I have been doing a lot of synchronization projects lately like SalesForce events and Google Calendar Events, Active Directory and some Payroll Application and now Google Groups and Active Directory Groups. It may sound too complicated to develop but trust me, it is not as complicated as you think.
For this article, I will be presenting a working code one way group membership synchronization that you can start with. I hope this post will show you the concepts needed to achieve our end result which is synchronizing members in Active Directory and Google Groups. Before you get started, I am assuming that you have Google Apps for your domain already setup and running for your organization, otherwise you need to have it first before proceeding.
Now let’s get started, first you need to download the Google Apps .NET Client Library which you can find here. Once downloaded, set it up then we're ready to roll.
Fire up your Visual Studio and add the following DLLs (Google.GData.Apps.dll and Google.GData.Client.dll) from the installed Google API folder, you will also need System.DirectoryServices and System.DirectoryServices.AccountManagement which can be found in the Assemblies repository.
First, we need to declare some reusable variables which are:
private string sDomain = "yourcompanydomain.com";
private string sGoogleServiceUrl = "https://apps-apis.google.com/a/feeds/group/2.0/";
private string sEmailRegEx = @"\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*";
We also need a method to Initialize Google Service, take note that I had also included methods for using proxy servers.
private GroupsService GoogleServiceAuthenticate()
{
Google.GData.Apps.Groups.GroupsService oGService = new GroupsService(sDomain,
"your_application");
oGService.setUserCredentials("username", "password");
GDataRequestFactory oRequestFactory = (
GDataRequestFactory)oGService.RequestFactory;
WebProxy oWebProxy = new WebProxy(WebRequest.DefaultWebProxy.GetProxy(
new Uri(sGoogleServiceUrl + sDomain)));
oWebProxy.Credentials = CredentialCache.DefaultCredentials;
oWebProxy.UseDefaultCredentials = true;
oRequestFactory.Proxy = oWebProxy;
return oGService;
}
Here are some Active Directory Methods that we will use, these are all derived from my AD Methods Library which can be found here.
private List<Principal> GetGroupsWithEmail(string sOU)
{
PrincipalContext oPrincipalContext;
oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sOU,
ContextOptions.Negotiate, "youractivedirectoryuser", "password");
var oListGroups = new List<Principal>();
PrincipalSearcher oPrincipalSearcher = new PrincipalSearcher();
GroupPrincipalExtended oGroupPrincipal = new GroupPrincipalExtended(
oPrincipalContext);
oGroupPrincipal.EmailAddress = "*@*";
oPrincipalSearcher.QueryFilter = oGroupPrincipal;
oListGroups = oPrincipalSearcher.FindAll().ToList<Principal>();
return oListGroups;
}
public string GetProperty(Principal oPrincipal, string sPropertyName)
{
DirectoryEntry oDE = (oPrincipal.GetUnderlyingObject() as DirectoryEntry);
if (oDE.Properties.Contains(sPropertyName))
{
return oDE.Properties[sPropertyName][0].ToString();
}
else
{
return string.Empty;
}
}
You also need to extend the GroupPrincipal class to expose the Email address field so that we can easily refer to it. By default, Email Addresses are not exposed in the GroupPrincipal and here is the full article explaining how to extend the GroupPrincipal Class to expose values not represented in the GroupPrincipal.
[DirectoryObjectClass("group")]
[DirectoryRdnPrefix("CN")]
public class GroupPrincipalExtended : GroupPrincipal
{
public GroupPrincipalExtended(PrincipalContext context) : base(context) { }
public GroupPrincipalExtended(PrincipalContext context, string samAccountName)
: base(context, samAccountName)
{
}
[DirectoryProperty("mail")]
public string EmailAddress
{
get
{
if (ExtensionGet("mail").Length != 1)
return null;
return (string)ExtensionGet("mail")[0];
}
set { this.ExtensionSet("mail", value); }
}
}
Now we got everything we need. Let’s do the actual syncing.
