C.0 Appendix – Common Driver Issues

Table C-1 Common Driver Issues

Issue

Example and Notes

User Placement. Do not use a leading "\" to place users or Organization Units.

To place a user in the root container, the dest-dn should only contain the Username. If you are placing a user in the google Sales\Marketing container your dest-dn should look like:

<add class-name="User" dest-dn="Sales\Marketing\myname"/>

Organization Units use the same format for dest-dn.

Group Placement: Do not use a placement rule on groups as Google does not support placing groups in organizations.

Groups are not kept in a hierarchical structure. Placement is not relevant to group objects.

Unique naming: It is important that Nicknames, Group names and usernames be unique in the G Suite domain.

When developing a matching rule be sure to check for nicknames and usernames to ensure proper matching. Further, naming must be unique across all Google Organization units. It is not legal to have Sales\Marketing\myname and Engineering\myname since myname needs to be unique across the domain.

Driver Unable to Start

  1. Are the driver jar files installed and eDirectory restarted?

  2. Have you created the admin account in Google and logged into the web interface at least once?

  3. Examine a level 3 or higher trace log of the driver start up for errors.

Driver Exceeds Quota on requests to specific services.

Google has specific default quotas defined for the various services the driver uses. The quotas limit the total number of requests allowed in a given 24-hour period. Once these quotas are exceeded the driver will receive an HTTP 403: Forbidden error. Read about quotas and how to resolve this issue in Appendix D – Google API Quotas.

Token Response Exception when using Gmail Settings Attributes

The trace will show something like this: 

DirXML Log Event -------------------

Driver: \GLOBAL-DOMINATION\system\driverset1\Google Apps

Status: Fatal

Message: <description>com.google.api.client.auth.oauth2. TokenResponseException: 401 Unauthorized</description>

<exception class-name= "com.google.api.client.auth.oauth2. TokenResponseException">

<message>401 Unauthorized</message>

</exception>

This error is due to not authorizing the new Gmail scopes within the Security section of your G Suite domain. For more information, see the OAuth Guide and reset the authorized scopes for the service account.

GoogleJsonResponseException error 403 forbidden when accessing Gmail Settings attributes

The trace will show something like this: 

<status level="retry" type="app-connection">

<description>IOException: com.google.api.client.googleapis.json. GoogleJsonResponseException: 403 Forbidden

{

"code" : 403,

"errors" : [ {

"domain" : "usageLimits",

"message" : "Access Not Configured. Gmail API has not been used in project 1233 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=1233 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",

"reason" : "accessNotConfigured",

The Gmail API has not been enabled for your G Suite domain. Enable it in your service account's developers console project.