Connections and security – Google Apps Directory Sync Administration Guide User Manual

Release 4.0.2 Troubleshooting

A group rule or exclusion rule doesn’t seem to be doing anything.

Check the scope of the rule. You may need to set the scope to SUBTREE.

A group rule generates errors.

Check the Group Search Attribute in LDAP Configuration. This is the field that contains the email address
of a group. In most cases, this will be mail.

How can I exclude a specific LDAP organization?

You cannot create an LDAP rule to exclude users in a specific LDAP organization. Instead, limit the
authority of the LDAP Administrator you use, removing access to any OUs you do not want to synchronize.

Connections and Security

What specific ports and URLs need to be accessible for Directory Sync to function?

Please note that this information can change over time. For the latest information, check for updates.

Directory Sync currently accesses the following URLs:

| Purpose | URL | Port Number |
|---|---|---|
| Authentication | https://www.google.com, https://www.googleapis.com | 443 |
| API access | https://apps-apis.google.com, https://www.googleapis.com | 443 |
| Certificate Revocation List Processing | http://crl.geotrust.com/crls/gtglobal.crl, http://pki.google.com/GIAG2.crl, http://g.symcb.com/crls/gtglobal.crl | 80 |
| Online Certificate Status Protocol | http://g.symcd.com, http://clients1.google.com/ocsp | 80 |
| Certificate Authority | http://crl.verisign.net | 80 |

For information on how to create an up-to-date list of Google IP addresses, see the help center article,
Google IP address ranges.

If GADS is unable to connect to the revocation list providers, you may see the following error in your GADS
log file:

PKIX path validation failed: java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found
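The following is an added example, not part of the GADS guide or of Google's tooling: it turns the URL list above into the host and port pairs a firewall must allow and, when a log contains the revocation error quoted above, reports which revocation hosts fail a TCP connection test. The function names, and the choice to treat all three port-80 rows as revocation-related, are assumptions made for this example.

```python
import socket
from urllib.parse import urlsplit

# Endpoints copied from the URL list on this page, keyed by purpose.
ENDPOINTS = {
    "Authentication": ["https://www.google.com", "https://www.googleapis.com"],
    "API access": ["https://apps-apis.google.com", "https://www.googleapis.com"],
    "CRL": ["http://crl.geotrust.com/crls/gtglobal.crl",
            "http://pki.google.com/GIAG2.crl",
            "http://g.symcb.com/crls/gtglobal.crl"],
    "OCSP": ["http://g.symcd.com", "http://clients1.google.com/ocsp"],
    "Certificate Authority": ["http://crl.verisign.net"],
}
# Assumption: every port-80 row is probed when the revocation error appears.
REVOCATION_ROWS = {"CRL", "OCSP", "Certificate Authority"}
REVOCATION_ERROR = "revocation status check failed: no CRL found"


def egress_targets(purposes=None):
    """Return sorted, de-duplicated (host, port) pairs the firewall must allow."""
    targets = set()
    for purpose, urls in ENDPOINTS.items():
        if purposes and purpose not in purposes:
            continue
        for url in urls:
            parts = urlsplit(url)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            targets.add((parts.hostname, port))
    return sorted(targets)


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds (no HTTP request is sent)."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def diagnose(log_text, probe=tcp_reachable):
    """If the log shows the revocation error, list revocation hosts failing the probe."""
    # Collapse whitespace so a message wrapped across lines still matches.
    if REVOCATION_ERROR not in " ".join(log_text.split()):
        return []
    return [(h, p) for h, p in egress_targets(REVOCATION_ROWS) if not probe(h, p)]


if __name__ == "__main__":
    for host, port in egress_targets():
        print(f"{host}:{port}", "ok" if tcp_reachable(host, port) else "BLOCKED")
```

A successful TCP connection only shows the port is open through the firewall; an intercepting proxy can still block or alter the CRL and OCSP responses themselves.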