
6/29/2010

Google Password Sync

Want to sync your Active Directory passwords to Google Apps? No problem.
There is a great tool in the Google Code repository: Hashing Password Filter.
This code creates a SHA1 hash of the user's password and writes it into an AD attribute whenever a user's password is changed. Keep in mind that this is a plain, unsalted SHA1 of the password, which is cheap to crack offline, so treat the attribute as sensitive: restrict who can read it (marking the attribute confidential via its searchFlags in the schema is one option) and lock down the credentials of the account that does the sync.


A couple of things need to happen:


1) You need to create an attribute field to house the password hash for the user.
2) The password filter needs to be installed on all domain controllers, but it can be installed on one to test with.
3) Complex passwords need to be enabled in Group Policy (Windows only calls password filters when the complexity requirement is on).
  • Download the filter (depending on your domain controller setup, the 32- and/or 64-bit versions)
  • Download the Google Data API (http://code.google.com/p/google-gdata/downloads/list)
  • Install the Google Data API on each domain controller
  • Create the attribute “hashedPassword” (type: Case Sensitive String) with the AD Schema Editor
  • You also need an X.500 OID for the new attribute. Use this script to generate one (http://gallery.technet.microsoft.com/ScriptCenter/en-us/56b78004-40d0-41cf-b95e-6e795b2e8a06 )
  • Once the attribute is created, copy “HashingPasswordFilter.dll” into C:\Windows
  • Import the registry key, “HashingPasswordFilter.reg”
  • You will also need an account that can update users in AD (we already had one we use for our scripts); it needs the “Allow log on locally” and “Log on as a batch job” rights.
  • Edit the ini file with that account's login information, copy it to “C:\Documents and Settings\All Users\Application Data”, and make sure it is readable only by administrators (it holds the sync account's credentials)
  • Copy “GoogleHashUpdater.exe” to the process path specified in “HashingPasswordFilter.ini”
  • Edit Group Policy under Password Policy to make sure “Password must meet complexity requirements” is enabled (this is required; the filter is not called otherwise)
  • Reboot the domain controller.
  • You can confirm the install worked by checking the log file “C:\Documents and Settings\All Users\Application Data\HashingPasswordFilter.log”
  • Also, you can check System Information (Loaded Modules) to make sure the module is loaded.
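To run through the checks above in one go on a domain controller, here is an added PowerShell script written for this page (it is not part of the Hashing Password Filter project). It assumes the “Notification Packages” entry is the DLL name without the extension, uses the ini path from the steps above, and, because the post does not say how the filter encodes the hash, compares the stored value against hex and base64 SHA1 over both UTF-8 and UTF-16LE; $TestUser/$TestPassword are a test account whose password you change yourself. Run it from an elevated prompt on the DC.

```powershell
# Added example, not the project's own code: verify the Hashing Password Filter install on a DC.
# Assumptions (not stated in the post): the LSA "Notification Packages" entry is the DLL name
# without ".dll"; the ini path is the one given in the steps; the stored hash is hex or base64
# SHA1 of the password in UTF-8 or UTF-16LE (all four forms are tried).
param(
    [string]$TestUser     = "",   # sAMAccountName of a test account whose password you just changed
    [string]$TestPassword = ""    # the password you set on that account
)

$filterName = "HashingPasswordFilter"
$dllPath    = Join-Path $env:SystemRoot "$filterName.dll"
$iniPath    = "C:\Documents and Settings\All Users\Application Data\$filterName.ini"
$lsaKey     = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$results    = @()

# 1) The DLL was copied into C:\Windows
$results += New-Object PSObject -Property @{ Check = "DLL present"; Ok = (Test-Path $dllPath); Detail = $dllPath }

# 2) LSA will load the filter at boot only if it is listed in the Notification Packages multi-string
$packages = (Get-ItemProperty -Path $lsaKey -Name "Notification Packages")."Notification Packages"
$results += New-Object PSObject -Property @{ Check = "Registered with LSA"; Ok = ($packages -contains $filterName); Detail = ($packages -join ", ") }

# 3) Complexity requirement is on in the effective policy (password filters are not called otherwise)
$cfg = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$m = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)' | Select-Object -First 1
$complexityOn = ($m -ne $null) -and ($m.Matches[0].Groups[1].Value -eq "1")
Remove-Item $cfg -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{ Check = "Complexity enabled"; Ok = $complexityOn; Detail = "PasswordComplexity = 1 in exported policy" }

# 4) The ini holds the sync account's credentials: only Administrators and SYSTEM should be granted access
$allowed = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")
$extra = @()
if (Test-Path $iniPath) {
    $extra = @((Get-Acl $iniPath).Access |
        Where-Object { $_.AccessControlType -eq "Allow" -and ($allowed -notcontains $_.IdentityReference.Value) } |
        ForEach-Object { $_.IdentityReference.Value })
}
$results += New-Object PSObject -Property @{ Check = "ini ACL restricted"; Ok = ((Test-Path $iniPath) -and ($extra.Count -eq 0)); Detail = ("extra principals: " + ($extra -join ", ")) }

# 5) The hashedPassword attribute exists in the schema (searched by lDAPDisplayName, not CN)
$schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNC")
$s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=hashedPassword))"
$results += New-Object PSObject -Property @{ Check = "Schema attribute"; Ok = ($s.FindOne() -ne $null); Detail = "hashedPassword in $schemaNC" }

# 6) End to end: after a password change on the test account, hashedPassword should equal SHA1(password).
# Returns a hashtable of candidate encodings because the post does not say which one the filter writes.
function Get-Sha1Candidates([string]$password) {
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $out = @{}
    foreach ($enc in @([System.Text.Encoding]::UTF8, [System.Text.Encoding]::Unicode)) {
        $digest = $sha1.ComputeHash($enc.GetBytes($password))
        $out["$($enc.WebName)/hex"]    = ([BitConverter]::ToString($digest)).Replace("-", "").ToLower()
        $out["$($enc.WebName)/base64"] = [Convert]::ToBase64String($digest)
    }
    return $out
}
if ($TestUser -and $TestPassword) {
    $u = New-Object System.DirectoryServices.DirectorySearcher
    $u.Filter = "(&(objectCategory=person)(sAMAccountName=$TestUser))"
    $u.PropertiesToLoad.Add("hashedPassword") | Out-Null
    $hit = $u.FindOne()
    $stored = ""
    if ($hit -and $hit.Properties.Contains("hashedpassword")) { $stored = [string]$hit.Properties["hashedpassword"][0] }
    # -eq on strings is case-insensitive in PowerShell, which also covers upper-case hex
    $match = Get-Sha1Candidates $TestPassword | ForEach-Object { $_.GetEnumerator() } |
        Where-Object { $stored -ne "" -and $_.Value -eq $stored } | Select-Object -First 1
    $detail = "stored value: '$stored'"
    if ($match) { $detail = "matches " + $match.Key }
    $results += New-Object PSObject -Property @{ Check = "Hash written for $TestUser"; Ok = ($match -ne $null); Detail = $detail }
}

$results | Format-Table Check, Ok, Detail -AutoSize
```

Anything other than Administrators and SYSTEM showing up under “ini ACL restricted” means the sync account's login details are exposed to that principal; fix the ACL before going further. If check 6 finds a value but no encoding matches, the filter is writing in a form this script does not try, so compare the stored value against the log file by hand rather than assuming the install is broken.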
Once a user changes their password, the filter updates the “hashedPassword” attribute for that user. The GoogleHashUpdater should then go and update the user too. (We aren't using that yet; there are still a few bugs with it.)
Currently we are syncing passwords nightly; users log in via single sign-on (CAS by Jasig), so passwords aren't too important at the moment, only for IMAP and mobile syncing.


REMEMBER!!!
Install on all Domain Controllers or it won’t work properly.

Google Forum Thread