Google Contacts and CardDAV

There are two potential protocols involved, LDAP and CardDAV, both of which are included in Exchange. But the protocols are open, so they’re available from many places.

Contacts primarily uses CardDAV* (developed mostly by Apple) for syncing. CardDAV is the most commonly available protocol from third party servers (gmail, fastmail, MS, …). It’s probably most common because it’s a good bit easier to manage than LDAP, and most people only want the contacts part anyway. I don’t know what most of the differences are compared to LDAP, or whether a third party CardDAV server would be more reliable than Apple’s; given Apple’s track record, it’s not impossible. But it’s likely that CardDAV just doesn’t support features that people want/expect. It’s also possible that some of the Contacts problems are part and parcel of the Contacts app, and using an app other than Contacts that supports CardDAV would work better for at least some features/people.

LDAP is a ‘lightweight’** flavor of the open DAP X.500 directory service. It does a lot more than just contacts, such as account privileges. IIRC it primarily pushes centralized data to clients. Apple forked OpenLDAP to produce Open Directory, which was included in mac server. There are many LDAP server and client implementations available, some proprietary, some open source.

Contacts (mac and ios) is a client for the contacts features, but not a server.

Not every LDAP client can talk to every server, because there are variables such as which authentication protocols are provided. But it should be possible to find an LDAP server account, or run your own server (not at all trivial), if you want to manage the data on the server, then push it to any subscribed Contacts.

* CalDAV is the protocol used for Calendar, also mostly developed by Apple.

** Having been mildly exposed to the mess that is LDAP, I don’t want to even read about full DAP. The people I’ve known who had to seriously deal with LDAP had interestingly expanded vocabularies.

The post by @gastropod got me curious about self-hosted CardDAV. Even though I’ve been running a Synology NAS drive for years, I never noticed that they offer a CardDAV server among their other services – just a few clicks and you have one on your home network. Presumably that would work well for a family.

You should note that several services offer multiple protocols. For instance, I found that the default Google account (on my iPhone) has problems with my Google contacts (things just didn’t seem to sync right, and not all of Google’s features were available). I therefore configure my devices to not sync contacts through my normal Google account (which I still use for mail, notes and calendar) and created a separate CardDAV account for my Google contacts.

If your contacts server (whatever it is) also offers multiple mechanisms, you might want to try something similar.

See also Use CardDAV To Sync Google / Gmail Contacts With iOS

Haha. X.500 is certainly a bit of an animal, but LDAP is not bad. It’s mostly a key-value data store. It can be used as a database for applications requiring rapid reads. I built an authentication system in the 90s based on it that is still in production today.

Worth reminding that MS adopted LDAP as the basis of Active Directory, which is ubiquitous in offices around the world.

In addition to problems syncing with my iPhone, I find that syncing Google Contacts with macOS (through at least 12.7.2 Monterey where I am stuck due to hardware limitations) also is not fully satisfactory.

And even a vCard export from Google Contact and subsequent import to Apple has known problems:

But you should see if you can use CardDAV for your Google contacts. That’s what I’ve been doing for years and it seems to work well. The default contact-sync protocol Apple tries to configure (LDAP, I think) just doesn’t seem to work as well.

According to the article I cited, and my own phone’s configuration, you should manually add a CardDAV account (via the “Other” option, not via the Google option). And configure it for:

  • Server: google.com
  • User name: Your Google account (your full GMail address)
  • Password: Your Google account password
  • Description: Whatever you like (I use “Google (CardDAV)”)
1 Like

I tried adding Google Contacts via CardDAV to both my iPhone and iMac and both failed to verify my account, which is a G Suite Legacy account. Interestingly, the comments on the article that you cited refer to errors trying to verify a G Suite Basic account.

There are lots of internet posts by people whose CardDAV connections stopped working in the last few years so I think that this G Suite commonality is just a coincidence.

I suspect that the way to set up CardDAV is to use an “app password” as described in one of the answers to this question about CalDAV:

But Google seems to discourage doing so:

That may be necessary, since the CardDAV login probably can’t trigger an OAuth2 2FA request.

I think I’m using an app password. It’s been so long I don’t really remember, but I know I set it up before there was any other option for getting an iPhone to connect to Google at all.

Yes, Google thinks app passwords are insecure. But no more so than any other randomly-generated password. Keep it in a secure place (like your phone’s keychain) and don’t use it for anything else and you should be fine.

tldr:
A slight historical tangent, but the CalDAV spec was the work of a group, not just Apple. Notably the same person at Apple was involved with both CardDAV and CalDAV.

CardDAV is based on WebDAV/HTTP, which is more the transport and server spec, but uses the vCard format for the actual data.

Full Details

The CalDAV standard was really polished by the CalConnect consortium, a group of software companies and large customers. As that article mentions, Bernard Desruisseaux represented Oracle, but he actually came from an acquisition of Steltor (formerly CS&T) who sold software called CorporateTime. They were also a strong believer in open standards and protocols. A brief history of the evolution of the standard was made by the former executive director Dave Thewlis.

CorporateTime went on to become part of Oracle Collaboration Suite to compete with Exchange, which was very dominant at the time and which used a proprietary protocol. One can guess how much interest Microsoft had in an open standard at the time.

Having participated in a few of the technical group sessions for a former employer, I can tell you the complexities in even the basic situations for shared contacts like you mention get complicated quickly. Somewhat explains why things are still so difficult, like scheduling a meeting for 4 people.

As someone else mentioned, LDAP is at its heart a key-value store, but the devil is in the details of how LDAP is used. It’s gotten better, but what and how exactly certain keys were used by different software took a while to settle down. It is not something I would recommend anyone use for a family or small business.

1 Like

Then CardDAV is probably my nemesis. Most cloud content on my Mac syncs smoothly. Contacts very frequently freezes after I’ve made some change, and only after 5-10s releases GUI control back to me. My feeling is that it begins syncing my changes and holds some semaphore to ensure data consistency by preventing me from touching anything during that time. Very annoying.

Part of the issue is, I think, the fact that changes to the Notes section of Contacts don’t require you to be in Edit mode or to Save. So perhaps it goes into sync mode every time you press a key? Not sure.

If syncing Contacts via CardDAV requires an “app-specific password” then perhaps the option of syncing via CardDAV is going away because apparently Google is removing support for Less Secure Apps, which includes:

all third-party apps that require password-only access … via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.

“Less Secure Apps” are those that use your Google ID and password. An application-specific password is different and is not, as far as I can tell, going away at this time.

1 Like

Off-topic in terms of Contacts, but following the discussion of signing into Google.

I’m feeling stupid for not understanding. Is Apple Mail, which uses my Google ID and password, a “Less Secure App”? Or does it use an application-specific password, since Mail is a single application? It seems like it would be the former, since even though the password that Apple Mail uses is specific to it as far as it knows, that password (together with Google ID) could be used by another application to access anything in my Google account. Sorry for being dense.

If I’m correct that Mail is a “Less Secure App”, then it seems like my choices are to use “Sign in with Google” or stop using Google. And I did not understand Google’s explanation of “Sign in with Google” or OAuth in the context of Mail.

Google currently supports three (soon to be two) authentication methods.

“Less secure app” means you give the app your Google ID and your Google password. The app uses these as your login credentials. This is going away.

Google’s preferred mechanism is OAuth version 2. With this, if I remember correctly, your app asks Google for authentication. It receives a URL for a Google server. You log in there (so only the Google server sees your user ID and password) and after authentication, it sends the app a token/certificate identifying you. This certificate is used for subsequent logins until you log out or until Google revokes the certificate (e.g. if you log into your account and cancel the app’s login session).

As far as I know, Apple’s various Mail apps (on macOS and iOS) use OAuth.

Application specific passwords are a workaround to allow use of apps that don’t support OAuth, but without the app saving your Google password. Instead, you go to the Google web site and use it to generate an “app password”. This is a random password generated by Google that (supposedly) can only be used by a single app. After the first time it is displayed, you can never see it again. So you’d use your Google ID and that password to log in from your app. If you need to login from another app, generate a new app password for that app, etc.

From the web site, you can assign a name to each app password you generate (I recommend the name of the app and the name of the computer you’re using it on). You can see the list, with those names, but you can’t see the actual passwords. If you think an app has become compromised, you can delete the password it is using, without affecting your main Google password or passwords used by other apps.

See also: Sign in with app passwords - Google Account Help

4 Likes

That’s great news, for me. Thanks.

In case anyone is following this thread, I’m posting this summary of how I worked around problems that I encountered while trying to establish syncing Google Contacts to macOS Contacts using CardDAV.

As @Shamino suspected, CardDAV requires an App Password. Unfortunately, App Passwords can not be created for a Google account unless the account uses 2-Step Verification, which you can turn on by following these instructions:

Once 2-Step Verification is turned on, follow these instructions, starting under the caption, “Create & use app passwords”:

Steps 1-3 are easy. Unfortunately, Step 4 of the instructions says “At the bottom of the page, select App passwords” but I couldn’t see any such section.

Instead, after a bit of Googling, I found the App Passwords page here:

https://myaccount.google.com/apppasswords?

I used Google CardDAV for the App Name and saved the generated password in my password manager.

I’m running macOS 12.7.4 Monterey and the following steps for connecting to Google Contacts via CardDAV using this App Password may be somewhat different for other systems.

Open Apple menu → System Preferences → Internet Accounts and click on “Add Other Account …”

Click on CardDAV account:

Select Account Type: Manual
Enter your

  1. Google account (probably a Gmail address)
  2. The App Password previously created
  3. Server address (probably google.com)

Click Sign In, wait for your credentials to validate, and then you should see your App Name in the left-hand list of Internet Accounts:

Open the macOS Contacts application and soon your Google Contacts should start to trickle in and slowly populate under the areas labeled with your App Name:

It may take several hours for the initial sync to complete, depending on the number of contacts that you have.

UPDATE May 14, 2024

Here’s another tutorial along with some troubleshooting tips:

And this is an alternative GUI CardDAV editor:

https://inf-it.com/open-source/clients/carddavmate/

3 Likes
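
As an added example (not part of any post in this thread): a sketch of what a CardDAV client following RFC 6764 sends when given only a server name, a user name and an app password, and how it reads the principal URL out of the reply. It shows that the app password travels as reversible base64 in an HTTP Basic header on every request, which is why the client must refuse anything but HTTPS. The host `example.com`, the app password and the 207 reply are constructed; no claim is made about how Google's or Apple's software behaves internally.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"
PROPFIND_BODY = ('<d:propfind xmlns:d="DAV:"><d:prop>'
                 '<d:current-user-principal/></d:prop></d:propfind>')

# Constructed values throughout: host, app password and this 207 reply are samples.
SAMPLE_207 = """<d:multistatus xmlns:d="DAV:"><d:response><d:href>/carddav/</d:href>
  <d:propstat>
    <d:prop><d:current-user-principal>
      <d:href>/carddav/principals/user@example.com/</d:href>
    </d:current-user-principal></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status>
  </d:propstat>
</d:response></d:multistatus>"""

def build_discovery_request(server, user, app_password):
    """Return (method, url, headers, body) for RFC 6764 well-known discovery."""
    parts = urlsplit(server if "://" in server else "https://" + server)
    if parts.scheme != "https":
        # Basic auth is only base64, so the password must never leave TLS.
        raise ValueError("refusing to send credentials over " + parts.scheme)
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Depth": "0",
               "Content-Type": "application/xml; charset=utf-8"}
    url = f"https://{parts.netloc}/.well-known/carddav"
    return "PROPFIND", url, headers, PROPFIND_BODY

def decode_basic(header_value):
    """Show what anyone who sees the header can recover: (user, password)."""
    _, _, token = header_value.partition(" ")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def principal_from_multistatus(xml_text):
    """Extract the current-user-principal href from a 207 body, or None."""
    path = f"{DAV}prop/{DAV}current-user-principal/{DAV}href"
    for propstat in ET.fromstring(xml_text).iter(DAV + "propstat"):
        status = propstat.findtext(DAV + "status", "").split()
        href = propstat.find(path)
        if status[1:2] == ["200"] and href is not None and href.text:
            return href.text.strip()
    return None

if __name__ == "__main__":
    req = build_discovery_request("example.com", "user@example.com", "abcd efgh ijkl mnop")
    print(req[:2], decode_basic(req[2]["Authorization"]))
    print(principal_from_multistatus(SAMPLE_207))
```

Because the header decodes back to the full credential, revoking the named app password in the Google account is the only way to invalidate a copy that has leaked.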