
It would be so great if I could just avoid all the API junk, and install a program on one of my servers that would actively monitor AD and G-Apps and sync stuff between them. I could just create special admin accounts in both AD and GApps for this program to use.

Optionally, it could offer a web portal for people to reset/recover their passwords.

Does anyone know of a program like this? I would prefer a Windows program with a nice installer.

Corey

2 Answers

1

Is this too much to ask for?

Yes, in many ways it is. Passwords in both Google and AD are stored using a one way hash. The hashes between the two are not compatible. If you do not want to accept the risk of storing a reversible password in the AD then your only choice is to use the SSO solution. Unfortunately the SSO solution only works for the web. The SSO option does not work for imap/smtp/xmpp authentication.

None of the tools that speak SAML are simple to setup. As you said, usually it takes setting up a somewhat complicated web stack.

See my answer here for a description of what our organization did.

Zoredache
  • I’m aware of the limitation regarding passwords stored in AD, however passwords are the only thing that can’t be pulled from AD. A potential workaround for that is to have users use a web form whenever they want to change their password. This web form could be provided by the same program or IIS. I’ve also heard talk of the ability to capture the passwords before AD hashes them, not really sure how that would work. – Corey Oct 02 '09 at 17:05

0

Here is a password filter that solves the sync problem: http://code.google.com/p/sha1hexfltr/. You could then use the Google Directory Sync tool.