[Freeipa-users] Password Attribute Syncing Support

Simo Sorce ssorce at redhat.com
Fri Mar 19 18:06:12 UTC 2010


On Thu, 18 Mar 2010 19:47:35 -0400
Walter Meyer <wgmeyer at gmail.com> wrote:

> Sorry I should have linked to the manual for it:
> http://www.postini.com/webdocs/gads/admin
> 
> The Google Apps utility actually syncs passwords from LDAP to Google
> Apps, not the other way around. The manual says that the utility
> supports password attributes in MD5, SHA1, or Clear Text. So I am
> wondering how they are stored in the IPA DS.

By default we use Salted SHA (SSHA) for the userPassword attribute.
You can change it by changing the passwordStorageScheme attribute (see
chapter 7 of the directory server guide), but you will probably have to
perform a password change for each user that needs synchronization if
you already have passwords set, because the hash can be changed only
when the clear text password is available.

I have to say though that MD5/SHA1 are considered weak today, esp MD5.

Also you should make sure you understand the implication of exposing
your internal passwords over the network.

By using the same hash for google apps it means your users will send
their IPA password to google for authentication (hopefully over HTTPS)
so if someone can phish or mitm them they will have the right password
for both google apps *and* your company resources.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
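Added example, not code from the thread or from FreeIPA: how a `{SSHA}` userPassword value of the kind Simo describes is built and checked, and why switching an existing entry to another storage scheme (here unsalted `{SHA}`, one of the formats the quoted manual accepts) needs the clear-text password. The 8-byte salt length and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Directory servers store userPassword as "{SCHEME}" + base64(digest || salt).
# For SSHA the digest is SHA-1 over password || salt.  The salt length is an
# assumption for this example, not a value taken from the thread.
SALT_LEN = 8
SHA1_LEN = 20  # SHA-1 digests are always 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value as the directory would store it."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value.

    Verification is possible only because the salt travels inside the stored
    value; the clear text itself is never recoverable from it.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rehash_for_sync(stored: str, cleartext: Optional[str]) -> str:
    """Re-encode an entry under a different scheme (unsalted {SHA}).

    This is the point made in the reply: a hash cannot be converted into
    another hash, so the clear text must be present, which in practice means
    waiting for the user's next password change.  Unsalted SHA-1 is also a
    weaker scheme than SSHA, as the reply notes.
    """
    if cleartext is None or not ssha_verify(cleartext, stored):
        raise ValueError("clear-text password required to change storage scheme")
    digest = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")
```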
