Synchronize Google Apps Passwords with eDirectory for FREE!!

1. Synchronize Google Apps Passwords with eDirectory for FREE!! Brad Rodgers & Matt Schlawin

2. Background • Google provides a free tool to synchronize Apps accounts with LDAP • Google Apps Directory Synchronizer (GADS) • GADS can sync passwords if passwords are stored as plaintext, MD5, or SHA1 • GADS cannot sync eDir or Active Directory passwords natively • Commercial products available to sync eDir & AD passwords • Novell users can use a free script to sync passwords to Google

3. What is gadspwsync? • gadspwsync is a Linux bash script utilizing open source tools and Novell Cool Tools • gadspwsync retrieves the eDir password, SHA1 hashes it & stores the hash in an unused eDir attribute • Requires SLES, Universal Password, getpass Cool Tool, OpenLDAPUtils, OpenSSL, GADS

4. How gadspwsync operates • Retrieves a user’s password as a SHA1 hash with getpass Cool Tool. • Reads the eDir attribute used for GADS passwords. • Compares eDir password hash with GADS password hash. • If different or GADS password is blank, it writes the eDir hash to the attribute. • Repeat steps 1-3 for other users. • Launches GADS to sync with Google.

5. Configuring gadspwsync • Configure a Universal Password policy for the users being synced with Google Apps.More information about configuring Universal Password can be found at http://www.novell.com/documentation/password_management33/.

6. Configuring gadspwsync • Download getpass 2.1 from Novell’s Cool Tools website. Install and configure getpass and its prerequisites per the included documentation.getpass 2.1 can be found at http://www.novell.com/communities/node/11696/getpass-21-universal-password-retrieval-utilityupdated.

7. Configuring gadspwsync • Install OpenLDAP2 Client Utilities and OpenSSL using YaST Software Management (if not already installed). • Install Google Apps Directory Sync.

8. Configuring gadspwsync • Edit the /etc/openldap/ldap.conf file setting the following variables:HOST FQDN or IP Address of LDAP host PORT LDAP host port numberConditional: If the LDAP host requires secure bind (ldaps), see the gadspwsync documentation for more info.

9. Configuring gadspwsync • Create an eDirectory user (GADSPWSync in this example) and assign it a password. Assign this user the following rights at the tree level:NOTE: The carLicenseeDir attribute is used for the GADS password hashes. A different attribute may be used.

10. Configuring gadspwsync • Edit the Universal Password policy assigned to the users granting the GADSPWSync user the right to retrieve users’ passwords:

11. Configuring gadspwsync • Extract the gadspwsync script and its supporting files to a directory on the GADS server (/gadspwsync for example). • Edit the /gadspwsync/contexts.txt file. List the contexts to be searched for users listing one context per line. Contexts should be listed in LDAP format.

12. Edit the /gadspwsync/gadspwsync.shscript file. Adjust the following variables to suite the environment: • SCRIPTPATH – Path to the script • CONTEXTSFILE – File, including path, listing eDirectory contexts to search • LDAPSCOPE – Specify “one” or “sub” to search sub OUs or not • LDAPHOST – FQDN or IP address of LDAP server • LDAPURI – LDAP URI to LDAP server (ldap://LDAPserver or ldaps://LDAPserver) • LDAPBINDDN – Username, including context, for GADSPWSync user • LDAPPASSWD – GADSPWSync user password • GETPASS – Location of Getpass 2.1 Cool Tool • LDAPATTRIB – eDirectory attribute used to store hashed passwords for GADS • GADSCMD – Full path to the GADS sync-cmd • GADSCONF – Full path to GADS configuration file

13. Configuring gadspwsync • Set the permissions on the /gadspwsync/gadspwsync.sh script file so that only the root user can read the file. From the terminal prompt: chownroot:root /gadspwsync/gadspwsync.sh chmod 700 /gadspwsync/gadspwsync.sh

14. Configure Google Apps Directory Sync per Google’s documentation. Set the Password Attribute field to the selected eDirectory attribute for storing hashed passwords (carLicense for example).

15. Configuring gadspwsync • Schedule gadspwsync.sh to run on a scheduled basis to synchronize with Google. Because gadspwsync.sh calls GADS at the end of the script it is not necessary to call GADS separately. Edit the /etc/crontab file and add a similar entry (example runs daily at 3:30am): 30 3 * * * root /gadspwsync/gadspwsync.sh >/dev/null 2>&1

16. Running Multiple GADS Configs • Locate the following lines at the end of the script: # Exit script and run Google Apps Directory Sync exit & $GADSCMD -a -c $GADSCONF • Replace the above lines with something similar to match your environment: # Run Google Apps Directory Sync for teachers $GADSCMD –a –c /opt/GoogleAppsDirSync/teachers.xml sleep 30 #Exit script and run Google Apps Directory Sync for students exit & $GADSCMD -a –o -c /opt/GoogleAppsDirSync/students.xml • Delete lines 35 & 36 near the start of the script: # Full path to GADS configuration file GADSCONF="/gadspwsync/DigitalAirlines.xml"

17. Notes about gadspwsync • Free – uses open source software • Does not rename Google accounts with username changes – limitation of GADS • In some trees [Public] can read all attributes exposing the SHA1 hash – test tree with LDAP browser and fix rights as needed • A password is stored unencrypted in the script config file – lock config only readable by root & the password of limited user

18. GADS Config Notes • LDAP Connection • Base DN – typically the Org (o=CESA7) • LDAP User Attribute • Server Type = Other • Email Address Attribute = mail • LDAP Extended Attributes • Given Name Attrib = givenName • Family Name Attrib = sn

19. Demo

20. What’s on the CD? • gadspwsync Script • gadspwsync Documentation • This PowerPoint • Universal Password Documentation • getpass Cool Tool • Google Apps Directory Sync • GADS Documentation

21. Questions?