Synchronizing Google Groups and Active Directory Group Members
4.80/5 (2 votes)
How to synchronize Google groups and Active Directory group members
I have been doing a lot of synchronization projects lately like SalesForce events and Google Calendar Events, Active Directory and some Payroll Application and now Google Groups and Active Directory Groups. It may sound too complicated to develop but trust me, it is not as complicated as you think.
For this article, I will be presenting a working code one way group membership synchronization that you can start with. I hope this post will show you the concepts needed to achieve our end result which is synchronizing members in Active Directory and Google Groups. Before you get started, I am assuming that you have Google Apps for your domain already setup and running for your organization, otherwise you need to have it first before proceeding.
Now let’s get started, first you need to download the Google Apps .NET Client Library which you can find here. Once downloaded, set it up then we're ready to roll.
Fire up your Visual Studio and add the following DLLs (Google.GData.Apps.dll and Google.GData.Client.dll) from the installed Google API folder, you will also need System.DirectoryServices and System.DirectoryServices.AccountManagement which can be found in the Assemblies repository.
First, we need to declare some reusable variables which are:
private string sDomain = "yourcompanydomain.com";
private string sGoogleServiceUrl = "https://apps-apis.google.com/a/feeds/group/2.0/";
private string sEmailRegEx = @"\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*";
We also need a method to Initialize Google Service, take note that I had also included methods for using proxy servers.
///// <summary>
/// Initializes Google Service
/// </summary>
/// <returns>Autheticated Session to Google Service</returns>
private GroupsService GoogleServiceAuthenticate()
{
//Initialize Calendar Service
Google.GData.Apps.Groups.GroupsService oGService = new GroupsService(sDomain,
"your_application");
oGService.setUserCredentials("username", "password");
//If you are using proxy servers
GDataRequestFactory oRequestFactory = (
GDataRequestFactory)oGService.RequestFactory;
WebProxy oWebProxy = new WebProxy(WebRequest.DefaultWebProxy.GetProxy(
new Uri(sGoogleServiceUrl + sDomain)));
oWebProxy.Credentials = CredentialCache.DefaultCredentials;
oWebProxy.UseDefaultCredentials = true;
oRequestFactory.Proxy = oWebProxy;
return oGService;
}
Here are some Active Directory Methods that we will use, these are all derived from my AD Methods Library which can be found here.
/// <summary>
/// Returns Groups with Email Addresses
/// </summary>
/// <param name="sOU">The Organizational Unit To Search</param>
/// <returns>All Groups with Email Addresses on the Specified OU</returns>
private List<Principal> GetGroupsWithEmail(string sOU)
{
PrincipalContext oPrincipalContext;
oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sOU,
ContextOptions.Negotiate, "youractivedirectoryuser", "password");
var oListGroups = new List<Principal>();
PrincipalSearcher oPrincipalSearcher = new PrincipalSearcher();
GroupPrincipalExtended oGroupPrincipal = new GroupPrincipalExtended(
oPrincipalContext);
//Get Anything with @ that indicates an email, I'm just lazy you can
//filter it better
oGroupPrincipal.EmailAddress = "*@*";
oPrincipalSearcher.QueryFilter = oGroupPrincipal;
oListGroups = oPrincipalSearcher.FindAll().ToList<Principal>();
return oListGroups;
}
/// <summary>
/// Gets the Property of a Directory Entry
/// </summary>
/// oPrincipal">Prinicipal Object</param>
/// sPropertyName">The Name of the Property to get</param>
/// <returns>Value of the Propery Object</returns>
public string GetProperty(Principal oPrincipal, string sPropertyName)
{
DirectoryEntry oDE = (oPrincipal.GetUnderlyingObject() as DirectoryEntry);
if (oDE.Properties.Contains(sPropertyName))
{
return oDE.Properties[sPropertyName][0].ToString();
}
else
{
return string.Empty;
}
}
You also need to extend the GroupPrincipal class to expose the Email address field so that we can easily refer to it. By default, Email Addresses are not exposed in the GroupPrincipal and here is the full article explaining how to extend the GroupPrincipal Class to expose values not represented in the GroupPrincipal.
[DirectoryObjectClass("group")]
[DirectoryRdnPrefix("CN")]
public class GroupPrincipalExtended : GroupPrincipal
{
public GroupPrincipalExtended(PrincipalContext context) : base(context) { }
public GroupPrincipalExtended(PrincipalContext context, string samAccountName)
: base(context, samAccountName)
{
}
[DirectoryProperty("mail")]
public string EmailAddress
{
get
{
if (ExtensionGet("mail").Length != 1)
return null;
return (string)ExtensionGet("mail")[0];
}
set { this.ExtensionSet("mail", value); }
}
}
Now we got everything we need. Let’s do the actual syncing.
