Thanks for the clarification Sam... much appreciated... On Nov 8, 2007 12:11 AM, Sam Johnston <[EMAIL PROTECTED]> wrote:
> > On 11/7/07, Ryan Shelley <[EMAIL PROTECTED]> wrote: > > With a separate email client like Outlook or Thunderbird? Well, much of > > what I describe still holds. You need to provision each account with > their > > AD passwords (assuming the are SHA-1 encoded), and then the user needs > to > > log in and enable POP3 on their account. Once that's setup, they can > use a > > 3rd party client to receive their mail. The only catch is that if the > user > > changes their password on your AD domain, you might want to consider > syncing > > that change with Gmail so their mailbox password matches their domain > login. > > Unfortunately 'the NTLM, NTLMv2, and Kerberos all use the NT hash, > also known as the Unicode hash' (Q299656). The best way to achieve > what you suggest would likely be to register for password change > notifications and capture the password in cleartext before it is > encoded and stored to AD. This is how Microsoft themselves do it for > their Identity Integration Server: > > Password Change Notification Service captures passwords on the domain > controller so Identity Integration Server can synchronize. > > http://www.microsoft.com/downloads/details.aspx?familyid=c0964f2e-fa9f-4fc7-ac13-c43928efee9d&displaylang=en > > An interesting enhancement for apps would be for it to understand NTLM > hashes, at least for migration purposes (they could be stored > temporarily and upgraded when the user provides the cleartext password > the first time they log on). I've already done something similar for > OpenLDAP half a dozen years ago so I know it's feasible; I'll submit > the suggestion to product management. > > http://www.openldap.org/lists/openldap-devel/200203/msg00025.html > > Presumably those of you using Apps in NT based environments would find > the ability to migrate existing passwords useful? > > Sam > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
