It seems like this is exactly the information I was looking for. To use the Google Apps Directory Sync to keep the Google Apps users synchronized with the Active Directory, it will not use the binary password that Active Directory stores. The only workaround I have seen on the forum so far has been to use the SSO API but that would mean different problems with the Outlook users. Have you tried anything else that worked?
Fatima On Feb 9, 12:53 pm, prd <[email protected]> wrote: > We're trying to do the exact samesyncyou mention here. Were you ever > able to get this working? Basically it's the last thing we need to > iron out before migrating off Exchange 2003. > > Another possible route would be a password filter on the DC(s). > Succesful password change requests would call out to a custom DLL that > MD5/SHA'ed the password and uploaded to Google. Of course this would > require user's changing their passwords before asyncis done, but you > could easily remedy this by a "sign up" form that did the same on a > one-off basis. > > On Dec 19 2008, 7:10 am, ffletch <[email protected]> wrote: > > > > > Thanks for that! The new LDAP tool looks like it does a lot more than > > the old one. It even looks like it has a field for passwords. > > However there is this sentence in the help for that field: > > > An LDAP attribute that contains each user’s password. If you set this > > attribute, your users’ Google Apps password will be synchronized to > > match your users’ LDAP passwords. > > The password field must be a string, not a sequence of bytes. The > > string is the hex encoding of the hashed password. > > The defaultActiveDirectorypassword userPassword is a binary and > > cannot be used. > > > I have tried a couple of different values for the name of the password > > field and so far nothing has done it. So I'm wondering if its > > possible to get password (or even password hashes) out ofActive > >Directory'sLDAP in the first place. Anyone know if its even > > possible? And if so what's the field name in LDAP or if there is > > another way, how do you do it? > > > On Dec 17, 10:18 am, David Cifuentes <[email protected]> > > wrote: > > > > Hiffletch, > > > > I've two ideas that may help you: > > > > 1. Try the newly released tool for syncing with > > > LDAPhttp://www.google.com/support/a/bin/answer.py?answer=106368 > > > 2. You can send password hashes (SHA1 or MD5) when creating your users > > > with the provisioning API > > > inhttp://code.google.com/intl/es-CO/apis/apps/gdata_provisioning_api_v2... > > > search for "hash" > > > > Hope that helps, > > > > David Cifuentes > > > Eforcers.com > > > Bogotá, Colombia > > > > On 16 dic, 22:13,ffletch<[email protected]> wrote: > > > > > I am in the process of migrating off of an Exchange 2003 server onto > > > > Google Apps for your Domain. One of the features that would be most > > > > desirable to have is for the users to have the same userid and > > > > password that they have for the rest of the network resources (i.e. I > > > > want them to authenticate against theactivedirectory). > > > > > So far I have been able to surmise that I have two choices: the LDAP > > > >synctool (http://code.google.com/p/google-apps-for-your-domain-ldap- > > > >sync/) and / or the use of an SSO solution using SAML (http:// > > > > code.google.com/p/google-apps-sso-sample/). It appears that the LDAP > > > >synctool will do exactly what I want except that it won't synchronize > > > > passwords from theActiveDirectory(it does have the ability to > > > > upload passwords but it can't suck them out of theActiveDirecotry). > > > > I have also gotten the ASP .NET sample SSO solution working and it > > > > appears that it will do everything I need except that users who need > > > > IMAP or POP access will not be able to use it. So here are my > > > > questions: > > > > > 1) Does anyone know how to get either clear text passwords or password > > > > hashes out of theActiveDirectoryor does anyone know of any other > > > > free solution (other than the LDAPsynctool) that can get passwords > > > > out of theActiveDirectoryfor uploading to Google? > > > > > 2) Does anyone know how to make it so that a users who need IMAP or > > > > POP access can be forced to use the same user id and password that > > > > they would when logging in via SAML? > > > > > 3) Does anyone know of any other free solution(s) other than the two I > > > > mentioned above that will accomplish the same task? > > > > > Thanks in advance for any ideas.- Hide quoted text - > > - Show quoted text - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
