Synchronizing User Accounts with G Suite
In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the G Suite account of your company.
During synchronization user information such as user names and email addresses are read from the G Suite account and recorded in MailStore Server's user database. No changes are made to the G Suite account itself by MailStore Server. The scope of the synchronization can be limited through filters.
- 1 Prepare the G Suite account
- 2 Accessing Directory Service Integration
- 3 Connection to G Suite
- 4 Assigning Default Privileges
- 5 Running Directory Services Synchronization
- 6 Login with G Suite Account Credentials
Prepare the G Suite account
In order to synchronize account information from G Suite, MailStore Server requires a service account which has been granted permission to access the G Suite account. The same service account is later used for archiving email from G Suite, too.
Creating a Project
Before MailStore is able to connect to G Suite accounts, a project has to be created. In Google's terminology, a project is the collection of all settings, credentials and meta data of an application that uses Google Developer APIs or Google Cloud resources.
- Go to the Google Developers Console.
- If prompted, login using a Google Account with administrative rights.
- If no project exists, click Create on the dashboard. Otherwise open the Project drop-down list in the header bar and click New Project.
- Name the project, e.g. MailStore API Access. By default a random Project ID is assigned, change it if desired. Click Create.
- Once the project has been created, APIs & Services is shown.
- Make sure that you have selected the newly created project. You can change the project by using the drop-down list.
- Navigate to the API library.
- In the library, enable Admin SDK and Gmail API. You can navigate back to the overview by clicking Google APIs in the top navigation bar.
- In Credentials, click Create Credentials then select Service account key from the drop-down list.
- Select New service account from the Service account drop-down list.
- Enter a name for the service account key. The service account does not require permissions on project level, therefore do not select a role.
- Select the JSON key type and click on Create.
- Acknowledge the next dialog by clicking Create without role.
- The JSON file will be downloaded. Save the JSON file (e.g. MailStore API Access-e035d2ad4f35.json) to a folder on the MailStore Server.
- Close the Private key saved to your computer dialog.
- Click on Manage service accounts.
- Click on the 3-dots-drop-down list and select "Edit".
- In the "Edit service account" dialog, click Show domain-wide delegation and check the box Enable G Suite Domain-wide Delegation.
- Enter MailStore as Product name for the consent screen.
- Click on Save.
- Click on the service account to see its service account details. Note the unique ID (Client ID) and the email address shown for use in the next step.
Grant access to the required APIs
Once created, grant the project access to the APIs used by MailStore Server's Directory Services module.
- Go to your G Suite domain’s Admin console.
- Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
- Click on Basic Settings.
- Make sure that the setting under Less secure apps is not set to Disable access to less secure apps for all users (Recommended). If it is, choose one of the other options and save the changes.
- Navigate back to Security.
- Select API reference from the list of options.
- Enable the API access and save the changes.
- Select Advanced settings from the list of options. If this section is not visible, click on Show more first.
- Select Manage API client access in the Authentication section.
- In the Client name field enter the service account's Unique ID (Client ID) (e.g. 108878593494909748351).
- In the One or More API Scopes field enter the following scopes:
- https://mail.google.com/, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize.
Accessing Directory Service Integration
- Log on to MailStore Client as a MailStore Server administrator.
- Click on Administrative Tools > Users and Privileges and then on Directory Services.
- In the Integration section, change the directory service type to G Suite.
Connection to G Suite
For synchronization MailStore Server requires information on how to connect to the G Suite.
- Key ID
To import the private key, select the JSON file (e.g. MailStore API Access-e035d2ad4f35.json) that has been generated by Google for the service account.
- Service Account
The service account is determined automatically from the JSON file.
- User Name
The email address of a G Suite Administrator (e.g. firstname.lastname@example.org).
User Database Synchronization
After configuring the connection settings as described above, you can specify filter criteria for the G Suite synchronization in this section.
- Sync only these groups
Choose one or several G Suite groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
- Automatically delete users in MailStore Server
Here you can choose whether users that have been deleted in the G Suite Account will also be deleted in the MailStore user database by the synchronization. If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore. Additionally, only MailStore users that have their authentication method set to Directory Services will be deleted.
Assigning Default Privileges
By default, users that have been synchronized to MailStore Server from G Suite Account have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.
Running Directory Services Synchronization
Click on Test Settings to check synchronization configuration and the results returned by the G Suite Account without any changes to the MailStore Server user database being actually committed.
To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.
You can test the authentication for a user by first selecting him from the list and then clicking on the button on the lower left. You will now be asked for that user's password. Upon clicking OK you'll receive a message whether the authentication has been successful.
Important Notice: For authentication with G Suite to work, the setting Allow less secure apps of the respective G Suite user has to turned on if it has not been enforced for all users (see above).
Login with G Suite Account Credentials
After synchronization MailStore users can log on to MailStore Server via Standard Authentication with their G Suite Account username and G Suite Account password.