Google Apps Directory Sync Password Hashing

Submitted by mcshell on Fri, 06/01/2012 - 11:52

We are currently testing Google Apps Directory Sync to send users over to Google Apps for Gmail and other Google related products. One item I found was that since we have our password field in LDAP set to use SSHA for password hashing, Google cannot interpret it. If I change the password via an LDAP browser and change the hash method to SHA, Google can read it without issue. From looking at some posts on some of the Google developer sites this is a common issue, but I wanted to know what options others may have come up with. Is switching from SSHA to SHA really such a bad thing? Any insight would be appreciated.

The current version of Google Sync being used is 3.0.6

Thanks,
Mike
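
The difference between the two LDAP userPassword formats asked about above, as an added example that is not part of the original post or of any Google or Luminis code: {SHA} is base64(SHA1(password)), while {SSHA} is base64(SHA1(password + salt) + salt). The user names and passwords in the sample directory are constructed.

```python
import base64, hashlib, hmac, os

def make_sha(password):
    """Unsalted {SHA}: base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password, salt=None):
    """Salted {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_user_password(value):
    """Split a userPassword value into (scheme, digest, salt)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    raw = base64.b64decode(b64, validate=True)
    if scheme == "SHA" and len(raw) == 20:
        return scheme, raw, b""
    if scheme == "SSHA" and len(raw) > 20:
        return scheme, raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    raise ValueError("unsupported scheme or bad length: " + scheme)

def verify(password, value):
    """Check a candidate password against either format, in constant time."""
    _, digest, salt = parse_user_password(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def shared_values(entries):
    """Users whose stored value is byte-identical: same password, no salt."""
    groups = {}
    for user, value in entries.items():
        groups.setdefault(value, []).append(user)
    return {v: sorted(u) for v, u in groups.items() if len(u) > 1}

if __name__ == "__main__":
    # Constructed sample directory: alice and bob chose the same password.
    pw = {"alice": "Spring2012!", "bob": "Spring2012!", "carol": "other-pass"}
    as_sha = {u: make_sha(p) for u, p in pw.items()}
    as_ssha = {u: make_ssha(p) for u, p in pw.items()}
    print("shared {SHA} values: ", shared_values(as_sha))
    print("shared {SSHA} values:", shared_values(as_ssha))
    print("verify against SSHA:", verify("Spring2012!", as_ssha["alice"]))
```

With {SHA}, every account that uses the same password stores the same value, so one precomputed SHA-1 table covers the whole directory; the per-entry salt in {SSHA} removes both properties.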

Mike -
Have you ever gotten any feedback on this? We're in the same boat here. In theory changing the hash method _shouldn't_ cause any problems, but theory and the real world don't always agree with each other.

I'm considering creating custom code using the Google APIs to feed off the LDI_Person events that are already getting sent to Luminis. I think this will give me the most robust and customizable solution. I'm hoping to leverage off others who have already traveled this road so I don't have to reinvent the wheel.

Scott

Scott,

We never got a response on this, but changing to SHA instead of SSHA was no issue. To feed Google Apps we used the Google Directory Sync tool and then set a cron job that runs and sends over the necessary info.

Mike

We set up the options we wanted in Google Directory Sync, which then saves them as an XML file.
This is the line we have in our crontab that runs once per hour.

0 * * * * /GoogleAppsDirSync/sync-cmd -a -c /GoogleAppsDirSync/echslee.xml > /dev/null 2>&1

Hope that helps.
Mike