syncing. Syncing now works when the manager is a shared contact, however it will not work when the manager is a user.
Where a lot of user aliases need to be created, GADS uses exponential backoff when adding aliases to avoid failures due to API limits.
Fixed an issue where GADS failed to properly update user profile organization info created using third-party apps. With the fix, any type of organization other than 'work' created by another app will be deleted during the GADS sync, and the organization information present in the local LDAP directory will be synced. If the organization created by the other app is primary and of type 'work', then GADS will do an update of existing data (to match the data in the local LDAP directory).
Fixed an issue where trailing spaces in group display name caused the name to be updated on every sync.
Fixed issue where GADS failed to create org units containing spaces.
GADS is case-insensitive when checking for hash prefixes ({MD5}, {SHA1}, etc.).
Fixed an issue where the manager profile field returned different results based on profile search rule order.
GADS now saves calResMapping.csv in user's homedir/profile folder.
Fixed issue where GADS unexpectedly removed members from groups while syncing.
Release 3.2.1
What's New
"Group Name" Exclude Type option in Exclusion Rule Settings. Configures GADS to not sync any group that has a name that matches the rule.
"useDynamicMaxCacheLifetime" configuration file option. Configures GADS to cache Google Apps data for a maximum of eight days and resynchronize with Google Apps. If the size of the cached data is too small to impact synchronization speed, GADS clears the cache and resynchronizes with Google Apps even more frequently to decrease the risk of errors resulting from a stale cache. This option is enabled by default in GADS version 3.2.1 and higher.
Command line interface for OAuth part of config manager. A simple command line interface to enter OAuth, ClientLogin, and LDAP credentials, enabling admins to keep using GADS without GUI.
"Export Calendar Resource Mapping" option in Calendar Resource Attributes. Ability to generate a CSV file listing LDAP calendar resources and their Google Apps equivalents. Use the CSV file with Google Apps Migration for Microsoft Exchange to migrate the contents of your Microsoft Exchange calendar resources to the appropriate Google Apps calendar resources.
"Resource Type" option in Calendar Resource Attributes. Ability to synchronize custom resource types (like "Room", "Camera", "Bike", etc.) from your LDAP directory to Google Apps.
"Test LDAP Query" button on Add Search Rule screens. Ability to test LDAP queries in UI while specifying search rules.
Config file comments retained. You can now add comments to config files to clarify the XML as needed.
Configuration Manager Default Values for OpenLDAP. The Configuration Manager now contains default values for OpenLDAP server types.
More detailed messages and instructions for several issues, such as system time set incorrectly, API access disabled, memory issues, password hash mismatch, configuration file access, and sync limits.
Fixed an issue in which a space character at the end of a group's CN would cause a NameNotFoundException and stop the sync.
Fixed an issue in which some users' profiles couldn't be updated due to the wrong API URL being used.
The unique ID attribute was previously handled as a string and would not differentiate between users in some cases. It's now always treated as binary data.
Fixed an issue in which the wrong error message was shown or no error would be shown at all when syncing a group or an alias with the same email address as an existing Google Apps user. Now the correct error message is shown.
GADS now ignores Active Directory conflict (CNF:) and deleted (DEL:) objects.
Fixed an issue in which XML files created on a different system or by a different user couldn't be opened until the defaultPasswordEncrypted setting was manually cleared. Such files can now be opened and the user will be prompted to enter the password again if needed.
Fixed an issue in which GADS would always report that an object was inaccessible if there was an issue connecting to the LDAP server. Now, GADS reports the correct cause of the issue.
Fixed an issue where GADS would not correctly save XML configuration files with certain characters.
Release 3.1.6
What's New
Support for structured names for Shared Contacts. You can use a combination of LDAP attributes to specify the full name of a shared contact. For example:
[prefix] - [givenName] [sn] [suffix]
Security enhancements. GADS configuration files are now tied to the system they were created on, for enhanced security. If you copy a configuration XML file to another system, you need to re-enter sensitive data, such as passwords and authorizations.
Performance improvements.
Miscellaneous bug fixes.
Improved error messages when a search rule references an LDAP entity that doesn't exist.
Support for LDAP servers that split group member results across multiple entities.
The Configuration Manager now supports displays with lower resolutions.
If a dynamic group search filter causes an error, the rest of the items sync correctly and the erroneous item is reported in the summary, instead of failing the entire sync.
Commas in Canonical Names of dynamic groups' members no longer cause the sync to fail.
GADS now correctly syncs group members who are suspended in Google Apps.
Release 3.1.3
What's New
Email address rename detection. GADS can detect email address renames on your LDAP server and sync those renames to Google Apps. To use this feature, you need to specify a Unique Identifier Attribute under User Accounts > User Attributes in Configuration Manager. This attribute must have a unique value for each of your users, and the value must not change. The objectGUID attribute is a valid example for Active Directory systems.
