Hi Folks,

We are trying to use G Suite's GCDS to sync users and passwords from our Freeipa server running on a CentOS server.

The sync appears *mostly* working and when the sync is executed, it registers that a user has changed their password and *claims* it's made the modification change.

The issue is that the password doesn't change in G Suite. I *think* it's a password hash issue at this point.

The GCDS application says that the hashes it accepts are MD5, SHA1, or Clear Text (unfortunately Google only accepts these old options). I've been trying to do ldapsearch dumps to see if I can get an idea of the password hash Freeipa uses, but I haven't had any luck.

I did see an article from this forum published in Feb of 2015 (https://www.redhat.com/archives/freeipa-users/2015-February/msg00187.html) that says Freeipa uses a salted sha256 hash.

From the following freeipa-users article (https://www.redhat.com/archives/freeipa-users/2010-March/msg00044.html) it looks like I have to add SHA1 as a hash option to the server if I want to get things working. I'd like to try this on my test server to see if that's actually the issue on why the gsync is failing to update changed passwords.

I've been looking around, but since I'm fairly new to using freeipa, I'm not sure how to add a hash to the server. If you can please point me to some documentation that shows me how to add SHA1 as a password hash, I'd be grateful.

I understand the insecure nature of moving to SHA1 and I've emailed Google to see if they support anything better, but management wants the Freeipa server to sync accounts and passwords to Google, so I have to make this work.

Has anyone gotten Freeipa to sync its passwords to G Suite?

If I get this working, I'm happy to share the config with you so some other poor soul doesn't have to stumble through the configuration.

Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
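
An added example, not part of the original post: one way to read the storage scheme off a `userPassword` value in an ldapsearch dump and tell whether it is an unsalted MD5 or SHA1 digest of the kind the post says GCDS accepts. It assumes the RFC 2307-style `{SCHEME}base64(digest+salt)` layout and unfolded LDIF lines; the function names and the sample values are constructed for illustration.

```python
import base64
import hashlib
import re

# Digest sizes (bytes) of RFC 2307-style schemes; bytes after the digest are salt.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20,
              "SHA256": 32, "SSHA256": 32, "SHA512": 64, "SSHA512": 64}

def ldif_value(line):
    """Value of one unfolded LDIF line; 'attr:: x' marks x as base64-encoded."""
    _attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def _result(scheme, digest_hex=None, salt_len=None, plain=False):
    return {"scheme": scheme, "digest_hex": digest_hex,
            "salt_len": salt_len, "unsalted_md5_or_sha1": plain}

def describe(stored):
    """Split '{SCHEME}base64(digest+salt)' into scheme, hex digest and salt length."""
    m = re.fullmatch(r"\{([A-Za-z0-9_-]+)\}(.+)", stored)
    if not m:
        return _result(None)            # no scheme prefix: not a tagged hash
    scheme = m.group(1).upper()
    size = DIGEST_LEN.get(scheme)
    if size is None:
        return _result(scheme)          # other layouts are reported, not parsed
    raw = base64.b64decode(m.group(2))
    if len(raw) < size:
        raise ValueError("value too short for " + scheme)
    salt_len = len(raw) - size
    plain = scheme in ("MD5", "SHA") and salt_len == 0
    return _result(scheme, raw[:size].hex(), salt_len, plain)

def _sample(scheme, raw):
    """Build a constructed 'userPassword::' line the way ldapsearch prints it."""
    inner = "{%s}%s" % (scheme, base64.b64encode(raw).decode())
    return "userPassword:: " + base64.b64encode(inner.encode()).decode()

PW, SALT = b"constructed-password", b"8bytesal"   # constructed, not real data
SAMPLES = [_sample("SSHA256", hashlib.sha256(PW + SALT).digest() + SALT),
           _sample("SHA", hashlib.sha1(PW).digest())]

if __name__ == "__main__":
    for line in SAMPLES:
        print(describe(ldif_value(line)))
```

A salted value (non-zero `salt_len`) cannot be passed off as plain SHA1 or MD5, because the receiving side would have to know the salt to verify it.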
