On Wed, Dec 3, 2014 at 2:17 PM, Ned Twigg <[email protected]> wrote:
> I have a small company that's moving from cloud services to internal
> services, so we're getting our first-ever LDAP server up to manage these
> accounts.
>
> We're using ApacheDS, but I really wish we could use Google Apps to manage
> our internal authentication requests. We're an Eclipse/OSGi/Java dev shop,
> so I figure we could probably hack around a little to make a plugin for
> ApacheDS to set it up as a front for our Google Apps domain.

Why not use ApacheDS to store the passwords and use SAML2 to authenticate to
Gmail? Doesn't work for heavy GUI apps or mobile, but it does for webapps.

> I've got a couple questions:
> 1) Do you think this is possible?

It would be very hard with just ApacheDS. Most of the authentication in
ApacheDS assumes the password is local. If you wanted to go down this route I
would suggest using a virtual directory in front of your ApacheDS, using
ApacheDS for data and the virtual directory (as a reverse proxy) to delegate
authentication to Google but pull data from ApacheDS over LDAP. No one I know
of does this OOTB, but it should be a pretty easy plugin. Shameless plug:
MyVirtualDirectory (http://myvd.sourceforge.net), which I'm the author of,
could do this pretty easily. I know the folks at ForgeRock have virtual
capabilities in their directory as well that you could look at.

> 2) If so, any recommendations on where we should start? Which extension
> points we should learn about?

See my previous comment. Google does have a Java SDK that could perform the
authentication and, if you really want to get fancy, could be used to reset
the password as well.

> 3) Is anybody interested in doing this project under sponsorship from us?
> We're very small, but we do have some revenue, and it'd be worth $500 or so
> to us for it to just be done. Googling around there are other people who
> have the same request:
>
> https://productforums.google.com/forum/#!topic/apps/6rOyXD5g1aA
>
> http://superuser.com/questions/438629/using-apacheds-for-single-sign-on-for-google-apps
> https://www.jfrog.com/jira/browse/RTFACT-5491

I don't have the cycles to code it right now, but would be happy to help out
if you want to ping me out-of-band or on the MyVD list. It sounds like an
interesting idea that would make a good addition to a virtual directory. No
$$$$ needed.

Thanks
Marc
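The delegated-bind arrangement Marc describes (the directory serves entries, an upstream provider checks passwords) sketched in Python as an added example; it is not code from this thread, from ApacheDS, or from MyVirtualDirectory. The in-memory `entries` map stands in for data pulled from ApacheDS, the `fake_google` callable stands in for whatever Google Apps credential check the plugin would make, and the DNs, addresses and password are all constructed. What it adds to the thread is the part a delegating proxy gets wrong most often: it must refuse an unauthenticated bind (DN present, empty password) itself, as RFC 4513 section 5.1.2 recommends, rather than hand it upstream; it must look the identity up in its own trusted data rather than trust the client-supplied DN; and it should return the same `invalidCredentials` for an unknown DN as for a wrong password so it cannot be used to enumerate accounts.

```python
"""Delegating-bind virtual directory sketch (constructed example).

Entries come from a local store standing in for ApacheDS; simple binds are
verified by an upstream callable standing in for a Google Apps check, so the
directory never stores a password."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# LDAP resultCode values from RFC 4511 section 4.1.9.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def normalize_dn(dn: str) -> str:
    """Trim whitespace around each RDN and lower-case the DN so lookups are
    case-insensitive. Enough for the plain ASCII DNs used here; a real server
    must apply RFC 4514 escaping and per-attribute matching rules."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class DelegatingDirectory:
    """Entries are served locally; password checks go upstream."""
    # Normalized DN -> attributes. Stands in for data read from ApacheDS.
    entries: Dict[str, Dict[str, str]]
    # (email, password) -> bool. Stands in for the Google Apps credential
    # check; the password is used for this call only and never stored.
    upstream: Callable[[str, str], bool]
    failures: Dict[str, int] = field(default_factory=dict)
    max_failures: int = 5

    def bind(self, dn: str, password: str) -> Tuple[int, Optional[str]]:
        """Simple bind. Returns (resultCode, authenticated email or None)."""
        if dn == "" and password == "":
            return SUCCESS, None  # anonymous bind: no identity, no upstream call
        if password == "":
            # Unauthenticated bind (DN with empty password). RFC 4513 5.1.2 says
            # servers SHOULD fail it with unwillingToPerform; a proxy that
            # forwarded it upstream could turn "no password" into a login.
            return UNWILLING_TO_PERFORM, None
        key = normalize_dn(dn)
        entry = self.entries.get(key)
        if entry is None or "mail" not in entry:
            # Unknown DN: same code as a bad password, so the proxy cannot be
            # used to enumerate accounts, and nothing is sent upstream.
            return INVALID_CREDENTIALS, None
        if self.failures.get(key, 0) >= self.max_failures:
            return INVALID_CREDENTIALS, None  # locked: stop hammering upstream
        # The identity sent upstream comes from the trusted local entry, not
        # from whatever the client typed into the bind DN.
        email = entry["mail"]
        if self.upstream(email, password):
            self.failures.pop(key, None)
            return SUCCESS, email
        self.failures[key] = self.failures.get(key, 0) + 1
        return INVALID_CREDENTIALS, None

    def search(self, base: str, attr: str, value: str) -> List[Dict[str, str]]:
        """Equality search under `base`, served entirely from the local store."""
        base_n = normalize_dn(base)
        return [
            dict(e, dn=dn)
            for dn, e in self.entries.items()
            if (dn == base_n or dn.endswith("," + base_n))
            and e.get(attr, "").lower() == value.lower()
        ]


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Run the bind cases that matter against a constructed fixture."""
    entries = {
        normalize_dn("uid=ned,ou=people,dc=example,dc=com"): {
            "uid": "ned", "mail": "ned@example.com"},
    }
    google_accounts = {"ned@example.com": "correct horse"}  # constructed stand-in

    def fake_google(email: str, password: str) -> bool:
        # Placeholder for the real upstream call; compares the constructed fixture.
        return google_accounts.get(email) == password

    d = DelegatingDirectory(entries, fake_google)
    user = "uid=ned,ou=people,dc=example,dc=com"
    return {
        "good": d.bind(user, "correct horse"),
        "case_insensitive": d.bind("UID=Ned, OU=People, DC=example, DC=com", "correct horse"),
        "bad": d.bind(user, "wrong"),
        "unauthenticated": d.bind(user, ""),
        "unknown": d.bind("uid=mallory,ou=people,dc=example,dc=com", "correct horse"),
        "anonymous": d.bind("", ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The lockout counter is keyed on the normalized DN so a client cannot reset it by varying case or spacing, and the upstream call happens only after every local check has passed; in a real plugin the upstream check is where the Google SDK call Marc mentions would sit, and the entries would be read from ApacheDS over LDAP rather than from a dictionary.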
