[Freeipa-users] Password Attribute Syncing Support

Walter Meyer wgmeyer at gmail.com
Fri Mar 19 20:33:59 UTC 2010


Google Apps uses its own user database. As of now there is no way to direct
it to a backend one, so the only option is to sync with the Google Apps
database.

On Fri, Mar 19, 2010 at 4:28 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Dmitri Pal wrote:
>
>> Walter Meyer wrote:
>>
>>> We would be using Google Apps for our email system (and other services
>>> included with GA like Google Docs etc.) I'd like to have one password
>>> for users when they access their email via Google Apps, ideally the
>>> users and passwords would be centralized in IPA.
>>>
>>> According to the Google documentation they only support updating user
>>> passwords with the utility or through the APIs that are encoded in
>>> MD5, SHA1, or clear text.
>>>
>>> Another option I have considered is implementing an SSO solution like
>>> Shibboleth (integrated with IPA) and having users log in to their email
>>> and other Google Apps services using that, as Google Apps supports
>>> SAML. But the SAML SSO solution wouldn't work with IMAP and users
>>> would have to maintain a separate password for this. Yet another
>>> option would be to write a web app that would send a password change
>>> simultaneously to Google Apps via their APIs and to the IPA server,
>>> so the passwords would be the same as long as the end-user only used
>>> the web app to change their password.
>>>
>>>
>>> http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html
>>>
>>> So my goal is to have one password for Directory Services (IPA) and
>>> Google Apps services if possible.
>>>
>> I wonder if it would be better to take advantage of the passync utility
>> provided by DS to replicate passwords and update them in the external
>> source.
>>
>
> passsync is for syncing passwords with Active Directory.
>
>
>> Can Google Apps use a local DS instance as a back end?
>> This way the IPA can be set up to update passwords in this instance via
>> passync using off-the-shelf utilities provided by DS.
>>
>
> If they could use DS as a local backend then could just authenticate
> directly against the IPA LDAP server.
>
> rob
>