[Freeipa-users] Password Attribute Syncing Support

Rob Crittenden rcritten at redhat.com
Fri Mar 19 20:28:22 UTC 2010


Dmitri Pal wrote:
> Walter Meyer wrote:
>> We would be using Google Apps for our email system (and other services
>> included with GA like Google Docs etc.) I'd like to have one password
>> for users when they access their email via Google Apps, ideally the
>> users and passwords would be centralized in IPA.
>>
>> According to the Google documentation they only support updating user
>> passwords with the utility or through the APIs that are encoded in
>> MD5, SHA1, or clear text.
>>
>> Another option I have considered is implementing an SSO solution like
>> Shibboleth (integrated with IPA) and having users log in to their email
>> and other Google Apps services using that, as Google Apps supports
>> SAML. But the SAML SSO solution wouldn't work with IMAP and users
>> would have to maintain a separate password for this. Yet another
>> option would be to write a web app that would send a password change
>> simultaneously to Google Apps via their APIs and to the IPA server,
>> so the passwords would be the same as long as the end-user only used
>> the web app to change their password.
>>
>> http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html
>>
>> So my goal is to have one password for Directory Services (IPA) and
>> Google Apps services if possible.
>>
> I wonder if it would be better to take advantage of the passsync utility
> provided by DS to replicate passwords and update them in the external
> source.

passsync is for syncing passwords with Active Directory.

> Can Google Apps use a local DS instance as a back end?
> This way the IPA can be set up to update passwords in this instance via
> passsync using off-the-shelf utilities provided by DS.

If they could use DS as a local backend then they could just authenticate
directly against the IPA LDAP server.

rob



