Request Demo
Features Use Cases About Documentation Contact Request Demo

Google Workspace (Secure LDAP)

Authenticate users via Google Secure LDAP with client certificates

What's This For?

If your organization uses Google Workspace, you can authenticate network users against Google's Secure LDAP service. This provides real password verification and group membership lookups directly against your Google Workspace directory.

How it works: Warden connects to Google's LDAP server (ldap.google.com) using client certificates you download from Google Admin Console. When users authenticate, their passwords are verified directly by Google.

Requirements

  • Google Workspace Business Plus, Enterprise, or Education - Secure LDAP requires these tiers
  • Google Admin Console access - Super Admin or delegated admin privileges
  • Client certificate - Downloaded from Google Admin Console

Not available on lower tiers. Google Secure LDAP is only available with Business Plus, Enterprise, Enterprise for Education, or Cloud Identity Premium. Check your subscription before proceeding.

Setting Up Google Secure LDAP

Step 1: Enable Secure LDAP in Google Admin Console

  1. Go to Google Admin Console
  2. Navigate to AppsLDAP
  3. Click Add Client
  4. Give your client a name (e.g., "NocTel Warden")
  5. Click Continue

Step 2: Configure Access Permissions

  1. Under Access Permissions, configure:
    • Verify user credentials: Entire domain (or specific OUs)
    • Read user information: Entire domain (or specific OUs)
    • Read group information: On (if you want group-based access rules)
  2. Click Add LDAP Client

Step 3: Download the Certificate

  1. After creating the client, click Download Certificate
  2. Google will download a ZIP file containing:
    • A .crt file (client certificate)
    • A .key file (private key)
  3. Keep these files secure - they provide access to your directory

Certificate Security: Treat these files like passwords. Do not share them or commit them to version control. Anyone with these files can query your Google Workspace directory.

Step 4: Enable the LDAP Client

  1. Back in Google Admin Console, find your new LDAP client
  2. Click the three-dot menu and select Turn On
  3. The status should change to "On"

Step 5: Configure in Warden

  1. Go to My Providers
  2. Click Add Provider
  3. Select Google Workspace
Name
Something recognizable
Example: "Google Workspace" or "Corp Google"
Domain
Your Google Workspace domain
Example: yourcompany.com
Client Certificate
Upload the .crt file or paste its contents
Client Private Key
Upload the .key file or paste its contents

Tip: You can upload the ZIP file directly from Google, and Warden will automatically extract the certificate and key for you.

Testing Your Connection

  1. Save the identity provider
  2. Click the menu (⋮) next to your provider
  3. Select Test Connection
  4. Enter a Google Workspace user's email and password
  5. Click Run Test

Users with 2-Step Verification: If the Google account has 2FA enabled, the user must use an App Password instead of their regular password. App Passwords can be generated at myaccount.google.com/apppasswords.

Success! You'll see the user's details from Google Workspace, including their name, email, and group memberships.

Output Fields

When authentication succeeds, the following fields are available for use in policies and access rules:

email
User's primary Google Workspace email address
cn
User's common name (full name)
givenName
User's first name
sn
User's last name (surname)
uid
User's unique identifier
groups
Array of Google Workspace group names the user belongs to
memberOf
Array of group DNs (full distinguished names)

Troubleshooting

"Connection failed" or "Certificate error"

What's happening: The certificate isn't being accepted.

Things to check:

  • Is the LDAP client enabled (turned on) in Google Admin Console?
  • Did you paste the complete certificate including BEGIN/END lines?
  • Is the certificate still valid (not expired)?
  • Try re-downloading the certificate from Google

"User not found"

What's happening: The user doesn't exist or can't be found.

Things to check:

  • Is the domain correct in your configuration?
  • Does the user exist in Google Workspace?
  • Is the user in an OU that the LDAP client has access to?
  • Try using the full email address (user@domain.com)

"Invalid credentials" or "Bind failed"

What's happening: The password is wrong or the user can't authenticate.

Things to check:

  • Does the user have 2FA enabled? If so, they must use an App Password instead of their regular Google password
  • Is the password correct?
  • Is "Verify user credentials" enabled for this user's OU?
  • Is the user account active (not suspended)?
  • Has the user set up their Google account password?

"No groups returned"

What's happening: Group membership isn't being retrieved.

Things to check:

  • Is "Read group information" enabled in the LDAP client settings?
  • Is the user actually a member of any groups?
  • Try waiting a few minutes - group changes can take time to propagate

Security Best Practices

  • Protect your certificates - Store them securely, never commit to repos
  • Limit access permissions - Only grant access to OUs that need it
  • Use separate clients - Create a dedicated LDAP client for Warden
  • Monitor usage - Review LDAP client activity in Google Admin Console
  • Rotate certificates - Regenerate certificates periodically
  • Disable unused clients - Turn off LDAP clients you no longer need

What's Next?

Back to Help Overview