Dmitri Pal wrote:
Walter Meyer wrote:
We would be using Google Apps for our email system (and other services
included with GA like Google Docs etc.) I'd like to have one password
for users when they access their email via Google Apps, ideally the
users and passwords would be centralized in IPA.

According to the Google documentation they only support updating user
passwords with the utility or through the APIs that are encoded in
MD5, SHA1, or clear text.

Another option I have considered is implementing an SSO solution like
Shibboleth (integrated with IPA) and having users log in to their email
and other Google Apps services using that, as Google Apps supports
SAML. But the SAML SSO solution wouldn't work with IMAP and users
would have to maintain a separate password for this. Yet another
option would be to write a web app that would send a password change
simultaneously to Google Apps via their APIs and to the IPA server,
so the passwords would be the same as long as the end-user only used
the web app to change their password.

So my goal is to have one password for Directory Services (IPA) and
Google Apps services if possible.

I wonder if it would be better to take advantage of the passsync utility
provided by DS to replicate passwords and update them in the external

passsync is for syncing passwords with Active Directory.

Can Google Apps use a local DS instance as a back end?
This way the IPA can be set up to update passwords in this instance via
passsync using off-the-shelf utilities provided by DS.

If they could use DS as a local backend then could just authenticate directly against the IPA LDAP server.


Freeipa-users mailing list