private void Synchronize()
{
//Get all Active Directory Groups with Email
List<Principal> oGroupsWithEmail = GetGroupsWithEmail(
"OU=Your Groups OU,DC=yourcompanydomain,DC=com");
foreach (GroupPrincipalExtended oGroup in oGroupsWithEmail)
{
List<string> oMembersInGoogle = new List<string>();
List<string> oMembersInAD = new List<string>();
try
{
//Instantiate Google Service
GroupsService oGService = GoogleServiceAuthenticate();
//Set User URI
Uri oGroupMemberUri = new Uri(sGoogleServiceUrl + sDomain + "/" +
oGroup.EmailAddress + "/member/");
//Get Google Group Members
AppsExtendedFeed oGoogleGroupMembers = oGService.RetrieveAllMembers(
oGroup.EmailAddress, true);
foreach (AtomEntry oUserFeedItem in oGoogleGroupMembers.Entries)
{
string sMemberEmail = oUserFeedItem.SelfUri.ToString().Replace("%40",
"@").Replace(oGroupMemberUri.ToString(), "");
//Add in Google Members List for Later Comparison
oMembersInGoogle.Add(sMemberEmail.ToLower());
}
//Get AD Group Members
PrincipalSearchResult<Principal> oPrincipals = oGroup.GetMembers();
foreach (Principal oPrincipal in oPrincipals)
{
//If Principal Type is User
if (oPrincipal.StructuralObjectClass == "user")
{
UserPrincipal oUserPrincipal = (UserPrincipal)oPrincipal;
if (bool.Parse(oUserPrincipal.Enabled.ToString()) &&
(oUserPrincipal.EmailAddress != "" &&
oUserPrincipal.EmailAddress != null) &&
System.Text.RegularExpressions.Regex.IsMatch(
oUserPrincipal.EmailAddress, sEmailRegEx))
{
//Add in Active Directory Email List for Later Comparison
oMembersInAD.Add(oUserPrincipal.EmailAddress.ToLower());
}
}
//If Principal Type is Group
if (oPrincipal.StructuralObjectClass == "group")
{
GroupPrincipal oGroupPrincipal = (GroupPrincipal)oPrincipal;
string sGroupPrincipalEmail = GetProperty(oGroupPrincipal, "mail");
if ((sGroupPrincipalEmail != "" &&
sGroupPrincipalEmail != null) &&
System.Text.RegularExpressions.Regex.IsMatch(
sGroupPrincipalEmail, sEmailRegEx))
{
//Add in Active Directory Email List for Later Comparison
oMembersInAD.Add(sGroupPrincipalEmail.ToLower());
}
}
}
//Add Members in Google
foreach (string sMemberInAD in oMembersInAD)
{
//Check if Email is in Active Directory Email List but not
//in Google Members List
if (!oMembersInGoogle.Contains(sMemberInAD.ToLower()))
{
oGService.AddMemberToGroup(sMemberInAD, oGroup.EmailAddress);
}
}
//Remove Members in Google
foreach (string sMemberInGoogle in oMembersInGoogle)
{
if (!oMembersInAD.Contains(sMemberInGoogle.ToLower()))
{
//Check if Email is in Google Members List but not in
//Active Directory Email List
oGService.RemoveMemberFromGroup(sMemberInGoogle,
oGroup.EmailAddress);
}
}
}
catch (Google.GData.Apps.AppsException gEx)
{
if (gEx.ErrorCode == "1301")
{
//Entity Not found which means, Google Groups is not existing
//Do your create group method here
CreateGoogleGroup(oGroup.EmailAddress, oGroup.DisplayName,
oGroup.Description, sEmailPermission, oMembersInAD);
}
else
{
//Other Google Error Codes to Catch
}
}
catch (Exception ex)
{
//Exception
}
}
}
Now the code above shows you how to synchronize Active Directory Group Members to Google Groups which includes adding and removing users. It is performing a one way sync which treats Active Directory as the master record repository. Also if you had noticed that there is a catch for the Google.GData.Apps.AppsException, this will catch any error that might be encountered on running the sync like 1301 which means Group with that Email Address was not found. For a full list of Error codes, refer to the list below (which I got here):
- 1000 – Unknown Error
- 1100 – User Deleted Recently
- 1101 – User Suspended
- 1200 – Domain User Limit Exceeded
- 1201 – Domain Alias Limit Exceeded
- 1202 – Domain Suspended
- 1203 – Domain Feature Unavailable
- 1300 – Entity Exists
- 1301 – Entity Does Not Exist
- 1302 – Entity Name Is Reserved
- 1303 – Entity Name Not Valid
- 1400 – Invalid Given Name
- 1401 – Invalid Family Name
- 1402 – Invalid Password
- 1403 – Invalid Username
- 1404 – Invalid Hash Function Name
- 1405 – Invalid Hash Digest Length
- 1406 – Invalid Email Address
- 1407 – Invalid Query Parameter Value
- 1500 – Too Many Recipients On Email List
In the next article, I will be expanding further on that CreateGoogleGroup function. Happy coding!