On Thu, 18 Mar 2010 19:47:35 -0400 Walter Meyer <[email protected]> wrote:
> Sorry I should have linked to the manual for it:
> http://www.postini.com/webdocs/gads/admin
>
> The Google Apps utility actually syncs passwords from LDAP to Google
> Apps, not the other way around. The manual says that the utility
> supports password attributes in MD5, SHA1, or Clear Text. So I am
> wondering how they are stored in the IPA DS.

By default we use Salted SHA (SSHA) for the userPassword attribute.
You can change it by changing the passwordStorageScheme attribute (see
chapter 7 of the directory server guide), but you will probably have to
perform a password change for each user that needs synchronization if
you already have passwords set, because the hash can be changed only
when the clear text password is available.

I have to say though that MD5/SHA1 are considered weak today, esp. MD5.

Also you should make sure you understand the implication of exposing
your internal passwords over the network. By using the same hash for
Google Apps it means your users will send their IPA password to Google
for authentication (hopefully over HTTPS), so if someone can phish or
MITM them they will have the right password for both Google Apps *and*
your company resources.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
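The point in the message above that a stored hash can only be changed when the clear text is available, as an added example that is not part of the original message and is not FreeIPA or directory server code. It assumes the common LDAP encoding `{SSHA}` = base64(SHA1(password + salt) + salt); the function names, the sample password and the 8-byte default salt are constructed for illustration.

```python
import base64, hashlib, hmac, os

# scheme -> (hashlib algorithm, digest size in bytes)
DIGESTS = {"SSHA": ("sha1", 20), "SHA": ("sha1", 20), "MD5": ("md5", 16)}

def encode(scheme, password, salt=b""):
    """Build a userPassword value; only SSHA uses (and stores) a salt."""
    if scheme != "SSHA":
        salt = b""
    elif not salt:
        salt = os.urandom(8)  # assumed salt length for this example
    digest = hashlib.new(DIGESTS[scheme][0], password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def parse(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt); no prefix = clear text."""
    if not value.startswith("{") or "}" not in value:
        return "CLEAR", value.encode("utf-8"), b""
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    size = DIGESTS[scheme][1]
    # SSHA must carry a salt after the digest; unsalted schemes must not.
    if (scheme == "SSHA" and len(raw) <= size) or (scheme != "SSHA" and len(raw) != size):
        raise ValueError("bad digest length for " + scheme)
    return scheme, raw[:size], raw[size:]

def verify(value, candidate):
    """Constant-time check of a candidate password against a stored value."""
    scheme, digest, salt = parse(value)
    if scheme == "CLEAR":
        return hmac.compare_digest(digest, candidate)
    expected = hashlib.new(DIGESTS[scheme][0], candidate + salt).digest()
    return hmac.compare_digest(digest, expected)

def rehash_on_change(stored, cleartext, new_scheme):
    """Re-encode under new_scheme; needs the clear text, as at a password change."""
    if not verify(stored, cleartext):
        raise ValueError("clear text does not match stored hash")
    return encode(new_scheme, cleartext)

if __name__ == "__main__":
    pw = b"Constructed-Example-1"               # constructed sample password
    stored = encode("SSHA", pw, salt=b"saltsalt")
    print(stored, "->", rehash_on_change(stored, pw, "SHA"))
```

The salted digest in `stored` never equals the unsalted `{SHA}` digest of the same password, which is why a sync tool expecting unsalted SHA1 or MD5 cannot consume existing SSHA values without each user changing their password.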
