I will see if Salted SHA1 is supported and maybe Google hasn't documented it
yet. If not, the sync is done with the Google Servers over SSL. And if only
the Directory Manager can read the userPassword attribute, would storing the
userPassword attribute in SHA1 be that insecure? What scenario could the
passwords be compromised if I went with this setup? Unless the Directory
Manager account was compromised wouldn't this be secure if all of the data
was being transmitted over SSL?

Also all logins to Google Apps are encrypted with SSL.


On Fri, Mar 19, 2010 at 2:06 PM, Simo Sorce <sso...@redhat.com> wrote:

> On Thu, 18 Mar 2010 19:47:35 -0400
> Walter Meyer <wgme...@gmail.com> wrote:
> > Sorry I should have linked to the manual for it:
> > http://www.postini.com/webdocs/gads/admin
> >
> > The Google Apps utility actually syncs passwords from LDAP to Google
> > Apps, not the other way around. The manual says that the utility
> > supports password attributes in MD5, SHA1, or Clear Text. So I am
> > wondering how they are stored in the IPA DS.
> By default we use Salted SHA (SSHA) for the userPassword attribute.
> You can change it by changing the passwordStorageScheme attribute (see
> chapter 7 of the directory server guide), but you will probably have to
> perform a password change for each user that needs synchronization if
> you already have passwords set, because the hash can be changed only
> when the clear text password is available.
> I have to say though that MD5/SHA1 are considered weak today, esp MD5.
> Also you should make sure you understand the implication of exposing
> your internal passwords over the network.
> By using the same hash for google apps it means you users will send
> their IPA password to google for authentication (hopefully over HTTPS)
> so if someone can phish or mitm them they will have the right password
> for both google apps *and* your company resources.
> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Freeipa-users mailing list

Reply via email to