Google Apps uses its own user database; as of now there is no way to direct it to a backend one, so the only option is to sync with the Google Apps database.

On Fri, Mar 19, 2010 at 4:28 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Dmitri Pal wrote:
>
>> Walter Meyer wrote:
>>
>>> We would be using Google Apps for our email system (and other services
>>> included with GA like Google Docs etc.) I'd like to have one password
>>> for users when they access their email via Google Apps, ideally the
>>> users and passwords would be centralized in IPA.
>>>
>>> According to the Google documentation they only support updating user
>>> passwords with the utility or through the API's that are encoded in
>>> MD5, SHA1, or clear text.
>>>
>>> Another option I have considered is implementing a SSO solution like
>>> Shibboleth (integrated with IPA) and having users login to their email
>>> and other Google Apps services using that, as Google Apps supports
>>> SAML. But the SAML SSO solution wouldn't work with IMAP and users
>>> would have to maintain a separate password for this. Yet another
>>> option would be to write a web app that would send a password change
>>> simultaneously to Google Apps via their API's and to the IPA server,
>>> so the passwords would be the same as long as the end-user only used
>>> the web app to change their password.
>>>
>>>
>>> http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html
>>>
>>> So my goal is to have one password for Directory Services (IPA) and
>>> Google Apps services if possible.
>>>
>> I wonder if it would be better to take advantage of the passync utility
>> provided by DS to replicate passwords and update them in the external
>> source.
>>
>
> passsync is for syncing passwords with Active Directory.
>
>> Can Google Apps use a local DS instance as a back end?
>> This way the IPA can be set up to update passwords in this instance via
>> passync using off the shelf utilities provided by DS.
>>
>
> If they could use DS as a local backend then could just authenticate
> directly against the IPA LDAP server.
>
> rob
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
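A sketch of the last option in the quoted message (one password-change handler that feeds both stores), added here as an example and not code from the thread, from IPA or from Google. The in-memory dict stores, the function names, the hex encoding of the SHA-1 value and the `{SSHA}` directory scheme are all assumptions; the point is that the unsalted digest for the Google side cannot be derived from a salted directory value, so both must be computed from the cleartext at change time.

```python
import base64
import hashlib
import hmac
import os


def google_sha1(password):
    """Unsalted SHA-1 of the password, hex encoded (encoding is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def ssha(password, salt=None):
    """Salted SHA-1 in LDAP {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def change_password(user, new_password, directory, google):
    """Hypothetical handler: update both stores from the one cleartext input.

    `directory` and `google` are plain dicts standing in for the real
    backends; a real handler would call each service here instead.
    """
    directory[user] = ssha(new_password)
    google[user] = google_sha1(new_password)


if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same password.
    directory, google = {}, {}
    for name in ("alice", "bob"):
        change_password(name, "correct horse", directory, google)
    # The unsalted values match across users; the salted ones do not.
    print("google equal:   ", google["alice"] == google["bob"])
    print("directory equal:", directory["alice"] == directory["bob"])
```

Because the unsalted digests are identical for identical passwords, the value sent to the external service deserves the same handling as the cleartext password itself.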