Connections and security – Google Apps Directory Sync Administration Guide User Manual
Page 143

Release 4.0.2 Troubleshooting
A group rule or exclusion rule doesn’t seem to be doing anything.
Check the scope of the rule. You may need to set the scope to SUBTREE.
A group rule generates errors.
Check the Group Search Attribute in LDAP Configuration. This is the field that contains the email address
of a group. In most cases, this will be
.
How can I exclude a specific LDAP organization?
You cannot create an LDAP rule to exclude users in a specific LDAP organization. Instead, limit the
authority of the LDAP Administrator you use, removing access to any OUs you do not want to synchronize.
Connections and Security
What specific ports and URLs need to be accessible for Directory Sync to function?
Please note that this information can change over time. For the latest information, check for updates.
Directory Sync currently accesses the following URLs:
For information on how to create an up-to-date list of Google IP addresses, see the help center article,
.
If GADS is unable to connect to the revocation list providers, you may see the following error in your GADS log file:
PKIX path validation failed: java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found
Purpose                                  URL                                         Port Number
---------------------------------------  ------------------------------------------  -----------
Authentication                           https://www.google.com                      443
                                         https://www.googleapis.com
API access                               https://apps-apis.google.com                443
                                         https://www.googleapis.com
Certificate Revocation List Processing   http://crl.geotrust.com/crls/gtglobal.crl   80
                                         http://pki.google.com/GIAG2.crl
                                         http://g.symcb.com/crls/gtglobal.crl
Online Certificate Status Protocol       http://g.symcd.com                          80
                                         http://clients1.google.com/ocsp
Certificate Authority                    http://crl.verisign.net                     80
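
The following script is an added example, not part of the guide or of GADS itself. It turns the URL table above into a de-duplicated list of host and port egress rules, tests each with a TCP connect from the sync server, and recognises the revocation error quoted above in a log. The function names are hypothetical, and it assumes the server connects directly rather than through a proxy.

```python
import socket
from urllib.parse import urlsplit

# Endpoints copied from the table on this page (Release 4.0.2); the list can change.
ENDPOINTS = {
    "Authentication": ["https://www.google.com", "https://www.googleapis.com"],
    "API access": ["https://apps-apis.google.com", "https://www.googleapis.com"],
    "Certificate Revocation List Processing": [
        "http://crl.geotrust.com/crls/gtglobal.crl",
        "http://pki.google.com/GIAG2.crl",
        "http://g.symcb.com/crls/gtglobal.crl",
    ],
    "Online Certificate Status Protocol": ["http://g.symcd.com", "http://clients1.google.com/ocsp"],
    "Certificate Authority": ["http://crl.verisign.net"],
}
CRL_ERROR = "revocation status check failed: no CRL found"

def egress_rules(endpoints=ENDPOINTS):
    """Return {(host, port): [purposes]} so each firewall rule appears once."""
    rules = {}
    for purpose, urls in endpoints.items():
        for url in urls:
            parts = urlsplit(url)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            purposes = rules.setdefault((parts.hostname, port), [])
            if purpose not in purposes:
                purposes.append(purpose)
    return rules

def log_shows_crl_failure(lines):
    """True if any log line carries the revocation error quoted on this page."""
    return any(CRL_ERROR in line for line in lines)

def blocked(rules, timeout=5.0, connect=socket.create_connection):
    """TCP-connect to every rule; return the (host, port) pairs that fail."""
    failed = []
    for host, port in sorted(rules):
        try:
            connect((host, port), timeout).close()
        except OSError:  # covers refused, timed out and DNS failure
            failed.append((host, port))
    return failed

if __name__ == "__main__":
    rules = egress_rules()
    for host, port in blocked(rules):
        print(f"BLOCKED {host}:{port}  ({', '.join(rules[(host, port)])})")
```

A blocked port 80 entry for a CRL or OCSP host is the condition that produces the "no CRL found" error, even when the port 443 endpoints are reachable.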