Synchronize Google Apps Passwords with eDirectory for FREE!!
Brad Rodgers & Matt Schlawin

Presentation Transcript
Background
  • Google provides a free tool to synchronize Apps accounts with LDAP
    • Google Apps Directory Synchronizer (GADS)
  • GADS can sync passwords if passwords are stored as plaintext, MD5, or SHA1
  • GADS cannot sync eDir or Active Directory passwords natively
  • Commercial products available to sync eDir & AD passwords
  • Novell users can use a free script to sync passwords to Google
What is gadspwsync?
  • gadspwsync is a Linux bash script utilizing open source tools and Novell Cool Tools
  • gadspwsync retrieves the eDir password, SHA1 hashes it & stores the hash in an unused eDir attribute
  • Requires SLES, Universal Password, getpass Cool Tool, OpenLDAPUtils, OpenSSL, GADS
How gadspwsync operates
  1. Retrieves a user’s password as a SHA1 hash with the getpass Cool Tool.
  2. Reads the eDir attribute used for GADS passwords.
  3. Compares the eDir password hash with the GADS password hash.
     • If they differ, or the GADS password is blank, it writes the eDir hash to the attribute.
  4. Repeats steps 1-3 for the other users.
  5. Launches GADS to sync with Google.
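The per-user compare-and-write step described above, as an added shell example; this is not the gadspwsync script and not code from the presentation. The eDirectory round trip (getpass and the ldapsearch/ldapmodify calls) is replaced by small functions over a constructed directory so it runs offline; it assumes the GADS attribute holds a lower-case hex SHA1 digest, uses carLicense as the attribute (the one this page configures later), and the user DNs and hashes are made up.

```shell
#!/bin/bash
# Added example, not the gadspwsync script: the per-user compare-and-write step,
# with the eDirectory round trip replaced by shell functions so it runs offline.
# Assumptions (not stated on the page): the GADS attribute holds a lower-case hex
# SHA1 digest; the DNs and stored values below are constructed sample data.

LDAPATTRIB="carLicense"   # attribute the page uses for GADS password hashes

# Unsalted SHA1, hex encoded (what the script's OpenSSL step produces).
# Prefers sha1sum from coreutils and falls back to openssl dgst.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.*= //'
    fi
}

# Constructed stand-in for reading $LDAPATTRIB from eDirectory (step 2).
# An empty result models a blank or missing attribute.
stored_hash() {
    case "$1" in
        cn=alice,ou=staff,o=CESA7) printf '%s' "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" ;;
        cn=bob,ou=staff,o=CESA7)   printf '%s' "0000000000000000000000000000000000000000" ;;
        *)                         printf '' ;;
    esac
}

# Step 3: succeed (exit 0) when the stored value is blank or differs from the eDir hash $2.
needs_update() {
    local current
    current=$(stored_hash "$1")
    [ -z "$current" ] || [ "$current" != "$2" ]
}

# The LDIF that ldapmodify would consume to replace the attribute on DN $1 with hash $2.
make_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n-\n' \
        "$1" "$LDAPATTRIB" "$LDAPATTRIB" "$2"
}

# One user: emit the LDIF when a write is needed, otherwise report no change.
sync_user() {
    local dn=$1 hash=$2
    if needs_update "$dn" "$hash"; then
        make_ldif "$dn" "$hash"
    else
        printf 'unchanged: %s\n' "$dn"
    fi
}

# Demo over three constructed users; "password" stands in for the value getpass
# returned. Alice is current, Bob holds a stale hash, Carol has no hash yet.
for dn in cn=alice,ou=staff,o=CESA7 cn=bob,ou=staff,o=CESA7 cn=carol,ou=staff,o=CESA7; do
    sync_user "$dn" "$(sha1_hex 'password')"
done
```

In the real script the LDIF would be piped to ldapmodify bound as the GADSPWSync user; the comparison step is what keeps the nightly run from rewriting every attribute, so only users whose Universal Password actually changed produce a modify.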
Configuring gadspwsync
  • Configure a Universal Password policy for the users being synced with Google Apps. More information about configuring Universal Password can be found at http://www.novell.com/documentation/password_management33/.
  • Download getpass 2.1 from Novell’s Cool Tools website. Install and configure getpass and its prerequisites per the included documentation. getpass 2.1 can be found at http://www.novell.com/communities/node/11696/getpass-21-universal-password-retrieval-utilityupdated.
  • Install OpenLDAP2 Client Utilities and OpenSSL using YaST Software Management (if not already installed).
  • Install Google Apps Directory Sync.
  • Edit the /etc/openldap/ldap.conf file, setting the following variables:
    • HOST – FQDN or IP address of the LDAP host
    • PORT – LDAP host port number
    • Conditional: if the LDAP host requires a secure bind (ldaps), see the gadspwsync documentation for more information.
  • Create an eDirectory user (GADSPWSync in this example) and assign it a password. Assign this user the rights shown on the slide at the tree level; the script needs to read the synced users and to read and write the attribute that holds the GADS password hashes. NOTE: The carLicense eDir attribute is used for the GADS password hashes in this example; a different attribute may be used.
  • Edit the Universal Password policy assigned to the users granting the GADSPWSync user the right to retrieve users’ passwords:
  • Extract the gadspwsync script and its supporting files to a directory on the GADS server (/gadspwsync for example).
  • Edit the /gadspwsync/contexts.txt file. List the contexts to be searched for users listing one context per line. Contexts should be listed in LDAP format.
  • Edit the /gadspwsync/gadspwsync.sh script file. Adjust the following variables to suit the environment:

  • SCRIPTPATH – Path to the script
  • CONTEXTSFILE – File, including path, listing eDirectory contexts to search
  • LDAPSCOPE – “sub” to search each listed context and all OUs beneath it, or “one” to search only the immediate level of each context
  • LDAPHOST – FQDN or IP address of LDAP server
  • LDAPURI – LDAP URI to LDAP server (ldap://LDAPserver or ldaps://LDAPserver)
  • LDAPBINDDN – Username, including context, for GADSPWSync user
  • LDAPPASSWD – GADSPWSync user password
  • GETPASS – Location of Getpass 2.1 Cool Tool
  • LDAPATTRIB – eDirectory attribute used to store hashed passwords for GADS
  • GADSCMD – Full path to the GADS sync-cmd
  • GADSCONF – Full path to GADS configuration file
  • Set the permissions on the /gadspwsync/gadspwsync.sh script file so that only the root user can read it (it contains the GADSPWSync bind password in clear text). From the terminal prompt:

chown root:root /gadspwsync/gadspwsync.sh

chmod 700 /gadspwsync/gadspwsync.sh

  • Configure Google Apps Directory Sync per Google’s documentation. Set the Password Attribute field to the eDirectory attribute selected for storing hashed passwords (carLicense for example).

  • Schedule gadspwsync.sh to run periodically to synchronize with Google. Because gadspwsync.sh calls GADS at the end of the script, it is not necessary to schedule GADS separately. Edit the /etc/crontab file and add a similar entry (this example runs daily at 3:30am):

30 3 * * * root /gadspwsync/gadspwsync.sh >/dev/null 2>&1

Running Multiple GADS Configs
  • Locate the following lines at the end of the script:

# Exit script and run Google Apps Directory Sync

exit & $GADSCMD -a -c $GADSCONF

  • Replace the above lines with something similar to match your environment:

# Run Google Apps Directory Sync for teachers

$GADSCMD -a -c /opt/GoogleAppsDirSync/teachers.xml

sleep 30

#Exit script and run Google Apps Directory Sync for students

exit & $GADSCMD -a -o -c /opt/GoogleAppsDirSync/students.xml

  • Delete lines 35 & 36 near the start of the script:

# Full path to GADS configuration file

GADSCONF="/gadspwsync/DigitalAirlines.xml"

Notes about gadspwsync
  • Free – uses open source software
  • Does not rename Google accounts with username changes – limitation of GADS
  • In some trees [Public] (the anonymous LDAP identity) can read all attributes, which exposes the SHA1 hashes to anyone who can reach the LDAP port; because they are unsalted SHA1, they crack quickly offline. Test the tree with an LDAP browser bound anonymously and fix rights as needed.
  • The GADSPWSync bind password is stored unencrypted in the script file. Lock the script so it is readable only by root, and keep GADSPWSync a limited-rights user, since anyone holding its password can retrieve every synced user’s password.
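The "[Public] can read the hash" test from the note above, as an added shell example that is not part of gadspwsync or the presentation. An ldapsearch with -x and no -D/-w binds anonymously, which is exactly what [Public] sees; the parser counts attribute values in the returned LDIF. The LDAP host name is hypothetical, the base DN and attribute are the ones this page uses, and the sample LDIF is constructed to show what a leaky tree returns.

```shell
#!/bin/bash
# Added example, not part of gadspwsync: scriptable check for hashes readable by
# [Public]. Assumptions: ldapsearch is the OpenLDAP client already required by the
# script; the host below is hypothetical; the LDIF sample is constructed data.

LDAPURI="ldap://ldap.example.org"   # hypothetical LDAP host
BASEDN="o=CESA7"                    # base DN from this page
LDAPATTRIB="carLicense"             # attribute holding the GADS password hashes

# Count values of $LDAPATTRIB in LDIF on stdin. Matches both "attr: value" and
# the base64 form "attr:: value" that ldapsearch emits for non-printable data.
# grep -c exits 1 when the count is 0, so mask that for set -e callers.
count_exposed() {
    grep -c -E "^${LDAPATTRIB}::? " || true
}

# Anonymous simple bind (no -D/-w), i.e. the [Public] identity: returns the
# number of hash values anyone on the network can read without credentials.
public_readable_hashes() {
    ldapsearch -x -LLL -H "$LDAPURI" -b "$BASEDN" "(${LDAPATTRIB}=*)" "$LDAPATTRIB" 2>/dev/null \
        | count_exposed
}

# Constructed sample of a leaky tree: two hashes visible, one user without one.
SAMPLE_LDIF='dn: cn=alice,ou=staff,o=CESA7
carLicense: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

dn: cn=bob,ou=staff,o=CESA7
carLicense:: NWJhYTYxZTQ=

dn: cn=carol,ou=staff,o=CESA7
mail: carol@example.org
'

# Run against the live tree with --live; otherwise exercise the sample offline.
if [ "${1:-}" = "--live" ]; then
    n=$(public_readable_hashes)
else
    n=$(printf '%s' "$SAMPLE_LDIF" | count_exposed)
fi

if [ "$n" -gt 0 ]; then
    echo "FAIL: $n $LDAPATTRIB value(s) readable anonymously; remove [Public] read rights on $LDAPATTRIB"
else
    echo "OK: no $LDAPATTRIB values readable anonymously"
fi
```

Run it with --live after fixing rights and again after each tree change; a non-zero count means the [Public] trustee (or an inherited rights assignment) still grants read on the attribute, and the same search bound as an ordinary user account is worth repeating, since users normally have no reason to read each other's hash either.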
GADS Config Notes
  • LDAP Connection
    • Base DN – typically the Org (o=CESA7)
  • LDAP User Attribute
    • Server Type = Other
    • Email Address Attribute = mail
  • LDAP Extended Attributes
    • Given Name Attrib = givenName
    • Family Name Attrib = sn
What’s on the CD?
  • gadspwsync Script
  • gadspwsync Documentation
  • This PowerPoint
  • Universal Password Documentation
  • getpass Cool Tool
  • Google Apps Directory Sync
  • GADS Documentation