Google Apps with Microsoft Active Directory

About Google Apps Directory Sync:

With Google Apps Directory Sync (GADS), you can automatically add, modify, and delete users, groups, and non-employee contacts so that the data in your G Suite domain matches your LDAP directory server. The data in your LDAP directory server is never modified; the sync is read-only on the LDAP side. GADS is a secure tool that helps you keep users and groups consistent with little manual effort.

Key benefits of GADS:

  • Synchronizes your G Suite user accounts to match the user data in an existing LDAP server.
  • Supports sophisticated rules for custom mapping of users, groups, non-employee contacts, user profiles, aliases, calendar resources, and exceptions.
  • Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
  • Runs as a utility in your server environment. There is no access to your LDAP directory server data outside your perimeter.
  • Includes extensive tests and simulations to ensure correct synchronization.
  • Includes all necessary components in the installation package.

Configuration tips:

  • Use the 64-bit version of GADS if you plan to install it on a 64-bit compatible server. This version performs better than other versions when you need to synchronize large amounts of data.
  • Never share your GADS configuration files. The files contain sensitive information about your LDAP server and your G Suite domain.
  • Simulate a synchronization before you perform a real synchronization. And, simulate again whenever you upgrade GADS or change a configuration. If you don’t, you may accidentally delete an account or restrict a user.

How does it work?

Google offers a free tool called Google Apps Directory Sync, a program that can be installed on any system in your internal network (Windows XP/7/2003/2008, Linux or Solaris). The tool synchronizes Google Apps users with Active Directory (or other LDAP directory) users.

You must have administrator rights both in AD and in your Google Apps environment. The Admin console setting formerly called “Enable provisioning API” (now “Enable API access”) must be turned on.

To enable Domain Admin API access:

  1. Sign into the Google Admin console.
  2. From the dashboard, go to Security > API reference.
  3. Check Enable API access.
  4. Click Save changes.
Step 1: Prepare your servers

Download and install Google Apps Directory Sync.

Before you begin, make sure you can meet the system requirements for Google Apps Directory Sync (GADS).

Download the GADS installer from the link below:


Step 2: Setup Configuration Manager:

Configuration Manager is a step-by-step user interface that guides you through creating, testing, and running a synchronization in Google Apps Directory Sync (GADS).

Open Configuration Manager from the Start menu (Shown in Figure GADS-1)


Specify your general settings:

On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more of: organizational units, user accounts, groups, user profiles, shared contacts, and calendar resources.


Define your G Suite settings:

On the Google Apps Configuration page of Configuration Manager, enter your G Suite (Google Apps) domain connection information.

Click the tabs to enter the following information:

  • Connection settings: If you check the Replace domain names in LDAP email addresses box, all LDAP email addresses are changed to match the domain listed in the Domain Name

Authorizing access using OAuth:

  1. Click Authorize Now to set up your authorization settings and create a verification code.
  2. Click Sign in to open a browser window and sign in to your G Suite domain with your super administrator username and password.
  3. Copy the token that is displayed.
  4. Enter the token in the Verification Code field and click Validate.
  • Proxy settings: Provide any necessary network proxy settings here. If your server doesn’t require a proxy to connect to the Internet, skip this tab.
  • Exclusion rules: Use exclusion rules to preserve information in your G Suite domain that isn’t in your LDAP system (for example, users that are only in G Suite). See more about using exclusion rules.

Exclusion rules allow you to omit specific users, user profiles, groups, organizational units, calendar resources, and other data from the Google Apps Directory Sync (GADS) process. For example, you can add a user profile exclusion rule to exclude specific user profile information that you don’t want to sync in your G Suite domain.


Define your LDAP settings:

On the LDAP Configuration page of Configuration Manager, enter your LDAP server information. After you configure the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.

If you selected OpenLDAP or Active Directory® as your LDAP server, click Use defaults at the bottom of every configuration page to quickly set up the sync with default parameters. You can then customize them to your needs.

For details on the LDAP Configuration fields in Configuration Manager, see LDAP connection settings.


Click on Test Connection


Leave the Org Units settings at their defaults and move on to User Accounts.

User Accounts

Specify which attributes GADS uses when generating the LDAP user list, on the User Accounts page under User Attributes:

Email address attribute: the LDAP attribute that contains a user’s primary email address. The default is mail.

Unique identifier attribute (optional, but recommended): an LDAP attribute that holds a unique, stable identifier for every user entry on your LDAP server. Providing it lets GADS detect when a user is renamed in LDAP and apply the rename in G Suite, instead of deleting the old account and creating a new one.

Example: objectGUID

Under Google Apps users deletion/suspension policy, select both of the following:

Suspend Google Apps users not found in LDAP, instead of deleting them: active users in G Suite that are not in your LDAP server are suspended rather than deleted. Users that are already suspended are not altered. This is the safety net against a misconfigured search (for example a base DN that is too narrow): a suspension is reversible, a deletion is not.

Don’t suspend or delete Google Apps admins not found in LDAP: this keeps the super administrator accounts that exist only on the Google side (including the one GADS authorized with) from being locked out by the sync.


Additional user attributes: optional LDAP attributes you can use to import additional information about your G Suite users, including password hashes. Enter them on the User Accounts page. Note that Active Directory does not expose password hashes over LDAP, so with AD as the source this option cannot sync passwords; Google’s separate G Suite Password Sync tool, installed on the domain controllers, is used for that.


The remaining steps give a brief look at how a user created in Active Directory is provisioned in your Google Apps domain by Google Apps Directory Sync (GADS).

Leave the remaining settings (Groups, User Profiles, Shared Contacts, Calendar Resources) as they are and go to the Logging page.



Logging: Enter the directory and file name to use for the log file or click Browse to browse your file system.

Example: sync.log


Click Simulate sync to test your settings. During simulation, Configuration Manager will:

  • Connect to your G Suite domain and generate a list of users, groups, and shared contacts.
  • Connect to your LDAP directory server and generate a list of users, groups, and shared contacts.
  • Generate a list of differences.
  • Log all events.

If the simulation is successful, Configuration Manager generates a Proposed Change Report that shows what changes would have been made to your G Suite user list.


Note: Running a simulated synchronization does not update or change your LDAP server data or your users accounts in G Suite. The simulation is only for checking and testing purposes.

When you are confident that the configuration is correct, click Sync & apply changes to initiate the synchronization.
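The Proposed Change Report is easier to reason about with a model of the decision GADS makes for each account. The script below is an added example written for this page, not Google’s GADS code; the LDAP entries and G Suite accounts are constructed sample data, the G Suite domain example.com and the exclusion pattern ^svc- are assumptions, and the attribute names follow the settings above (mail as the email attribute, objectGUID as the unique identifier). It shows why the unique identifier turns a rename into a rename rather than a delete plus an add, and what the suspend-instead-of-delete and admin policies protect:

```python
import re
from dataclasses import dataclass


@dataclass
class LdapUser:
    guid: str   # value of the unique identifier attribute (objectGUID)
    mail: str   # value of the email address attribute (mail)


@dataclass
class GSuiteUser:
    email: str
    guid: str = ""          # identifier GADS recorded on an earlier sync, if any
    suspended: bool = False
    is_admin: bool = False


def target_address(ldap_mail, gsuite_domain, replace_domain):
    """Apply the 'Replace domain names in LDAP email addresses' option."""
    local, _, domain = ldap_mail.lower().partition("@")
    return f"{local}@{gsuite_domain if replace_domain else domain}"


def plan_changes(ldap_users, gsuite_users, gsuite_domain, *,
                 replace_domain=True, suspend_instead_of_delete=True,
                 keep_admins=True, exclusion_rules=()):
    """Build the proposed change report a simulated sync would show.

    LDAP is only read; every change lands on the G Suite side."""
    report = {"add": [], "rename": [], "suspend": [], "delete": [],
              "unchanged": [], "protected": []}
    gs_by_email = {u.email.lower(): u for u in gsuite_users}
    gs_by_guid = {u.guid: u for u in gsuite_users if u.guid}
    accounted = set()   # G Suite addresses matched to an LDAP user

    for lu in ldap_users:
        email = target_address(lu.mail, gsuite_domain, replace_domain)
        if email in gs_by_email:
            report["unchanged"].append(email)
            accounted.add(email)
        elif lu.guid in gs_by_guid:
            # same objectGUID, different address: a rename, not delete + add
            old = gs_by_guid[lu.guid].email.lower()
            report["rename"].append((old, email))
            accounted.add(old)
        else:
            report["add"].append(email)

    for gu in gsuite_users:
        email = gu.email.lower()
        if email in accounted:
            continue
        if any(re.search(rule, email) for rule in exclusion_rules):
            report["protected"].append((email, "exclusion rule"))
        elif gu.is_admin and keep_admins:
            report["protected"].append((email, "admin policy"))
        elif gu.suspended and suspend_instead_of_delete:
            report["protected"].append((email, "already suspended"))
        elif suspend_instead_of_delete:
            report["suspend"].append(email)
        else:
            report["delete"].append(email)
    return report


# Constructed sample directory contents (not real accounts).
LDAP_USERS = [
    LdapUser("guid-1", "alice@corp.local"),
    LdapUser("guid-2", "robert.smith@corp.local"),   # bob was renamed in AD
    LdapUser("guid-3", "carol@corp.local"),          # new hire
]
GSUITE_USERS = [
    GSuiteUser("alice@example.com", guid="guid-1"),
    GSuiteUser("bob@example.com", guid="guid-2"),
    GSuiteUser("dave@example.com", guid="guid-4"),   # left the company
    GSuiteUser("admin@example.com", is_admin=True),  # Google-side super admin
    GSuiteUser("svc-scanner@example.com"),           # G Suite-only account
    GSuiteUser("erin@example.com", suspended=True),
]


def simulate():
    """The equivalent of 'Simulate sync' with the policies recommended above."""
    return plan_changes(LDAP_USERS, GSUITE_USERS, "example.com",
                        exclusion_rules=[r"^svc-"])


if __name__ == "__main__":
    for action, items in simulate().items():
        print(f"{action:10s} {items}")
```

Flip the two policy flags to False and the same input produces four deletions, including the super admin and the scanner account; that is the outcome the simulation step exists to catch before a real sync.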

Source: G Suite




G Suite (Google Apps): How to send reply mail from Alias eMail ID?

Every Google Apps user has a primary address for signing in to their account and receiving mail. If a user wants another address for receiving mail, you can give them an email alias.

For example, if a user wants to also receive mail sent to a second address, create that address as an alias. Mail sent to either address then appears in the user’s Gmail inbox.

You can add up to 30 email aliases for each user.

An administrator adds the alias to the user’s account in the G Suite Admin console.

Sign in to the Admin console for your domain -> Users -> click the user who needs the alias -> Account -> Aliases -> Add an alias -> click Save (the same sequence is shown in the images below).


(Figures G Suite-1, G Suite-2 and G Suite-3)


Mail sent to either address then appears in mail@lakkimadhu’s Gmail inbox.

If you receive mail at the alias and want to reply from the alias rather than from the primary address, follow the procedure below.

Sign in to your Google Apps email (Gmail).

Click the gear icon in the top right.

  1. Click Settings -> Accounts -> Add another email address you own (Figures G Suite-4 and G Suite-5).
  2. Click Add alias email address.
  3. In the Email address field, enter your name and the alternate email address.
  4. Click Next Step. It is saved automatically (Figure G Suite-6).

  5. You can view both the primary and the alias email IDs in Settings (Figure G Suite-7).

Now click Compose. In the pop-up that opens, click the From drop-down (the arrow next to the sender address, Figure G Suite-8).

Both addresses are listed; select the alias to send a new mail or a reply from it.

Happy computing🙂

Source: Google

Authenticating SSL VPN users using LDAP

This example illustrates how to configure a FortiGate to use LDAP authentication to authenticate remote SSL VPN users. With a properly configured LDAP server, user and authentication data can be maintained independently of the FortiGate, accessed only when a remote user attempts to connect through the SSL VPN tunnel.

  1. Downloading and installing FSSO agent in the LDAP server
  2. Registering the LDAP server on the FortiGate
  3. Configuring Single Sign-On on the FortiGate
  4. Importing LDAP users
  5. Creating the SSL VPN user group
  6. Creating the SSL address range
  7. Configuring the SSL VPN tunnel
  8. Creating security policies
  9. Results


  1. Downloading and installing FSSO agent in the LDAP server

The FortiOS version running on the firewall in this example is 5.2.5 build 701 (shown in the screenshot).

Download and install FSSO client on your Domain Controller, find a download link here:


Accept the license and follow the Wizard. Enter the Windows AD administrator password.


Click Next, select the Advanced Access method


In the Collector Agent IP address field, enter the IP address of the Windows AD server.


Select the domain you wish to monitor.


Next, select the users you do not wish to monitor.


Under Working Mode, select DC Agent mode.


Reboot the Domain Controller.


Upon reboot, the collector agent will start up.

Check Require authenticated connection from FortiGate and set a Password. The FortiGate must then present this password when it polls the collector agent, so no other host on the network can register as a FortiGate and pull the logon table from the agent.


2. Registering the LDAP server on the FortiGate

Go to User & Device > Authentication > LDAP Servers to configure the LDAP server.


3.  Configuring Single Sign-On on the FortiGate

Go to User & Device > Authentication > Single Sign-On and create a new SSO server.

Under Groups tab, select the user groups to be monitored. In this example, “FortiOS Writers” group is used.


4.  Importing LDAP users

Go to User & Device > User > User Definition, and create a new user, selecting Remote LDAP User.

Choose your LDAP Server from the dropdown list.

You will be presented with a list of user accounts, filtered by the LDAP Filter to include only common user classes.


5.  Creating the SSL VPN user group

Go to User & Device > User > User Groups and create a new user group of Type Firewall. Under Remote groups, add the LDAP server registered in step 2 (optionally restricted to a specific AD group). Note that an FSSO user group, such as the one monitored in step 3, serves transparent identity-based policies for users already logged on to the internal network; the SSL VPN portal mapping in step 7 only accepts firewall groups, so the VPN group must be of that type.


6.  Creating the SSL address range

Go to Policy & Objects > Objects > Addresses, and create a new address.

Set the Type to IP Range, and in the Subnet/IP Range field, enter the range of addresses you want to assign to SSL VPN clients. Select Any as the Interface.

Then create another Address for each Subnet or IP Range within your internal network to which remote users will connect.


7.  Configuring the SSL VPN tunnel

Go to VPN > SSL > Portals and create (or edit) the full-access portal.

Under Source IP Pools, select from the drop-down menu the SSL address range created in step 6.

Go to VPN > SSL > Settings.

Under Connection Settings set Listen on Port to 443, and for Server Certificate select a certificate issued by a CA your clients trust rather than the factory self-signed certificate, so that clients can verify the gateway before sending their LDAP credentials.


Under Authentication/Portal Mapping, select Create New.


Assign the LDAP-backed user group to the full-access portal.

8.  Creating security policies

Go to Policy & Objects > Policy > IPv4 and create a policy with Incoming Interface ssl.root and Outgoing Interface the network the remote users need to reach (internal for the LAN; a second ssl.root – wan1 policy only if they must also reach the Internet through the tunnel). Set Source Address to the SSL address range and Source User(s) to the SSL VPN user group, so that only members of that group are allowed through and not every account that can reach the portal.


9.  Results

In FortiClient, go to the VPN client, select SSL-VPN, click New VPN and give the connection a name.

Type the WAN IP address of the FortiGate as the Remote Gateway.

Click Customize port (the default is port 443).

Leave Do not Warn Invalid Server Certificate unchecked. Suppressing the warning is acceptable only in a lab where the FortiGate still uses its self-signed factory certificate; in production install a certificate issued by a CA the clients trust and keep the warning on, because a client that ignores certificate errors will hand its LDAP credentials to anyone who spoofs the gateway address.

Click Apply and close.


Open the Forticlient >


Type your LDAP credentials and click on Connect.

That’s it.

Happy Browsing!!

Check this video for detailed information about the installation.

Source: FortiGate

AIR-GAPPED Computers

How do you remotely hack a computer that is not connected to the internet? Most of the time you can’t, which is why so-called air-gapped computers are considered more secure than others.

Air-gap refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.

The name arises from the technique of creating a network that is physically separated (with a conceptual air gap) from all other networks.

Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company’s business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems.

A true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a FireWire cable connecting two computers directly. But many companies insist that a network or system is sufficiently air-gapped even if it is only separated from other computers or networks by a software firewall. Such firewalls, however, can be breached if the code has security holes or if the firewalls are configured insecurely.

Although air-gapped systems were believed to be more secure in the past, since they required an attacker to have physical access to breach them, recent attacks involving malware that spread via infected USB flash drives have given the lie to this belief. One of the most famous cases involving the infection of an air-gapped system is Stuxnet, the worm designed to sabotage centrifuges used at a uranium enrichment plant in Iran. Computer systems controlling the centrifuges were air-gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive.


Techniques for hacking air-gapped computers include:

  • AirHopper, which turns a computer’s video card into an FM transmitter to leak keystrokes to the FM receiver of a nearby mobile phone;
  • BitWhisper, which relies on heat exchange between two adjacent computer systems to stealthily siphon passwords or security keys;



Researchers in Israel showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. The proof-of-concept hack involves radio signals generated and transmitted by an infected machine’s video card, which are used to send passwords and other data over the air to the FM radio receiver in a mobile phone.

The method is more than just a concept, however, to the NSA. The spy agency has reportedly been using a more sophisticated version of this technique for years to siphon data from air-gapped machines in Iran and elsewhere. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the spy agency can extract data from targeted systems via RF signals and transmit it to a briefcase-sized NSA relay station up to eight miles away.

  • Stealing a secret cryptographic key from an air-gapped computer in an adjacent room using a side-channel attack. This was the first time such an attack successfully targeted a computer running Elliptic Curve Cryptography (ECC).

Elliptic Curve Cryptography is a family of public-key algorithms (ECDH for key exchange, ECDSA for signatures) that is widely used in everything from securing websites with Transport Layer Security (TLS) to encrypted messaging.

Source: thehackernews,

Interesting Facts About Bitcoin and Blockchain

Bitcoin is a cryptocurrency, but the blockchain protocol behind it can be used for a variety of non-currency purposes. People are using the blockchain to develop everything from ride-sharing services to voting applications to cloud storage. Let’s take a closer look at how the blockchain protocol works and how it’s being used.

The most exciting thing about Bitcoin is not Bitcoin at all. The people at WhoIsHostingThis have created an interesting infographic about blockchain and Bitcoin in general.
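The property the infographic builds on, that each block commits to the hash of the block before it and a proof of work makes rewriting history expensive, is shown in miniature below. This is an added example written for this page, not code from the infographic’s authors or from Bitcoin; the ledger entries, the difficulty of three leading hex zeros and the block layout are all constructed for illustration.

```python
import hashlib
import json

DIFFICULTY = 3  # hash must start with this many hex zeros (toy value)


def block_hash(block):
    """SHA-256 over every field except the stored hash itself."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def mine_block(index, prev_hash, data, difficulty=DIFFICULTY):
    """Search nonces until the block hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * difficulty):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def build_chain(records, difficulty=DIFFICULTY):
    """Genesis block plus one block per record, each linked to the previous hash."""
    chain = [mine_block(0, "0" * 64, "genesis", difficulty)]
    for i, rec in enumerate(records, start=1):
        chain.append(mine_block(i, chain[-1]["hash"], rec, difficulty))
    return chain


def validate_chain(chain, difficulty=DIFFICULTY):
    """Return (True, None) for an intact chain or (False, i) for the first bad block."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i  # contents edited after the hash was computed
        if not block["hash"].startswith("0" * difficulty):
            return False, i  # proof of work does not meet the target
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, i  # link to the predecessor is broken
    return True, None


def rewrite_block(chain, index, new_data, difficulty=DIFFICULTY):
    """Forge a copy of the chain in which one block is replaced and re-mined.

    Later blocks are left alone, so their prev_hash no longer matches: an
    attacker has to redo the work for every block after the one changed."""
    forged = [dict(b) for b in chain]
    prev_hash = forged[index - 1]["hash"] if index > 0 else "0" * 64
    forged[index] = mine_block(index, prev_hash, new_data, difficulty)
    return forged


# Constructed sample ledger entries.
RECORDS = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact:", validate_chain(chain))
    forged = rewrite_block(chain, 1, "alice pays bob 500")
    print("forged:", validate_chain(forged))
```

Editing a block without re-mining is caught at that block (its stored hash no longer matches its contents); re-mining it is caught at the next block, whose prev_hash still points at the original. In a real network the attacker would also have to out-mine every other participant from that point on, which is what makes the ledger hard to rewrite.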


Source: Security Zap, WhoIsHostingThis

File System Check Error in FortiGate

File System Check Error in FortiGate 5.2.3 and above

In FortiOS 5.2 patch3, the file system check dialogue was introduced in the GUI and it offers the options to restart the unit and perform a file system check or, if desired, to be reminded later for performing the action in a maintenance window.

File System Check is a feature that checks whether the device was shut down properly. It runs a disk scan when the system boots to avoid potential file system errors. If the unit was shut down without the proper command (#execute shutdown), the FortiGate looks during the boot sequence for the log event a clean shutdown writes; if it cannot find it, the message is shown.

This behavior is by design and there is no option to disable this message.

The message should no longer be seen once the following actions have been completed:

– Check of the file system.
– Reboot of the device.