Log into your G Suite admin console and from the “Home” page navigate to “Apps” then “LDAP”

In the LDAP apps page, click on “ADD CLIENT” button

Enter the “LDAP client name” and a “Description” and click on “CONTINUE”

Under Access Permissions, you will have 3 settings: 

Here you can specify to give the LDAP client access to the entire domain or to certain Organization Groups which you can set up in your G Suite account. In this example, we chose to go with the Entire domain option but you can choose the option that applies to your use case.

In the “Read group information” section, change the option to On and click “ADD LDAP CLIENT” button to create the client. 

 Note: Some LDAP clients such as SSSD perform a group lookup to obtain information about a user's group membership during authentication. To ensure authentication works for such LDAP clients, you'll need to turn on “Read group information”.

Wait for a few moments until LDAP client is added. Once done, you will be presented with a Google SSL certificate which you will need in order to connect to the LDAP services. 

Click on “Download certificate” and then “CONTINUE TO CLIENT DETAILS”

In the LDAP clients page click on Service status to be taken to the Status page

Note: The LDAP client details  page is where you can edit the client, modify the Access permissions,  re-download the SSL certificate and create Access credentials if needed.

In the Status page, select “ON for everyone” and click on “SAVE”

After clicking SAVE, the status will change to ON for everyone 

The GSuite Admin Console configuration is now complete. 

Although SSSD works with Ubuntu 18.04 and 16.04, itopia Virtual Workstation deployments only support Ubuntu 16.04. 

This process will require you to have an existing Virtual Workstation deployment where you can configure SSSD for LDAP authentication. Please follow this guide to create a deployment in the itopia portal.

SSH into the virtual workstation from the itopia portal (Cloud Manager > Instances > CONNECT

Once you’re connected to the instance the first thing you’ll need to do is update the packages. That is done with the following command:

After that’s done, run the following command to install the SSSD package:

After the packages are done installing, you will need to create a new file in /etc/sssd/ called sssd.conf. You can do that with the following command:

Your sssd.conf file should include the following:

Note: Please make sure to replace itopia.com, and dc=itopia,dc=com with your own domain information. The location of the tls cert and key can also change as well as the names.

When you created the LDAP client in the G Suite admin portal, an SSL certificate and key were generated for you. This certificate is used to authenticate the LDAP client and the service trying to connect to it. You will need to make the crt and key files available on the server. By default, Google linux instances disable password authentication so trying to use a client like winscp to upload the file will fail when trying to authenticate. 

Once the certificates have been saved on the server and placed any location you deem fit, modify the sssd.conf file to update the location and cert and key names for ldap_tls_cert and ldap_tls_key.

Now that both the cert and key are in place and the sssd.conf file is ready, you will need to modify the permissions of the sssd.conf file in order to let the service run. Run the following commands to modify the permissions:

Restart the SSSD service:

If everything is set correctly you shouldn’t see any messages and the service should start running. To verify that SSSD is running and connecting to the LDAP server you can run the following command with any of the users in your G Suite account:

The output should look something like this:

Restart the server after all of the above has been completed.

If you experience errors, can’t connect or view users, modify the sssd.conf file to include a debug_level for the services. See example below:

Once you have modified the debug_level on the sssd.conf file, you can check the following logs for errors:

/var/log/sssd/sssd.log

/var/log/sssd/sssd_domain.com.log (replace domain.com with your domain)

/var/log/sssd/sssd_pam.log

/var/log/sssd/sssd_nss.log

You can also check the G Suite portal for LDAP logs. In the G Suite admin portal from the Home screen go to Reporting > Audit

In the reports page click on LDAP under Audit

From this page, you can see if there are any failed or successful attempts to connect to the LDAP client. You can also see who’s logged in to the desktops through this LDAP Client.