Using Google Workspace accounts via LDAP as central authentication method for Ubuntu Linux

Published by jfn on

With Google Workspace, some of the more enterprise-focused licenses allow one to expose the users & groups created in the Google Workspace via secure LDAP, so that remote secure LDAP clients can authenticate with the Google Workspace usernames & passwords.

By having this option, one can consolidate authentication for multiple systems and rely on Google Workspace to provide a central user & group inventory and access control. This simplifies access control & allows a common password policy to be enforced.

In this first example of a series, we look at how to configure this with Ubuntu Linux (example using Ubuntu 22.04 LTS).

First of all, one needs to configure the secure LDAP service in the Google Workspace. Google provides a guideline on how to do this here.

When finished with the Google Workspace configuration, you should have two files from that configuration: the certificate (CRT) and its private key (KEY). We will need both files later, so make a copy.

For some LDAP clients, like pfSense, you also need a specific user & password, but the Ubuntu client does not need this, so in this guide the certificate and key are all that is required to make it work.

On the Ubuntu machine, first install sssd, the software that allows the system to authenticate via secure LDAP :

sudo apt install sssd sssd-tools sssd-ldap ldap-utils

Then place the content of the Google LDAP CRT certificate into the following file :

/etc/sssd/ldap.google.com.crt

And place the content of the Google LDAP KEY certificate into the following file :

/etc/sssd/ldap.google.com.key

Then set proper permissions :

sudo touch /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/ldap.google.com.* /etc/sssd/sssd.conf

Then put the following in /etc/sssd/sssd.conf (adjust example.com to fit your domain) :

[sssd]

#services = nss, pam
domains = example.com

[domain/example.com]
cache_credentials = true
ldap_tls_cert = /etc/sssd/ldap.google.com.crt
ldap_tls_key = /etc/sssd/ldap.google.com.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?subtree?(memberOf=cn=unix-users,ou=groups,dc=example,dc=com)?ou=users,dc=example,dc=com?subtree?(memberOf=cn=unix-admins,ou=groups,dc=example,dc=com)
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
enumerate = false
# Needed to make the TLS connection with Google Workspace work (GnuTLS priority string that disables TLS 1.3)
ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3

#ldap_library_debug_level = -1

#Replace LDAP primary group ID with specific group ID (in this case the group users in Ubuntu)
override_gid = 100

In the example configuration file above, the users are forced to have group ID 100 as primary group. This is the ID of the local users group on Ubuntu. If this is not set, each user will have a group ID matching its user ID which is a group ID number likely not present on the local system.

Having a common group makes giving access & sharing files on the system easier. It doesn’t have to be the primary group, so adjust this as needed, or simply comment it out.

Then enable automatic home directory creation :

sudo pam-auth-update --enable mkhomedir

And finally restart sssd to enable all the changes :

sudo service sssd restart

This will allow users to log in to a Linux machine with their Google username & password. Their $HOME will be /home/$USERNAME.
The override_gid line in the config file is set to 100 in the example. Group 100 is the local UNIX group users. If this is not set, the group ID will be the same as the user ID and not map to any locally defined group, so for file server sharing purposes it’s easiest if the users are members of the same common primary group.
The LDAP authentication is set up with a filter that only allows Google users that are members of the Google group unix-users and/or unix-admins.
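As an added check that is not part of the original post, the following script reads an sssd.conf like the one above and flags the settings a reviewer looks at first: an ldap_uri that is not ldaps://, a certificate or key file that is not mode 0600, and a user search base without the memberOf group filter. It also splits SSSD's `?`-separated search-base syntax (base?scope?filter, repeated) into its parts. The sample configurations and file modes are constructed; only disk_modes touches the real filesystem.

```python
import configparser
import os
import re
import stat

def split_search_bases(value):
    """SSSD 'base?scope?filter[?base?scope?filter...]' -> (base, scope, filter) tuples."""
    p = [s.strip() for s in value.split("?")]
    return [(p[i], p[i + 1] if i + 1 < len(p) else "subtree",
             p[i + 2] if i + 2 < len(p) else "") for i in range(0, len(p), 3) if p[i]]

def disk_modes(*paths):
    """Permission bits of the files that exist on disk, for checking a live system."""
    return {p: stat.S_IMODE(os.stat(p).st_mode) for p in paths if os.path.exists(p)}

def audit_sssd_conf(text, file_modes):
    """Findings per [domain/...] section; file_modes maps path -> mode bits (see disk_modes)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[section]
        uri = d.get("ldap_uri", "")
        if not uri.startswith("ldaps://"):
            findings.append(f"{section}: ldap_uri {uri!r} is not ldaps://")
        for key in ("ldap_tls_cert", "ldap_tls_key"):
            path = d.get(key)
            mode = file_modes.get(path)
            if mode is None:
                findings.append(f"{section}: {key} not set or file {path} absent")
            elif mode & 0o077:  # any group/other bit on the client cert or key
                findings.append(f"{section}: {path} is mode {mode:04o}, expected 0600")
        bases = split_search_bases(d.get("ldap_user_search_base", ""))
        if not any("memberof=" in f.lower() for _, _, f in bases):
            findings.append(f"{section}: no memberOf filter, every Workspace user may log in")
    return findings

# Constructed sample: the page's domain section, trimmed to the keys checked here.
USERS, GROUPS = "ou=users,dc=example,dc=com", "ou=groups,dc=example,dc=com"
GOOD_CONF = f"""
[domain/example.com]
ldap_uri = ldaps://ldap.google.com:636
ldap_tls_cert = /etc/sssd/ldap.google.com.crt
ldap_tls_key = /etc/sssd/ldap.google.com.key
ldap_user_search_base = {USERS}?subtree?(memberOf=cn=unix-users,{GROUPS})?{USERS}?subtree?(memberOf=cn=unix-admins,{GROUPS})
"""
GOOD_MODES = {"/etc/sssd/ldap.google.com.crt": 0o600, "/etc/sssd/ldap.google.com.key": 0o600}
# Constructed weak variant: plaintext ldap://, group filter dropped, key world-readable.
BAD_CONF = re.sub(r"\?.*", "", GOOD_CONF.replace("ldaps://", "ldap://"))
BAD_MODES = {**GOOD_MODES, "/etc/sssd/ldap.google.com.key": 0o644}
```

On a real host, call audit_sssd_conf with the file contents and disk_modes("/etc/sssd/ldap.google.com.crt", "/etc/sssd/ldap.google.com.key"); an empty list means the three checks passed.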

For sudo permissions, the idea is that only members of the Google group unix-admins will have access. This is done by adding the following to /etc/sudoers (edit it with visudo so a syntax error cannot lock you out) :

%unix-admins ALL=(ALL:ALL) ALL

Here’s an example with a user called foo logged in via Google LDAP authentication :

foo@ldap-test:~$ id
uid=1689664894(foo) gid=100(users) groups=100(users),186376791(unix-users),199406316(unix-admins),207652195(proxmox-users),510719476(sales),634934429(snailmail),918020421(corporate),1103606151(billing),1243675829(vpn-users),1487242262(pfsense-admins),1544347971(info),1714853775(proxmox-admins)
foo@ldap-test:~$ getent passwd foo
foo::1689664894:100:foo:/home/foo:/bin/bash
foo@ldap-test:~$ getent group unix-users
unix-users::186376791:foo
foo@ldap-test:~$ getent group unix-admins
unix-admins:*:199406316:foo