Best Practices for syncing multiple Google Cloud Directory Domains in PaperCut MF/NG
Google Cloud Directory (GCD) multi-domain support for PaperCut MF/NG allows you to sync users from multiple Google Cloud Directory domains. This is handy for environments like school networks, large organizations with multiple business units, or anywhere else that you’re dealing with multiple domains under the one PaperCut installation.
For example, you might have several subdomains operating under your main domain: portland.papercut.com, bracknell.papercut.com, and melbourne.papercut.com. Or you might have multiple completely distinct brands operating under the one installation: papercut.com, papercutcafe.com, and papercutsecondaryschool.com.
If you have only two domains and expect things to stay that way, you may not need multi-domain support at all. You can use our primary and secondary sync sources for each of your two domains.
This article contains tips, tricks, and gotchas when syncing from multiple Google Cloud Directory domains.
You can find our Google Cloud Directory Multi-Domain setup guide in the MF/NG manual, from version 21.0.
To ensure usernames are unique, PaperCut MF/NG adds the email domain to the username when syncing in multi-domain environments. If you’re implementing multi-domain support in PaperCut for an existing installation, usernames need to be migrated from short-form usernames (e.g. jsmith) to email addresses (e.g. firstname.lastname@example.org). There are a couple of things you can do to make username migration easier.
1. Back up your database
If you’re updating all your usernames you’ll want to be able to recover your previous state if anything goes wrong. We’d recommend backing up your database before you begin.
2. Turn off on-demand User Creation
After the migration, all usernames will be in a username/email format, but will your users know that? If users continue to identify themselves using the pre-migration username format, they will appear to be new users to your PaperCut database. It’s best to turn off on-demand user creation before you start your migration, and to leave it off until you’ve had a chance to ensure your users are using the correct username.
3. Automate username migration
Usernames can be updated using server commands. The great thing about server commands is that they can be run individually or batched together in a script. Running one script can save you hours of manual updates. Your PaperCut Partner (Authorized Solutions Center or Reseller) may be able to assist with this step if hands-on technical assistance is required.
Groups, like usernames, are not globally unique in their short form. Once you sync from several domains you might start to see group name duplication. To prevent this we notify you when you add your second domain and ask you to convert your groups. We can do this automatically for you if you click the “Convert Groups” confirmation button.
There is a 50 character limit on usernames in PaperCut. Usernames above this length will not be imported into PaperCut MF/NG.
In most cases, the 50 character limit is more than adequate and is larger than the username limit on some directories. But when we start using email addresses, particularly in conjunction with sub-domains, the limit starts to look a little less generous. “jonathan.smith” is a 14 character username but “email@example.com” is 37 characters, which is nearing our fifty character limit already.
Before implementing multi-domain for GCD, compare your longest usernames and domain names and also consider how this limit might affect your users and domains in the future.
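A pre-flight check for the username migration and the 50 character limit described above, added here as an example (not PaperCut's own code): it turns a constructed CSV of short usernames and domains into rename arguments for server-command, and sets aside names that would exceed the limit or that exist in more than one domain. The CSV layout and function names are assumptions; confirm the rename-user-account command against the server-command reference for your version.

```python
import csv
import io
import shlex
from collections import defaultdict

MAX_USERNAME_LEN = 50                # limit stated in this article
RENAME_CMD = "rename-user-account"   # confirm in your version's server-command reference

# Constructed sample: short-form PaperCut username and the GCD domain it belongs to.
SAMPLE_CSV = """username,domain
jonathan.smith,bracknell.papercut.com
jsmith,portland.papercut.com
jsmith,melbourne.papercut.com
bartholomew.featherstonehaugh-cholmondeley,bracknell.papercut.com
"""

def plan_migration(csv_text):
    """Split rows into safe renames, names over the limit, and ambiguous short names."""
    by_short = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        short = row["username"].strip()
        by_short[short].append(f"{short}@{row['domain'].strip().lower()}")

    renames, too_long, ambiguous = [], [], {}
    for short, targets in by_short.items():
        if len(targets) > 1:
            # One existing account, several possible owners: needs a human decision.
            ambiguous[short] = targets
        elif len(targets[0]) > MAX_USERNAME_LEN:
            too_long.append((short, targets[0], len(targets[0])))
        else:
            renames.append((short, targets[0]))
    return renames, too_long, ambiguous

def to_commands(renames):
    """Render one server-command argument line per safe rename."""
    return [f"{RENAME_CMD} {shlex.quote(old)} {shlex.quote(new)}" for old, new in renames]

if __name__ == "__main__":
    renames, too_long, ambiguous = plan_migration(SAMPLE_CSV)
    print("\n".join(to_commands(renames)))
    for short, new, length in too_long:
        print(f"SKIP {short}: {new} is {length} characters")
    for short, targets in ambiguous.items():
        print(f"REVIEW {short}: could be {', '.join(targets)}")
```

Short names flagged for review map one existing account to several directory identities, so renaming them automatically could hand one person's history and balance to another.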
We do not have a limit on the number of domains you can import (though it’s worth noting adding more domains will mean longer synchronization times). We do however have a 1,000 character limit on the domain input field. This limit can effectively be increased to 2,000 characters by taking advantage of the secondary sync source option.
While setting up user/group sync in PaperCut MF/NG, you can limit which users to import by their group membership - under “Step 4 - Select users to import”. If you choose to only import users from selected groups, your users will need to meet three criteria to be imported:
- They must be a member of one of the selected domains.
- They must be a member of one of the selected groups.
- They must share a domain with the group they belong to.
The first and second points are straightforward, but the third is a bit trickier. For a user to be imported, the domain part of their email address must match the domain part of the group. However, that can cause problems in environments such as school networks.
For example, you might have a privileged permission group for particular students at each school, or you might save on maintenance by putting all students in a group hosted on a single domain. Unfortunately, this means that if you are using that group as a synchronization filter, some students will not be imported.
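The three criteria above can be checked against a directory export before the first sync. The following is an added example, not PaperCut's sync code; it assumes groups are identified by their group email address, and all users, groups, and domains in it are constructed.

```python
# Constructed sample data (assumption: a group's domain is the domain of its address).
SELECTED_DOMAINS = {"school-a.example", "school-b.example"}
SELECTED_GROUPS = {"all-students@school-a.example"}
MEMBERSHIPS = {
    "amy@school-a.example": {"all-students@school-a.example"},
    "ben@school-b.example": {"all-students@school-a.example"},
    "cara@school-b.example": {"staff@school-b.example"},
    "dan@school-c.example": {"all-students@school-a.example"},
}

def domain_of(address):
    """Domain part of a user or group address, lower-cased for comparison."""
    return address.rsplit("@", 1)[1].lower()

def import_decision(user, groups, selected_domains, selected_groups):
    """Apply the article's three criteria in order; return (imported, reason)."""
    if domain_of(user) not in selected_domains:
        return False, "user domain not selected"
    matched = groups & selected_groups
    if not matched:
        return False, "not in a selected group"
    if not any(domain_of(group) == domain_of(user) for group in matched):
        return False, "selected group is hosted on another domain"
    return True, "imported"

def predict_sync(memberships, selected_domains, selected_groups):
    """Map every user to the decision the group filter would produce."""
    return {
        user: import_decision(user, groups, selected_domains, selected_groups)
        for user, groups in sorted(memberships.items())
    }

if __name__ == "__main__":
    result = predict_sync(MEMBERSHIPS, SELECTED_DOMAINS, SELECTED_GROUPS)
    for user, (imported, reason) in result.items():
        print(f"{'IMPORT' if imported else 'SKIP  '} {user}: {reason}")
```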