TransWikia.com

Suggestions for using Active Directory credentials (user name/password) with Google Apps?

Server Fault Asked by Corey on February 7, 2021

I run a small college network with approximately 150 user accounts both in my Active Directory and in Google Apps. I’m looking to link AD with G-Apps. Currently my users are required to maintain separate passwords for each. Obviously this is not really the ideal situation. I know Google provides APIs for this type of thing, but not the actual software. I’ve looked at a few commercial products and seem to be leaning toward Crowd (atlassian.com). I’m also interested in the ability for users to reset there own passwords or receive randomly generated passwords via TXT message. Single Sign On would be nice, but not really necessary if I simply had a way for the passwords to be synchronized.

Optimally, when I create a user in AD, it will automatically show up in Google Apps, and when a user changes there password via Windows (or a web page if necessary) that change will be reflected in both AD and G-Apps.

I also use Moodle, Joomla and a few other products that have the ability to authenticate against LDAP.

I have Win2k3 DCs, and one Ubuntu webserver. I can add a server if necessary.

Has anyone else done this, or something similar? Are there any other products or technologies I should be looking at. I tend to gravitate towards something Windows based with a GUI due to my lack of experience with Linux/CLI. I’m not a programmer, so I need something that will work out of the box (or as close as possible).

9 Answers

We just tested SecureMFA SSP portal, looks like a free version gives enterprise-level features like MFA, multiple domains, RBAC, network filtering etc.

Answered by Alex J0nes on February 7, 2021

This is an old question that now has easier solutions.

Products like OneLogin and Okta can sync to your AD and allow your users to log into Google (via SAML) with their AD passwords. These products are increasing their provisioning capabilities, so that when you add a user to AD they are automatically given a Google Apps account (and accounts on other cloud-based services they need).

Answered by ArenS on February 7, 2021

Google just released a new password sync product called "Google Apps Password Sync (GAPS)"

http://support.google.com/a/bin/answer.py?hl=en&answer=2611859&topic=2611858&ctx=topic

Answered by Corey on February 7, 2021

My final solution was two part…

Part one, Use "Google Apps Directory Sync" to sync users from AD to Google Apps

Part two, Use "NetWrix Password Manager" with some custom development they provided to create a web based portal for my users to change there passwords with.

The portal resets their AD password as well as their Google password at the same time.

Answered by Corey on February 7, 2021

Microsoft Active Directory (MAD) supports a function called password filters. Basically these are a DLL that runs on every domain controller, when a user/admin requests a password change the filter can capture the password before MAD encrypts and stores the password in the MAD database. Lucky for you someone has already written a filter for you that works perfectly (I use it on a Windows 2003 SP1 MAD domain controller). Have a look at http://code.google.com/p/sha1hexfltr/wiki/installation

It captures the users new password whiles its plain text, creates a sha1 hash of the password and stores that in the "division" attribute in MAD. Google Apps Directory Sync (GADS) can then sync the password to Google Apps. Works for user creation and every password change post.

Good luck

Answered by on February 7, 2021

Here is a password filter that solves the synch problem. http://code.google.com/p/sha1hexfltr/

Answered by randy anderson on February 7, 2021

You can use Google Apps Directory Sync and Sun's OpenSSO. This will give your users a portal to login to using their AD credentials. There is a way to pass the credentials automatically, but I haven't gotten there yet. You can run OpenSSO on Glassfish, which will run on either windows or linux. I have an example of my setup on my site. http://edwinlandy.squarespace.com/ll/2009/7/13/active-directory-google-apps-and-sso-about-time.html

Answered by on February 7, 2021

We have been using simpleSAML to enable single sign on. The problem is that SSO only works for web-based access. If you want to all pop3, imap, or instant messaging from a client you have to synchronize accounts. Getting simpleSAML working does take a moderate amount of tweaking.

Answered by Zoredache on February 7, 2021

Check out " Google Apps Directory Sync" from Google it is included in the educational version at no charge. This will only sync the acutual accounts and groups: http://googleenterprise.blogspot.com/2009/04/sync-google-apps-user-accounts-with.html

You will need to work on something like google SSO to provided access to you LDAP server for authentication.

Google Apps Marketplace has several products available that snap into place and will provide what you are looking for. Here are some examples.

Intient GConnect - http://www.google.com/enterprise/marketplace/viewListing?productListingId=4284199+8229018775854408052

SecureAuth - http://www.google.com/enterprise/marketplace/viewListing?productListingId=3806839+12543887358898980350

Hope that helps!

Answered by JJ01 on February 7, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP