Google Apps uses its own user database, as of now there is no way to direct it to a backend one, so the only option is to sync with the Google Apps database. <div class="gmail_quote">On Fri, Mar 19, 2010 at 4:28 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">Dmitri Pal wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Walter Meyer wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> We would be using Google Apps for our email system (and other services included with GA like Google Docs etc.) I'd like to have one password for users when they access their email via Google Apps, ideally the users and passwords would be centralized in IPA. According to the Google documentation they only support updating user passwords with the utility or through the API's that are encoded in MD5, SHA1, or clear text. Another option I have considered is implementing a SSO solution like Shibboleth (integrated with IPA) and having users login to their email and other Google Apps services using that, as Google Apps supports SAML. But the SAML SSO solution wouldn't work with IMAP and users would have to maintain a separate password for this. Yet another option would be to write a web app that would send a password change simultaneously to Google Apps via their API's and to the IPA server, so the passwords would be the same as long as the end-user only used the web app to change their password. <a href="http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html" target="_blank">http://code.google.com/googleapps/domain/gdata_provisioning_api_v2.0_reference.html</a> So my goal is to have one password for Directory Services (IPA) and Google Apps services if possible. </blockquote> I wonder if it would be better to take advantage of the passync utility provided by DS to replicate passwords and update them in the external source. </blockquote> </div> passsync is for syncing passwords with Active Directory.<div class="im"> <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Can Google Apps use a local DS instance as a back end? This way the IPA can be set up to update passwords in this instance via passync using of the shelf utilities provided by DS. </blockquote> </div> If they could use DS as a local backend then could just authenticate directly against the IPA LDAP server. rob </blockquote></div>