
Synchronize Google Apps Passwords with eDirectory for FREE!!



Presentation Transcript


  1. Synchronize Google Apps Passwords with eDirectory for FREE!! Brad Rodgers & Matt Schlawin

  2. Background • Google provides a free tool to synchronize Apps accounts with LDAP • Google Apps Directory Synchronizer (GADS) • GADS can sync passwords if passwords are stored as plaintext, MD5, or SHA1 • GADS cannot sync eDir or Active Directory passwords natively • Commercial products available to sync eDir & AD passwords • Novell users can use a free script to sync passwords to Google

  3. What is gadspwsync? • gadspwsync is a Linux bash script built from open source tools and Novell Cool Tools • gadspwsync retrieves each user's eDir password, SHA1-hashes it and stores the hash in an otherwise unused eDir attribute that GADS reads as the password attribute • Requires SLES, Universal Password, the getpass Cool Tool, OpenLDAP client utilities, OpenSSL and GADS

  4. How gadspwsync operates • Retrieves a user's Universal Password with the getpass Cool Tool and computes its SHA1 hash. • Reads the eDir attribute used for GADS passwords. • Compares the freshly computed hash with the hash already stored in the attribute. • If they differ, or the attribute is blank, writes the new hash to the attribute. • Repeats steps 1-4 for each remaining user. • Launches GADS to sync with Google.

  5. Configuring gadspwsync • Configure a Universal Password policy for the users being synced with Google Apps. More information about configuring Universal Password can be found at http://www.novell.com/documentation/password_management33/.

  6. Configuring gadspwsync • Download getpass 2.1 from Novell's Cool Tools website. Install and configure getpass and its prerequisites per the included documentation. getpass 2.1 can be found at http://www.novell.com/communities/node/11696/getpass-21-universal-password-retrieval-utilityupdated.

  7. Configuring gadspwsync • Install OpenLDAP2 Client Utilities and OpenSSL using YaST Software Management (if not already installed). • Install Google Apps Directory Sync.

  8. Configuring gadspwsync • Edit the /etc/openldap/ldap.conf file and set the following variables: • HOST – FQDN or IP address of the LDAP host • PORT – LDAP host port number • Conditional: if the LDAP host requires a secure bind (ldaps), see the gadspwsync documentation for more info.

  9. Configuring gadspwsync • Create an eDirectory user (GADSPWSync in this example) and assign it a password. Assign this user the following rights at the tree level: NOTE: The carLicense eDir attribute is used for the GADS password hashes in this example. A different unused attribute may be used instead.

  10. Configuring gadspwsync • Edit the Universal Password policy assigned to the users granting the GADSPWSync user the right to retrieve users’ passwords:

  11. Configuring gadspwsync • Extract the gadspwsync script and its supporting files to a directory on the GADS server (/gadspwsync for example). • Edit the /gadspwsync/contexts.txt file. List the contexts to be searched for users listing one context per line. Contexts should be listed in LDAP format.

  12. Edit the /gadspwsync/gadspwsync.sh script file. Adjust the following variables to suit the environment: • SCRIPTPATH – Path to the script • CONTEXTSFILE – File, including path, listing the eDirectory contexts to search • LDAPSCOPE – "sub" to search the listed contexts and all sub-OUs, or "one" to search only the listed contexts • LDAPHOST – FQDN or IP address of the LDAP server • LDAPURI – LDAP URI of the LDAP server (ldap://LDAPserver or ldaps://LDAPserver) • LDAPBINDDN – Username, including context, of the GADSPWSync user • LDAPPASSWD – GADSPWSync user password • GETPASS – Location of the getpass 2.1 Cool Tool • LDAPATTRIB – eDirectory attribute used to store the hashed passwords for GADS • GADSCMD – Full path to the GADS sync-cmd • GADSCONF – Full path to the GADS configuration file

  13. Configuring gadspwsync • Set the permissions on the /gadspwsync/gadspwsync.sh script file so that only the root user can read (and run) it, since it contains the GADSPWSync password. From the terminal prompt: chown root:root /gadspwsync/gadspwsync.sh chmod 700 /gadspwsync/gadspwsync.sh

  14. Configure Google Apps Directory Sync per Google’s documentation. Set the Password Attribute field to the selected eDirectory attribute for storing hashed passwords (carLicense for example).

  15. Configuring gadspwsync • Schedule gadspwsync.sh to run on a regular basis to synchronize with Google. Because gadspwsync.sh calls GADS at the end of the script, it is not necessary to schedule GADS separately. Edit the /etc/crontab file and add a similar entry (the example runs daily at 3:30am): 30 3 * * * root /gadspwsync/gadspwsync.sh >/dev/null 2>&1

  16. Running Multiple GADS Configs • Locate the following lines at the end of the script: # Exit script and run Google Apps Directory Sync exit & $GADSCMD -a -c $GADSCONF • Replace the above lines with something similar to match your environment: # Run Google Apps Directory Sync for teachers $GADSCMD -a -c /opt/GoogleAppsDirSync/teachers.xml sleep 30 # Exit script and run Google Apps Directory Sync for students exit & $GADSCMD -a -o -c /opt/GoogleAppsDirSync/students.xml • Delete lines 35 & 36 near the start of the script, since GADSCONF is no longer used: # Full path to GADS configuration file GADSCONF="/gadspwsync/DigitalAirlines.xml"

  17. Notes about gadspwsync • Free – uses open source software • Does not rename Google accounts when usernames change – a limitation of GADS • In some trees [Public] can read all attributes, exposing the SHA1 hash to anonymous LDAP clients – test the tree with an LDAP browser (or an anonymous ldapsearch) and fix the rights as needed. The hash is unsalted SHA1 of the user's actual password, so anyone who can read it can run an offline dictionary attack against it; treat the attribute as sensitive • The GADSPWSync password is stored unencrypted in the script/config file – make the file readable only by root, and give the GADSPWSync user only the rights it needs (read the attribute, write the attribute, retrieve passwords) so a leak of that password does not hand over the whole tree
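The compare-and-write loop from slides 3-16 and the "[Public] can read the hash" check from the notes above, as an added example. This is not the gadspwsync script shipped on the CD; it is a compact reimplementation written for this page. Everything that touches a live server is guarded by DRY_RUN (default 1), so the script runs offline on constructed ldapsearch output. Assumptions, none of which are on the slides: the command-line syntax of getpass 2.1 (replace it with the form in the Cool Tool's documentation), the tree o=CESA7 from the GADS notes, the install paths, that GADS is fed the hex form of the SHA1, and that the bind password is read from a root-only file with ldapsearch/ldapmodify -y rather than passed on the command line (where -w would expose it in the process list).

```shell
#!/bin/sh
# Added example (not the gadspwsync script from the CD): an offline-testable
# version of the compare-and-write loop the slides describe, plus the
# "[Public] can read the hash" check from the notes.
# ASSUMED (not on the slides): getpass syntax, o=CESA7, paths, hex SHA1 for GADS.

LDAPURI="${LDAPURI:-ldap://edir.example.com}"            # assumed host
LDAPBASE="${LDAPBASE:-o=CESA7}"                          # Base DN from the GADS notes
LDAPBINDDN="${LDAPBINDDN:-cn=GADSPWSync,$LDAPBASE}"      # limited-rights sync user
LDAPPASSFILE="${LDAPPASSFILE:-/gadspwsync/.ldappw}"      # assumed: root-only (0600) file
LDAPATTRIB="${LDAPATTRIB:-carLicense}"                   # unused attribute holding the hash
LDAPSCOPE="${LDAPSCOPE:-sub}"                            # "sub" or "one", as in the script
CONTEXTSFILE="${CONTEXTSFILE:-/gadspwsync/contexts.txt}"
GETPASS="${GETPASS:-/usr/local/bin/getpass}"             # assumed install path
GADSCMD="${GADSCMD:-/opt/GoogleAppsDirSync/sync-cmd}"    # assumed install path
GADSCONF="${GADSCONF:-/gadspwsync/DigitalAirlines.xml}"  # from slide 16
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = never contact a server

# Hex SHA-1 of a password. OpenSSL is on the prerequisite list; sha1sum is a fallback.
sha1_hex() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s' "$1" | openssl dgst -sha1 | awk '{print $NF}'
    else
        printf '%s' "$1" | sha1sum | awk '{print $1}'
    fi
}

# First value of attribute $1 from ldapsearch LDIF on stdin. Base64 ("::")
# values are decoded; prints nothing when the attribute is absent (the
# "GADS password is blank" case from slide 4).
ldif_attr() {
    v=$(awk -v a="$1" '$1 == (a ":")  { sub(/^[^ ]+ */, ""); print; exit }
                       $1 == (a "::") { sub(/^[^ ]+ */, ""); print "::" $0; exit }')
    case "$v" in
        ::*) printf '%s' "${v#::}" | base64 -d ;;
        *)   printf '%s' "$v" ;;
    esac
}

# LDIF that ldapmodify needs to (re)write the hash for one user.
modify_ldif() {   # $1 = dn, $2 = hex hash
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n-\n' "$1" "$LDAPATTRIB" "$LDAPATTRIB" "$2"
}

# Steps 1-4 of slide 4 for one user: hash the password, compare with what is
# already in eDir ($3 = ldapsearch output for that entry) and emit the modify
# LDIF only when the two differ or the attribute is blank. Prints nothing if
# the entry is already in sync.
sync_user() {     # $1 = dn, $2 = cleartext from getpass, $3 = current entry as LDIF
    want=$(sha1_hex "$2")
    have=$(printf '%s\n' "$3" | ldif_attr "$LDAPATTRIB")
    if [ "$have" != "$want" ]; then modify_ldif "$1" "$want"; fi
}

# Number of entries in LDIF on stdin that carry the hash attribute. Feed it an
# anonymous search (ldapsearch -x with no -D) over the tree: anything but 0
# means [Public] can read the hashes and the rights must be fixed first.
exposed_count() {
    awk -v a="$LDAPATTRIB" 'tolower($1) == tolower(a ":") || tolower($1) == tolower(a "::") { n++ }
                            END { print n + 0 }'
}

# Live run (DRY_RUN=0): walk each context, hash and sync every user, then hand
# over to GADS exactly as the script does. The getpass call is an ASSUMPTION.
run_live() {
    while read -r ctx; do
        ldapsearch -x -LLL -H "$LDAPURI" -D "$LDAPBINDDN" -y "$LDAPPASSFILE" \
            -b "$ctx" -s "$LDAPSCOPE" '(objectClass=inetOrgPerson)' dn |
        awk '$1 == "dn:" { sub(/^dn: */, ""); print }' |
        while read -r dn; do
            pw=$("$GETPASS" "$dn")                                    # ASSUMED getpass syntax
            cur=$(ldapsearch -x -LLL -H "$LDAPURI" -D "$LDAPBINDDN" -y "$LDAPPASSFILE" \
                      -b "$dn" -s base "$LDAPATTRIB")
            sync_user "$dn" "$pw" "$cur" |
                ldapmodify -x -H "$LDAPURI" -D "$LDAPBINDDN" -y "$LDAPPASSFILE" -c >/dev/null
        done
    done < "$CONTEXTSFILE"
    "$GADSCMD" -a -c "$GADSCONF"
}

# Offline demo on constructed ldapsearch output: jdoe is already in sync,
# asmith has a blank attribute and gets a modify LDIF; one of the two entries
# exposes a hash.
demo() {
    jdoe="dn: cn=jdoe,ou=staff,$LDAPBASE
$LDAPATTRIB: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
    asmith="dn: cn=asmith,ou=staff,$LDAPBASE"
    sync_user "cn=jdoe,ou=staff,$LDAPBASE"   "password" "$jdoe"
    sync_user "cn=asmith,ou=staff,$LDAPBASE" "Secr3t!"  "$asmith"
    printf 'exposed entries: %s\n' "$(printf '%s\n\n%s\n' "$jdoe" "$asmith" | exposed_count)"
}

if [ "$DRY_RUN" = 1 ]; then demo; else run_live; fi
```

Run it as-is to see the LDIF it would send; set DRY_RUN=0 only after the bind password file, the contexts file and the getpass invocation have been adjusted to the real environment. The exposure check is worth running with `ldapsearch -x -H "$LDAPURI" -b "$LDAPBASE" "($LDAPATTRIB=*)" "$LDAPATTRIB" | exposed_count` before the first sync, because once the hashes are written, any anonymous reader of the attribute holds crackable unsalted SHA1 of real passwords.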

  18. GADS Config Notes • LDAP Connection • Base DN – typically the Org (o=CESA7) • LDAP User Attribute • Server Type = Other • Email Address Attribute = mail • LDAP Extended Attributes • Given Name Attrib = givenName • Family Name Attrib = sn

  19. Demo

  20. What’s on the CD? • gadspwsync Script • gadspwsync Documentation • This PowerPoint • Universal Password Documentation • getpass Cool Tool • Google Apps Directory Sync • GADS Documentation

  21. Questions?
