Google Directory Sync - Active Directory Password Sync


regans

Sep 9, 2010, 1:56:23 AM
to Techies for schools
Hi

I have been using Google Directory Sync on our Google Apps domains
successfully for a while now. I also have simpleSAMLphp running to
handle user authentication. This has meant the lack of password
synching between Google Apps and our Active Directory hasn't been a
big issue. I am now looking at pushing users off our Exchange server
and onto Google Apps mail. This requires users to authenticate
directly with Google who doesn't know their Active Directory password.
One solution I have found is the HashingPasswordFilter project,
http://code.google.com/p/hashing-password-filter/. It is an open
source project that intercepts password changes on the domain
controller, allowing the clear text password to be hashed and stored
in a field in the directory for Google Directory Sync to retrieve and
pass through to Google.

The HashingPasswordFilter solution seems to be recommended by quite a
few contributors to the Google Apps help forums. I am wondering if
anyone has had any experience using it and could comment either way on
it; or if anyone has any other solutions to keeping Google Apps
passwords synced up with users' Active Directory passwords.

Cheers
Regan

Rohan Meuli

Sep 9, 2010, 5:34:18 AM
to techies-f...@googlegroups.com
Regan - I've cross-posted this to the Google Apps Education group as
well.

Cheers

Rohan@Watchdog

John Driver

Sep 9, 2010, 5:56:14 PM
to Techies for schools
Hi Regan. I use this on our Server 2008 R2 (x64) DC:

http://code.google.com/p/sha1hexfltr/

I wonder if this is the same or similar thing? It uses a
sha1hexfltr.dll to hash the AD password, which I then store in an AD
attribute, and pass to Google Apps as part of Directory Sync. Sounds
the same as the hashing password filter on Google Code. It has worked
seamlessly since I started using it a year ago. The only slight
annoyance is that if I interrogate the Directory Sync logs, I see
errors synchronizing passwords. Something to do with Directory Sync
not knowing how to handle a success response from Google Apps. Even
though there are errors, it works perfectly though. Might be solved
with an update to Directory Sync, which I must do. Hope this helps.


Glen

Sep 9, 2010, 6:21:15 PM
to Techies for schools
Hi

I don't know if it works with simpleSAMLphp, but the Google Apps
Outlook Sync app supports SSO signon

http://mail.google.com/support/bin/static.py?hl=en&page=guide.cs&guide=28354&topic=28356&from=153872&rd=1

When setting up the sync app there is an option to say if you are
using a Google Apps password or not, and if you say no it gives the
option to use SSO instead. Have never used this option so don't know
how well it works - others may be able to comment.


Glen


HushPe

Sep 9, 2010, 10:56:34 PM
to Techies for schools
We have an application that sits on all your domain controllers that
synchronises your passwords with Google Apps.

This is available through www.hapara.com who are working closely with
Russell Burt on the Tamaki Transformation Project.

Access Manager (the product) also integrates SSO against Google Apps
(hence the motivation of having it all in the Google cloud). There
are some really nice benefits like being able to login on behalf of
another user (provided you're an admin).

Wellington College use our first generation of this, which runs their
Moodle site as well as Google Apps. Mt Maunganui College use the
Access Manager version with GADS, and have a custom login screen
(gmail.mmc.school.nz).

This solution does not push additional data into your Active
Directory, so for the purists of you, you'll be happy. For the
security conscious, we've catered for all the implications using tight
256-bit encryption across the whole method, and communicate to Google
Apps via HTTPS as well. And it will work nicely with proxy servers
(we work in schools after all).

Regards,
Arron Edwards
Totali Limited

P.S. If my email name comes up funny (i.e. not "Arron"), not too sure
why, but it's Google groups mixing with an old personal account!


regans

Sep 12, 2010, 7:21:22 AM
to Techies for schools
Thanks for the replies. There are some options that I hadn't
considered and I will follow them up.

Cheers
Regan


Arron Edwards :// Totali Limited

Sep 12, 2010, 7:33:46 PM
to Techies for schools
Hi Regan,

I downloaded a copy of the Hashing Password filter. If you're
security conscious, I probably would not recommend using it for the
following reasons:

1. You need to configure (in plain text) an Administrator account so
you write to AD fields
2. You need to modify your schema (most AD admins don't like doing
this)
3. Exposing (in plain text again) your GApps Admin credentials

Food for thought.

I did forget to mention that Hapara.com's solution is instant (i.e. no
waiting for GADS to kick off).

Regards,
Arron

It's probably not for the faint of heart either, as you'll need at
least a basic understanding of LDAP to configure it.
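
An added example, not code from HashingPasswordFilter, sha1hexfltr or anyone in this thread: a defender-side audit of the kind of attribute discussed above, where a SHA-1 hex digest of each password is stored in AD for Directory Sync to pick up. The attribute name `gappsPasswordHash`, the UTF-8 encoding, the unsalted digest and the LDIF-style sample are constructed assumptions. It reports accounts with a missing or malformed value and accounts whose digests are identical, which is what anyone with read access to an unsalted hash attribute can also see.

```python
import hashlib
import re
from collections import defaultdict

HASH_ATTR = "gappsPasswordHash"           # hypothetical attribute name
SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")  # 160-bit digest as 40 hex characters


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest (UTF-8 input encoding is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _entry(user, value=None):
    """Build one constructed LDIF-style record for the sample below."""
    lines = [f"dn: CN={user},OU=Staff,DC=example,DC=test",
             f"sAMAccountName: {user}"]
    if value is not None:
        lines.append(f"{HASH_ATTR}: {value}")
    return "\n".join(lines)


# Constructed sample export: no real accounts or passwords.
SAMPLE_LDIF = "\n\n".join([
    _entry("alice", sha1_hex("constructed-pass-1")),
    _entry("bob", sha1_hex("constructed-pass-1")),        # same password as alice
    _entry("carol", sha1_hex("constructed-pass-2")[:32]),  # truncated value
    _entry("dave"),                                        # never synced
    _entry("erin", sha1_hex("constructed-pass-3")),
])


def audit(ldif: str) -> dict:
    """Return users with missing, malformed, or shared hash values."""
    report = {"missing": [], "malformed": [], "shared": []}
    by_hash = defaultdict(list)
    for block in ldif.strip().split("\n\n"):
        entry = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line)
        user = entry.get("sAMAccountName", entry.get("dn", "?"))
        value = entry.get(HASH_ATTR)
        if value is None:
            report["missing"].append(user)
        elif not SHA1_HEX.fullmatch(value):
            report["malformed"].append(user)
        else:
            by_hash[value.lower()].append(user)
    # Unsalted digests are equal exactly when the passwords are equal.
    report["shared"] = sorted(sorted(u) for u in by_hash.values() if len(u) > 1)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Because equal passwords give equal values, read access to this attribute should be limited to the account Directory Sync binds with.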