Hi Folks,

We are trying to use G Suite's GCDS to sync users and passwords from our Freeipa server running on
a CentOS server.

The sync appears *mostly* working and when the sync is executed, it registers that a user has changed their
password and *claims* it's made the modification change.

The issue is that the password doesn't change in G Suite. I *think* it's a password hash issue at this point.

The GCDS application says that the hashing it accepts are MD5, SHA1, or Clear Text (unfortunately Google only accepts these old options). I've been trying to do ldapsearch dumps to see if I can get an idea of the password hash Freeipa users,
but I haven't had any luck.

I did see an article from this forum published in Feb of 2015 (https://www.redhat.com/archives/freeipa-users/2015-February/msg00187.html) that says Freeipa uses a salted sha256 hash.

From the following freeipa-users article (https://www.redhat.com/archives/freeipa-users/2010-March/msg00044.html) it looks like I have to add SHA1 as a hash option to the server if I want to get things working. I'd like to try this on my test server to see if that's actually the issue on why the gsync is failing to update changed passwords.

I've been looking around, but since I'm fairly new using freeipa, I'm not sure how to add a hash to the server. If you can please point me to some documentation that shows me how to add SHA1 as a password hash, I'd be grateful.

I understand the insecure nature of moving to SHA1 and I've emailed Google to see if they support anything better, but management wants the Freeipa server to sync accounts and passwords to Google, so I have to make this work.

Has anyone gotten Freeipa to sync it's passwords to G Suite?

If I get this working, I'm happy to share the config with you so some other poor soul doesn't have to stumble through the

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to