GADS version check. GADS checks your current configuration to see whether a previous version of GADS was used to create it. If so, you must verify and save the configuration before using it.
Dynamic groups support. GADS supports dynamic (query-based) groups, where group membership is specified as a query. See Group Search Rules for more information.
64-bit support. A 64-bit version of GADS is now available. Users with compatible systems can use the 64-bit version to improve performance during large syncs.
OAuth 2.0. GADS now uses OAuth 2.0. Existing users of OAuth need to re-authenticate GADS to take advantage of OAuth 2.0.
Syncing groups no longer requires user search rules for newer configurations.
Active Directory users can now quickly configure GADS by generating default values for most attributes and search rules with a single click.
Miscellaneous bug fixes.
Release 3.0.6
What's New
New look. GADS 3.0.6 has a cleaner, more intuitive user interface.
Configurable password length. Passwords generated by GADS now have a configurable length.
Miscellaneous bug fixes.
Release 2.1.6
What's New
Miscellaneous bug fixes.
Release 2.1.5
What's New
Added the ability to synchronize only passwords that have changed since the previous sync.
Added the option to prevent a sync from suspending/deleting admin accounts not found in the LDAP server.
Improved performance of the sync simulation UI.
Added support for Base64-encoded passwords.
Logs are now encoded in UTF-8 by default to support non-ISO characters.
The logging level menu now displays options in decreasing order of verbosity.
Added logging for suspended accounts that are not deleted because of the current configuration.
Miscellaneous bug fixes.
Release 2.1.3
What's New
Google Apps Directory Sync 2.1.3 includes updates to improve stability and performance, but no new features. Following is a brief description of the issue resolved in this release.
"Invalid request URI" when updating an orgunit
Issue: When attempting to update an orgunit, Directory Sync sometimes failed with the error "Invalid request URI."
Resolution: Updating orgunits now runs correctly.
Release 2.1.1
What's Fixed
Google Apps Directory Sync 2.1.1 includes multiple new features and fixed issues.
Following is a list of issues resolved in this release. Each issue includes the release number, a tracking number, and a brief description.
Performance Improvements
Release 2.1.1 includes substantial performance improvements, including parallel threads and faster retrieval of data. With the new release of Google Apps Directory Sync, you will experience faster performance of synchronizations.
Domain Replacement for User Profiles
In Release 2.1.1, the "Replace domain names in LDAP email addresses (of users and groups) with this domain name" setting will also affect User Profiles. To configure this setting, go to Google Apps Settings in Configuration Manager.
Multiple LDAP attributes support for Given Name and Family Name
In Release 2.1.1, you can specify multiple attributes for a given name or family name in LDAP Extended Attributes. Mark each LDAP attribute with square brackets. Set your LDAP Extended Attributes in Configuration Manager.
Suspend User Limit Provision
Google Apps Directory Sync includes the ability to limit the number of users that are deleted during synchronization. In Release 2.1.1, you can also set a similar limit for the number of users that are suspended during synchronization. Set this limit in the Sync Limits page of Configuration Manager.
Flush Cache During Simulated Synchronization
During simulated synchronization in Configuration Manager, you can clear out all remote cached data so that fresh data is pulled from Google Apps during the next simulation.
Fixed Issues
Release Notes now in new location
Instead of linking to a PDF file, Google Apps Directory Sync release notes are now published in the Help Center.
Misleading error message for Non-Unique Resource ID
Issue: When a Calendar Resource attribute is not unique, the error message does not give a clear description of the reason for failure.
Resolution: The error message for a non-unique Resource ID now shows that more than one resource with the same name was found.
Invalid characters not handled properly for user and group addresses
Issue: Invalid characters are not detected properly during synchronization.
Resolution: Invalid characters are now removed during synchronization.
Misleading message for extra Google Profiles
Issue: The message for extra Google user profiles says that accounts "might have to be deleted" which may be misleading.
Resolution: The warning message now notes that GADS will not sync these additional profiles.
Org-level exclusion rules do not apply if org email addresses have uppercase letters
Issue: Directory Sync will suspend or delete users that have uppercase letters in their email addresses, even if those users are excluded by an org-level exclusion rule.
Resolution: Directory Sync now uses org-level exclusion rules correctly for users with uppercase letters in their email addresses.
Group Display Name information missing from log
Issue: Group display names were not listed in the synchronization logs.
Resolution: Display names now show correctly in logs.
Release 2.0.3
What's Fixed
Google Apps Directory Sync 2.0.3 includes one major fixed issue and no new features.
Following is a list of issues resolved in this release. Each issue includes the release number, a tracking number, and a brief description.
OAuth authentication fails with error "Token Invalid".
Issue: When attempting to synchronize Google Apps Directory Sync while using OAuth for authentication, all synchronization failed with an error "Token Invalid."
Resolution: Synchronization using OAuth authentication now runs properly and does not generate any OAuth errors.