
Using Google Secure LDAP With Rublon Authentication Proxy

Configuring Google Secure LDAP as an LDAP Authentication Source in Rublon Authentication Proxy

April 17, 2026 By Rublon Authors

This article describes how to configure Google Secure LDAP in the Rublon Authentication Proxy as an authentication source for LDAP and RADIUS Proxies. This setup allows organizations to enforce multi-factor authentication (MFA) for VPNs and other RADIUS‑ or LDAP‑compatible services, using Google Workspace / Google Cloud Identity as the Identity Provider (IdP).

Rublon Authentication Proxy Supports Google Secure LDAP as Authentication Source

Starting with version 3.9.2, Rublon Authentication Proxy supports Google Secure LDAP as an authentication source. Google Secure LDAP is not a separate proxy server type. Instead, it is configured as an LDAP authentication source with a few additional settings required for TLS hostname verification and mutual TLS (mTLS). 

Full Step-by-Step Rublon Authentication Proxy Configuration Instructions

The following articles explain how to configure all sections in the Rublon Authentication Proxy’s configuration file, with a special focus on the proxy_servers section. In contrast, this article focuses only on the part that is specific to configuring Google Secure LDAP as an auth_source. 

If you are looking for full instructions on configuring the Rublon Authentication Proxy as an LDAP or RADIUS proxy server, refer to our dedicated guides:

  • Configuring the Rublon Authentication Proxy as an LDAP Proxy Server
  • Configuring the Rublon Authentication Proxy as a RADIUS Proxy Server

tl;dr: Why This Article Exists

The Rublon Authentication Proxy separates the proxy role (type: LDAP or type: RADIUS) from the auth_source. As a special kind of LDAP authentication source, Google Secure LDAP can be used as the authentication source for both RADIUS and LDAP Proxy Servers. The only difference is that, unlike other LDAP authentication sources such as Active Directory, Google Secure LDAP uses a few additional parameters:

  • client_cert_path
  • client_pkey_path
  • client_pkey_password
  • client_p12_path
  • client_p12_password
  • tls_verify_hostname

How Google Secure LDAP Fits into Rublon Authentication Proxy

In Rublon Authentication Proxy, Google Secure LDAP is configured under the auth_sources section as:

type: LDAP

This means you do not create a new kind of proxy server for Google Secure LDAP. Instead, you define an LDAP authentication source that points to Google Secure LDAP and then reference that source in one or more entries under proxy_servers.

Example Configuration: Google Secure LDAP as Auth Source in RADIUS and LDAP Proxy

Below is an example config.yaml file that shows how to configure Google Secure LDAP as an LDAP authentication source in Rublon Authentication Proxy, and then use that authentication source in both:

  • an LDAP Proxy Server
  • a RADIUS Proxy Server

This configuration reflects a model in which Google Secure LDAP is defined under auth_sources as type: LDAP, and then referenced by one or more entries in proxy_servers. 

global:
  secret_source: plain # Options: plain, env, vault

log:
  debug: true

rublon:
  api_server: https://core.rublon.net
  system_token: YOUR_SYSTEM_TOKEN
  secret_key: YOUR_SECRET_KEY

proxy_servers:
  - name: LDAP-Proxy
    type: LDAP
    ip: 0.0.0.0
    port: 636
    transport_type: ssl
    auth_source: GOOGLE_LDAP
    auth_method: push,email
    cert_path: /opt/rublonauthproxy/certy/rublon.crt
    pkey_path: /opt/rublonauthproxy/certy/rublon.key

  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: YOUR_RADIUS_SECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: GOOGLE_LDAP
    auth_method: push
    force_message_authenticator: false

auth_sources:
  - name: GOOGLE_LDAP
    type: LDAP
    ip: ldap.google.com
    port: 636
    transport_type: ssl
    search_dn: dc=example,dc=com
    username_attribute: uid
    access_user_dn: CN=YOUR_GOOGLE_SECURE_LDAP_BIND_USER
    access_user_password: YOUR_GOOGLE_SECURE_LDAP_BIND_PASSWORD
    ca_certs_dir_path: /opt/rublonauthproxy/config/ca_cert
    client_cert_path: /opt/rublonauthproxy/config/google_ldap_certs/client_cert.pem
    client_pkey_path: /opt/rublonauthproxy/config/google_ldap_certs/client_key.pem
    client_pkey_password:
    tls_verify_hostname: ldap.google.com

What Each LDAP Auth Source Value Means

So, we have defined a new authentication source as follows:

auth_sources:
  - name: GOOGLE_LDAP
    type: LDAP
    ip: ldap.google.com
    port: 636
    transport_type: ssl
    search_dn: dc=example,dc=com
    username_attribute: uid
    access_user_dn: CN=YOUR_GOOGLE_SECURE_LDAP_BIND_USER
    access_user_password: YOUR_GOOGLE_SECURE_LDAP_BIND_PASSWORD
    ca_certs_dir_path: /opt/rublonauthproxy/config/ca_cert
    client_cert_path: /opt/rublonauthproxy/config/google_ldap_certs/client_cert.pem
    client_pkey_path: /opt/rublonauthproxy/config/google_ldap_certs/client_key.pem
    client_pkey_password:
    tls_verify_hostname: ldap.google.com

But what is the meaning of each of these options? The list below explains what has been set in this example and why.

  • name: Enter a name for your Google Secure LDAP server, e.g., GOOGLE_LDAP.
  • type: Enter LDAP because Google Secure LDAP uses this protocol.
  • ip: Enter ldap.google.com.

    Every organization in Google Secure LDAP uses this hostname. There are no per‑tenant dedicated IP addresses or hostnames.
  • port: Enter 636 because Google Secure LDAP always uses LDAPS (TLS‑encrypted LDAP on port 636).
  • transport_type: Enter ssl because Google Secure LDAP always uses LDAPS (TLS‑encrypted LDAP on port 636).
  • search_dn: This defines where in the Google Directory tree your LDAP queries should start.

    Enter your Google Workspace domain in LDAP format. For example, if your domain is mycompany.cloud.example.com, then enter dc=mycompany,dc=cloud,dc=example,dc=com.
  • username_attribute: Enter uid because this is the standard LDAP username attribute used by Google Secure LDAP to identify users.
  • access_user_dn: This is the full Bind DN of the service account used to authenticate and perform LDAP searches in Google Secure LDAP.

    This DN is case‑insensitive and must correspond to the LDAP service account created in the Google Admin Console under Directory → Secure LDAP. Google automatically generates this DN when you create a Secure LDAP client, for example:

    CN=ldap-client-12345,OU=Users,DC=example,DC=com

    We recommend creating a dedicated Secure LDAP client for this integration and using the Bind DN provided by Google after its creation. This client should have read‑only access and be used only for LDAP searches.
  • access_user_password: Enter the password assigned to the Secure LDAP client you have just created in the Google Admin Console.
  • ca_certs_dir_path: The directory containing CA certificates that the Rublon Authentication Proxy should trust when establishing the LDAPS connection to Google Secure LDAP.

    Google Secure LDAP uses LDAPS on port 636, so the Rublon Authentication Proxy must trust the certificate chain used by ldap.google.com. Place the required CA certificates (in .pem format, one per file) in this directory.

    You can extract the CA chain using:

    openssl s_client -connect ldap.google.com:636 -showcerts

    For more information, refer to LDAP source settings.
  • client_cert_path: Enter the path to the client certificate (.pem) downloaded from the Google Admin Console.

    Use the file exactly as provided by Google, without modification. See Where to find the Google Secure LDAP client certificate.
  • client_pkey_path: Enter the path to the client private key (.pem) downloaded from the Google Admin Console.

    Use the file exactly as provided by Google, without modification. See Where to find the Google Secure LDAP client certificate.
  • client_pkey_password: Password for the private key, if it is encrypted.

    Google Secure LDAP private keys are not encrypted, so this field is normally left empty.
  • tls_verify_hostname: Enter ldap.google.com because this is required for certificate validation.

Two Ways of Providing Google Secure LDAP Client Certificates

Rublon Authentication Proxy supports two ways of providing the Google Secure LDAP client certificate:

  • 1) PEM certificate + PEM private key (recommended): This is the simplest method. Google Secure LDAP provides both files directly in PEM format, and you can reference them using client_cert_path and client_pkey_path without any conversion.
  • 2) PKCS#12 file (.p12): This is an alternative for environments that prefer or require a single encrypted PKCS#12 bundle. It requires combining the PEM certificate and key into a .p12 file using OpenSSL or XCA. Use this only if needed.

Where to find the Google Secure LDAP client certificate

Whether you plan to use the PEM files directly or create a PKCS#12 bundle, you must first download the Google Secure LDAP client certificate and private key from the Google Admin Console.

1. Go to Google Admin Console → Directory → Secure LDAP.

2. Select your Secure LDAP client.

3. Scroll to the Certificates section.

4. Download:

  • Client certificate (.pem)
  • Private key (.pem)

5. You will now have two files:

  • client_cert.pem
  • client_key.pem

6. You can either use these PEM files directly with client_cert_path and client_pkey_path or combine them into a .p12 file if you prefer to use PKCS#12.

Optional: Using PKCS#12 Instead of PEM Certificate and Key Files

This is an alternative specifically for Google Secure LDAP. It replaces only the client certificate settings, not the rest of the LDAP source settings. Use either the PEM pair (client_cert_path + client_pkey_path) or PKCS#12 (client_p12_path), but not both.

Instead of using:

  • client_cert_path
  • client_pkey_path

and, if required:

  • client_pkey_password

you can provide the client certificate and private key as a single PKCS#12 file:

  • client_p12_path
  • client_p12_password

  • client_p12_path: Enter the path to the .p12 file containing the client certificate and private key used to authenticate to Google Secure LDAP.

    Download the certificate and key from the Google Admin Console (see Where to find the Google Secure LDAP client certificate) and combine them into a .p12 file using OpenSSL or XCA (see Using PKCS#12 Instead of PEM Certificate and Key Files). If your tool generates a .pfx file, rename it to .p12.
  • client_p12_password: The password used to protect the .p12 file.

So the whole auth_source config looks like this:

auth_sources:
  - name: GOOGLE_LDAP
    type: LDAP
    ip: ldap.google.com
    port: 636
    transport_type: ssl
    search_dn: dc=example,dc=com
    username_attribute: uid
    access_user_dn: CN=YOUR_GOOGLE_SECURE_LDAP_BIND_USER
    access_user_password: YOUR_GOOGLE_SECURE_LDAP_BIND_PASSWORD
    ca_certs_dir_path: /opt/rublonauthproxy/config/ca_cert
    client_p12_path: /opt/rublonauthproxy/config/google_ldap_certs/google-secure-ldap-client.p12
    client_p12_password: YOUR_P12_PASSWORD
    tls_verify_hostname: ldap.google.com
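
The rules above, applied as a pre-deployment check. This is an added example, not part of Rublon's product or documentation: a small Python linter for one parsed auth_sources entry that checks the fixed Google Secure LDAP values, the "PEM pair or PKCS#12, but not both" rule, and the permissions on the key file. The function name, the sample dict and the owner-only permission policy are assumptions of this example; loading config.yaml into a dict is left to your YAML parser.

```python
import os
import stat

GOOGLE_HOST = "ldap.google.com"

# Constructed sample: the PEM-pair auth source from this article, as a parsed dict.
SAMPLE_SOURCE = {
    "name": "GOOGLE_LDAP", "type": "LDAP", "ip": GOOGLE_HOST, "port": 636,
    "transport_type": "ssl", "tls_verify_hostname": GOOGLE_HOST,
    "client_cert_path": "/opt/rublonauthproxy/config/google_ldap_certs/client_cert.pem",
    "client_pkey_path": "/opt/rublonauthproxy/config/google_ldap_certs/client_key.pem",
    "client_pkey_password": None,
}

def lint_google_ldap_source(src):
    """Return a list of problems in one auth_sources entry (hypothetical helper)."""
    problems = []
    fixed = {"type": "LDAP", "ip": GOOGLE_HOST, "port": 636,
             "transport_type": "ssl", "tls_verify_hostname": GOOGLE_HOST}
    for key, want in fixed.items():
        if str(src.get(key)) != str(want):
            problems.append(f"{key} should be {want!r}, found {src.get(key)!r}")

    # Exactly one client-certificate form: PEM pair or PKCS#12, never both.
    pem = [k for k in ("client_cert_path", "client_pkey_path") if src.get(k)]
    p12 = bool(src.get("client_p12_path"))
    if pem and p12:
        problems.append("PEM pair and PKCS#12 are both set; use only one")
    elif not pem and not p12:
        problems.append("no client certificate configured (PEM pair or PKCS#12)")
    elif pem and len(pem) != 2:
        problems.append("PEM mode needs both client_cert_path and client_pkey_path")
    elif p12 and not src.get("client_p12_password"):
        problems.append("client_p12_path is set without client_p12_password")

    # Google's PEM key is unencrypted, so file permissions are its only protection.
    for key in ("client_pkey_path", "client_p12_path"):
        path = src.get(key)
        if path and os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                problems.append(f"{key} mode {mode:o} lets group/other access it")
    return problems

if __name__ == "__main__":
    for problem in lint_google_ldap_source(SAMPLE_SOURCE):
        print("WARN:", problem)
```

Files that do not exist on the machine running the check are skipped by the permission test, so run it on the proxy host to cover the key file as well.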

Optional: How to create the .p12 file (OpenSSL or XCA)

If you choose to use the PKCS#12 certificate, you must combine client_cert.pem and client_key.pem downloaded from the Google Admin Console into a single .p12 file. If you are using the PEM pair as is, you can skip this section entirely.

Linux / macOS (OpenSSL)

Use the following command:

openssl pkcs12 -export \
  -in client_cert.pem \
  -inkey client_key.pem \
  -out client.p12 \
  -name "google-ldap-client"

You will be asked to set a password. Note it down because this is the password you must set in client_p12_password.

This command directly creates a valid .p12 file, so you can use this file’s path in client_p12_path.

Windows (XCA)

1. Install XCA

2. Import:

  • client_cert.pem → Certificates
  • client_key.pem → Private Keys

3. Export as PKCS#12 (.pfx)

4. Set a password (this becomes client_p12_password, so note it down).

5. Rename the file, changing its extension from .pfx to .p12.

Summary

The bottom line is that Google Secure LDAP is configured as an LDAP authentication source, not as a separate proxy server type, which means the same auth_source can be used by both LDAP and RADIUS Proxy Servers. The main difference compared to a standard LDAP authentication source is that Google Secure LDAP requires a few additional TLS-related settings, such as tls_verify_hostname and either client_cert_path with client_pkey_path or client_p12_path with client_p12_password.

Learn More

For the complete list of LDAP source settings, see the Rublon Authentication Proxy documentation.

For full instructions on configuring Rublon Authentication Proxy as an LDAP Proxy Server or RADIUS Proxy Server, refer to:

  • Configuring the Rublon Authentication Proxy as an LDAP Proxy Server
  • Configuring the Rublon Authentication Proxy as a RADIUS Proxy Server

To learn more about LDAPS certificates in the Rublon Authentication Proxy, check How to set up LDAPS certificates in the Rublon Authentication Proxy?.