private void Synchronize()
{
List<Principal> oGroupsWithEmail = GetGroupsWithEmail(
"OU=Your Groups OU,DC=yourcompanydomain,DC=com");
foreach (GroupPrincipalExtended oGroup in oGroupsWithEmail)
{
List<string> oMembersInGoogle = new List<string>();
List<string> oMembersInAD = new List<string>();
try
{
GroupsService oGService = GoogleServiceAuthenticate();
Uri oGroupMemberUri = new Uri(sGoogleServiceUrl + sDomain + "/" +
oGroup.EmailAddress + "/member/");
AppsExtendedFeed oGoogleGroupMembers = oGService.RetrieveAllMembers(
oGroup.EmailAddress, true);
foreach (AtomEntry oUserFeedItem in oGoogleGroupMembers.Entries)
{
string sMemberEmail = oUserFeedItem.SelfUri.ToString().Replace("%40",
"@").Replace(oGroupMemberUri.ToString(), "");
oMembersInGoogle.Add(sMemberEmail.ToLower());
}
PrincipalSearchResult<Principal> oPrincipals = oGroup.GetMembers();
foreach (Principal oPrincipal in oPrincipals)
{
if (oPrincipal.StructuralObjectClass == "user")
{
UserPrincipal oUserPrincipal = (UserPrincipal)oPrincipal;
if (bool.Parse(oUserPrincipal.Enabled.ToString()) &&
(oUserPrincipal.EmailAddress != "" &&
oUserPrincipal.EmailAddress != null) &&
System.Text.RegularExpressions.Regex.IsMatch(
oUserPrincipal.EmailAddress, sEmailRegEx))
{
oMembersInAD.Add(oUserPrincipal.EmailAddress.ToLower());
}
}
if (oPrincipal.StructuralObjectClass == "group")
{
GroupPrincipal oGroupPrincipal = (GroupPrincipal)oPrincipal;
string sGroupPrincipalEmail = GetProperty(oGroupPrincipal, "mail");
if ((sGroupPrincipalEmail != "" &&
sGroupPrincipalEmail != null) &&
System.Text.RegularExpressions.Regex.IsMatch(
sGroupPrincipalEmail, sEmailRegEx))
{
oMembersInAD.Add(sGroupPrincipalEmail.ToLower());
}
}
}
foreach (string sMemberInAD in oMembersInAD)
{
if (!oMembersInGoogle.Contains(sMemberInAD.ToLower()))
{
oGService.AddMemberToGroup(sMemberInAD, oGroup.EmailAddress);
}
}
foreach (string sMemberInGoogle in oMembersInGoogle)
{
if (!oMembersInAD.Contains(sMemberInGoogle.ToLower()))
{
oGService.RemoveMemberFromGroup(sMemberInGoogle,
oGroup.EmailAddress);
}
}
}
catch (Google.GData.Apps.AppsException gEx)
{
if (gEx.ErrorCode == "1301")
{
CreateGoogleGroup(oGroup.EmailAddress, oGroup.DisplayName,
oGroup.Description, sEmailPermission, oMembersInAD);
}
else
{
}
}
catch (Exception ex)
{
}
}
}
Now the code above shows you how to synchronize Active Directory Group Members to Google Groups which includes adding and removing users. It is performing a one way sync which treats Active Directory as the master record repository. Also if you had noticed that there is a catch for the Google.GData.Apps.AppsException, this will catch any error that might be encountered on running the sync like 1301 which means Group with that Email Address was not found. For a full list of Error codes, refer to the list below (which I got here):
- 1000 – Unknown Error
- 1100 – User Deleted Recently
- 1101 – User Suspended
- 1200 – Domain User Limit Exceeded
- 1201 – Domain Alias Limit Exceeded
- 1202 – Domain Suspended
- 1203 – Domain Feature Unavailable
- 1300 – Entity Exists
- 1301 – Entity Does Not Exist
- 1302 – Entity Name Is Reserved
- 1303 – Entity Name Not Valid
- 1400 – Invalid Given Name
- 1401 – Invalid Family Name
- 1402 – Invalid Password
- 1403 – Invalid Username
- 1404 – Invalid Hash Function Name
- 1405 – Invalid Hash Digest Length
- 1406 – Invalid Email Address
- 1407 – Invalid Query Parameter Value
- 1500 – Too Many Recipients On Email List
In the next article, I will be expanding further on that CreateGoogleGroup function. Happy coding!
Submit an article or tip
