
Google Admin LDAP Sync

Step One: Google Workspace Configuration

Browse to https://admin.google.com and log in with your Google Workspace Administrator credentials.

Click on the left icon bar and choose Apps > LDAP

If you do not see LDAP as an option, it may not be included in your account, and you may need to upgrade your account.

Click “ADD CLIENT” near the upper right

Name your LDAP connection (this can be anything, such as “K12 Asset Pro”) and optionally add a description.

For Access Permissions, in “Verify User credentials” pick either “Entire domain” or “Selected Organizational Units”. If you have OUs for inactive or graduated students/staff, it is recommended to use the “Selected Organizational Units” option so that you can leave those inactive users unchecked and thus not synced. Simply check the boxes for all active OUs in your district. Under “Read user information” pick either “Entire domain” or “Selected Organizational Units”. Click “ADD LDAP CLIENT”.

Click on “Download certificate”. Then click “CONTINUE TO CLIENT DETAILS”

In the Authentication pane, click on Access Credentials, then click “GENERATE NEW CREDENTIALS”. Copy the randomly generated Username and Password. Paste the username somewhere safe so you can use it in a later step as it will not be shown again. To copy the password, click the ‘eye’ icon or you can click the button that says ‘click to copy password’. Make sure to paste the password somewhere safe, as you will NOT be able to see it again once you close the dialog box.

Click on the triangle near the upper right to collapse the view.

Click anywhere in the Service Status box.

Select “ON for everyone” and then click “SAVE”

Step Two: K12 Asset Pro Setup

In your K12 Asset Pro, click the gear icon in the upper right for Admin Settings. Then click “LDAP.”

Select the LDAP enabled checkbox.

Select the LDAP Password Sync checkbox.

Select the Active Directory checkbox and enter your domain name (without “www.”)

Leave “Append domain name to username field” unchecked

Open the ZIP file that you downloaded from Google. Open the two resulting files in any text editor on your computer.

You’ll find two new fields in the Admin Settings > LDAP configuration of the UI: LDAP Client-Side TLS key and LDAP Client-Side TLS Certificate. Copy/Paste the contents of the .key file into the TLS key field, and the contents of the .crt file into the TLS Certificate field.

For LDAP Server put ldaps://ldap.google.com

Check the box for “Allow invalid SSL Certificate”

For LDAP Bind Username put the username you got from the Access Credentials step in Step One.

For LDAP Bind Password put the password you got from the Access Credentials step in Step One.

For Base Bind DN put your domain with a dc= component for each part of your domain. For example, for divotassets.com we would put dc=divotassets,dc=com. For a subdomain such as example.divotassets.com, we would put dc=example,dc=divotassets,dc=com.

For LDAP Filter use: &(cn=*)

For the Username Field, you will probably want mail, since that allows you to use SAML single sign-on if you would like.

Last Name should be sn

First Name should be givenname

LDAP Authentication query should be mail=

LDAP Version should be 3

Employee Number should be employeenumber

Department should be departmentnumber

Email should be mail

Job Title should be title

Now click ‘Save’.

You must click ‘Save’ before you can test your connection!

If you try to click ‘Test LDAP Synchronization’ without having hit the ‘Save’ button, it will not work.

After clicking ‘Save’, you can now return to the LDAP settings page and should be able to click “Test LDAP Synchronization.” If that works, then your LDAP configuration is complete!
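
If the test fails, the Base Bind DN and the filter values are the settings most often mistyped. The following is an added example, not K12 Asset Pro code: it derives the Base Bind DN from a domain and shows the per-user search filter that results from the LDAP Filter and LDAP Authentication query values above, with the login value escaped per RFC 4515. The function names are hypothetical, and combining the two values as a single AND filter is an assumption about how the client builds its search.

```python
# Added example; not part of K12 Asset Pro. Function names are hypothetical.
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def base_dn(domain: str) -> str:
    """Turn a domain into a Base Bind DN, one dc= component per label."""
    domain = domain.strip().lower().rstrip(".")
    if domain.startswith("www."):
        raise ValueError("enter the domain without 'www.'")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, ldap_filter: str = "&(cn=*)",
                auth_query: str = "mail=") -> str:
    """Combine the page's LDAP Filter and Authentication query for one login.

    Assumption: the client wraps the filter in parentheses and appends the
    authentication query as an extra AND term.
    """
    return f"({ldap_filter}({auth_query}{escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed sample values for illustration.
    print(base_dn("divotassets.com"))
    print(base_dn("example.divotassets.com"))
    print(user_filter("jdoe@divotassets.com"))
    # A login containing filter metacharacters stays a literal value.
    print(user_filter("*)(cn=*"))
```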
