Google Apps Directory Sync and AD Passwords

I’ve been working on our Google Apps deployment today and thought I’d share some of what I’ve learned along the way.

Google Apps Directory Sync

The Google Apps Directory Sync tool syncs the Users, Groups, Profiles and Contacts in your LDAP directory with Google Apps.  The latest revision of this tool also claims it will sync passwords from Microsoft Active Directory.  That's true, kinda.  Stay tuned for that...

The Google Apps Directory Sync tool is pretty self-explanatory in its setup.  It is helpful to know a little bit about LDAP and Active Directory, but with a little sleuthing I was able to figure everything out.  Following are 10 screenshots of my setup in the tool.  The yellow highlighted text at the left of each screenshot shows where I am in the configuration; if a screen is skipped, the fields there have been left blank.

Password Sync

Active Directory never exposes user passwords over LDAP.  It stores only a hash of each password, in the unicodePwd attribute, and no LDAP client can read that attribute, so when the sync tool tries to sync the passwords there is nothing for it to read and they don't sync.  You have to get a copy of each password, in a hashed form Google Apps accepts, into an ordinary readable attribute within Active Directory for this to work.  I found this link that helped explain why the passwords would not sync.  Near the end of the thread, you'll see a tool referenced.  The tool can be found here.

This tool is basically a Windows password filter: a DLL registered with the LSA on the domain controller that is handed the new password in the clear whenever a password is set or changed, before AD hashes it away.  It computes the SHA-1 hash of the password (plain SHA-1 with no salt, written as a hex string) and inserts it into the "division" attribute field of the user object, which the sync tool can read and Google Apps accepts as a pre-hashed password.  After following the installation directions and then changing my password, I saw the SHA-1 hash of my password populate into the "division" LDAP attribute field.  In order to get this field to populate, YOU MUST initiate a password change for the user: the filter only sees a password at the moment it changes, and only for changes processed by a domain controller where the DLL is installed, so register it on every writable domain controller before you start.  I plan on doing that as I migrate my users over the next few weeks.

Two things to be aware of before you do.  "division" is a real attribute (it normally holds an organizational division), so anything already stored there gets replaced.  And an unsalted SHA-1 of a password is cheap to crack offline, while "division" is part of the general user information that any authenticated domain user can read by default with an LDAP browser, so treat that attribute as sensitive and restrict who can read it.
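Because the hash only appears after a password change on a domain controller running the filter, it helps to know which accounts have actually been captured before pointing the sync at them.  The script below is an added example, not code from the original post or from the password filter's author.  It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the filter writes an unsalted hex SHA-1 into "division", and that the OU, the install date, the test account and its password are placeholders you replace with your own.

```powershell
# Added example, not part of the original post: audit which users the password
# filter DLL has captured into the "division" attribute, and verify the hash
# format against a test account whose password you know.
# Assumptions: ActiveDirectory module available; filter writes unsalted hex SHA-1;
# $FilterInstalledOn is the day the DLL was registered on the domain controllers.
Import-Module ActiveDirectory

$FilterInstalledOn = Get-Date '2010-01-15'              # assumed install date
$SearchBase        = 'OU=Staff,DC=example,DC=com'       # assumed OU to migrate
$HexSha1           = '^[0-9a-fA-F]{40}$'                # 20 bytes of SHA-1 as hex

function Get-Sha1Hex {
    # Hex SHA-1 of a string. The text encoding the DLL uses is an assumption;
    # if the value for the test account does not match, try
    # [System.Text.Encoding]::Unicode (UTF-16LE) instead of UTF8.
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        -join ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $sha1.Dispose()
    }
}

# Every enabled user in the OU, with the attribute the filter writes and the
# timestamp of the last password change.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties division, PasswordLastSet

$users | ForEach-Object {
    $state = if ([string]::IsNullOrEmpty($_.division)) {
                 'no hash: needs a password change'
             } elseif ($_.division -notmatch $HexSha1) {
                 'division holds a non-hash value: it will be overwritten on the next change'
             } elseif ($_.PasswordLastSet -lt $FilterInstalledOn) {
                 'hash present but password predates the filter install: verify'
             } else {
                 'captured'
             }
    [pscustomobject]@{
        User            = $_.SamAccountName
        PasswordLastSet = $_.PasswordLastSet
        State           = $state
    }
} | Sort-Object State, User | Format-Table -AutoSize

# One-off format check: set a known password on a throwaway test account
# (assumed name and password below), then confirm the stored hash matches.
$test = Get-ADUser -Identity 'gads-test' -Properties division
if ($test.division -eq (Get-Sha1Hex 'Known-Test-Passw0rd')) {
    'division matches SHA-1 hex of the test password'
} else {
    'mismatch: check the filter is registered on this DC and which encoding it hashes'
}
```

Run it once after registering the DLL and again after each batch of forced password changes; accounts that stay in the "no hash" state were changed on a domain controller without the filter, or have not been changed at all.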

Updates

So now, how does Google Apps stay synchronized with Active Directory?  Set up a Scheduled Task on your server to launch the sync at whatever frequency you feel is necessary.  If you need to update in a more timely manner, just manually launch that scheduled task.  On the Run line in the Scheduled Task I have the following (both paths contain spaces, so each one is quoted on its own rather than quoting the whole line as one string):

"c:\Program Files\Google Apps Directory Sync\sync-cmd.exe" -a -c "c:\Documents and Settings\Administrator\My Documents\GAppsDirSync.xml"

I created an old-fashioned MS-DOS batch file to launch the Google Apps Directory Sync from the command line.  This batch file is then attached to a Scheduled Task.  In the batch file my commands are as follows (sync-cmd.exe is called directly rather than through "start", so the task does not report finished until the sync actually completes and its exit code is passed back):

rem change drive and directory in one step; the path has spaces, so it is quoted
cd /d "c:\Program Files\Google Apps Directory Sync"

sync-cmd.exe -a -c "c:\GAppsDirSync.xml"
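A scheduled sync that fails silently is worse than no sync, because Google Apps quietly drifts away from AD.  The wrapper below is an added example, not part of the original post or of the Google tool; it runs the same sync-cmd.exe command, keeps a log of each run, and returns the tool's exit code so Task Scheduler records the failure.  It assumes PowerShell 3.0 or later, and the paths, log directory and schedule are placeholders.

```powershell
# Added example, not part of the original post: wrapper for the scheduled sync.
# Assumed paths; adjust to where GADS and its config live on your server.
$GadsExe = 'C:\Program Files\Google Apps Directory Sync\sync-cmd.exe'
$Config  = 'C:\GAppsDirSync.xml'      # holds LDAP and Google Apps connection settings: keep it readable only by the task account
$LogDir  = 'C:\GADS\logs'

if (-not (Test-Path -Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}
$log = Join-Path $LogDir ('sync-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# The call operator runs the exe synchronously (unlike "start"), so the task
# only finishes when the sync does. "*>" sends every output stream to the log.
& $GadsExe -a -c $Config *> $log
$rc = $LASTEXITCODE
"exit code: $rc" | Out-File -FilePath $log -Append

# Keep the last 30 logs so the directory does not grow forever.
Get-ChildItem -Path $LogDir -Filter 'sync-*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip 30 |
    Remove-Item -Force

if ($rc -ne 0) {
    Write-Error "GADS sync failed with exit code $rc, see $log"
}
exit $rc

# To register it (run once from an elevated prompt; hourly schedule is an assumption):
#   schtasks /Create /SC HOURLY /TN "GADS Sync" /RU SYSTEM /F ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\GADS\Run-GadsSync.ps1"
```

Because the script exits with sync-cmd.exe's own exit code, a non-zero result shows up as "Last Run Result" in Task Scheduler instead of being hidden behind a batch file that always returned success.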

Hopefully this helps you get started on syncing your Microsoft Active Directory with Google Apps.  If you see items that need to be clarified, please let me know so that I can make this easier for everyone!

17 Responses to Google Apps Directory Sync and AD Passwords

  1. Kris Hagel says:

    There are also options you can look at like CAS http://jasig.org/cas

    It will provide single-sign on using your AD instead of this method. Then you don’t have to worry about password syncing ever again. Whatever is in AD is what their password is to get into Google Apps.

    I have written a few articles about this on my Blog: http://blog.krishagel.com/search/label/CAS

    Let me know if you have any questions about this.

    • sgoodger says:

      Hey Kris,

      Thanks for the comment. I was just looking at the CAS site this morning as I was wading my way through everything. I didn't go too far with it though. I wasn't sure about adding another layer of complexity to everything. I'll be using the Directory Sync Tool both with or without SSO because I want to be able to sync my users and their information with Google Apps. I didn't see how using CAS would do that. This saves me from having to do double entry; once into AD, then again in Google Apps.

      Since I’m already using the Sync Tool, it just made sense to use it for the passwords as well.

      Question for you: How does using SSO effect mobile users?

      Thanks again for the comment!

    • Chris Francy says:

      The problem is that this only works for web-based access of Google services. Do you want to use a local XMPP client for Google talk, do you want to use Thunderbird to access your email? Sorry, you can’t do that with SAML based auth.

  2. Kris Hagel says:

    Oh yeah, you definitely want to use the Directory Sync tool. That is a great utility. We just also use CAS to do authentication.

    You bring up a good point about mobile users. It depends on the application. If you are just going to a web interface then CAS works just fine, but if you have users using something like Google Talk, then they need to know their actual Google Apps password. We don't have anyone using that at this time so it isn't a problem for us, but I can see how it could be for others.

  3. Abdul Waheed says:

    Please confirm one thing for me: suppose I register the DLL file on my domain controllers; will all my users stop working with their old passwords?

  4. Abdul Waheed says:

    “YOU MUST initiate a password change for the user. I plan on doing that as I migrate my users over the next few weeks.”

    What does that mean? Please explain.

    • sgoodger says:

      In order for the DLL file to capture the users' passwords, you need to reset each user's Active Directory password ON THE DOMAIN CONTROLLER WHERE THE DLL IS INSTALLED. Once the password has been reset, it can be synced with Google Apps.

      It is the reset of the password that initiates the capture of the password by the dll file.

  5. Abdul Waheed says:

    Thanks, I just wanted to confirm whether it will disturb my existing users or not. It means I can go through the configuration, and then I will have to reset the passwords for all the users.

  6. Abdul Waheed says:

    Thanks, it worked!

  7. Dan Monighetti says:

    I am trying to complete the test and I don't get results. How long does it take to see results? Under the validation results, it says Initializing.

    Thanks,
    Dan

    • sgoodger says:

      Hey Dan - The sync test should be fairly quick. Mine completes in a minute or two, and I am syncing about 80 user accounts. If it stays on Initializing, then my first thought is this: is it actually reaching your Active Directory? Check your settings and verify them. I think I even use the IP address of the server, not the server name.

  8. BP says:

    Where did you install the Directory Sync Tool: on your LDAP server itself, or another server/workstation? I have watched and studied Google's tutorial video, but I'm not absolutely sure what I'd do in a single server environment. Thoughts?

  9. Jordan says:

    First, thanks for the post. My comment has to do with security. How secure is it to dump the password hash into an LDAP attribute? I worry that because it is an LDAP attribute someone could grab the hash using an LDAP browser and run it against a rainbow table hack to decrypt the password. I’m in an educational institution and worry that an enterprising young student might put his/her talent to ill use. Thanks for your thoughts!

    • sgoodger says:

      Hey Jordan - thanks for reading! I'm not a security expert but there are a couple of things here that I'm not too worried about. First - the password is intercepted in an MD5 hash - pretty secure. Second - the students would have to know which attribute to look for in order to even find the hash. Third - they'll need to hack your AD Admin password also.

      The likelihood of someone actually going through that much effort just to gain access to someone's email/Google Apps account is slim, but I get it, there is always someone who might try.

      In my opinion, there is a small risk of that, but am I staying up at night worrying about it? No. I have larger fish to fry.

      Thanks for the comment!

  10. I went through all this pain myself and blogged about it in more detail, I’ll also link to your blog from there as you have some great screenshots of the initial setup!

    In regards to the MD5 hash, it's actually stored as a SHA1 hash if you are using the SHA1Hex filter. I also show you how to lock down that LDAP attribute so people can't see it. That way they can't access the passwords in their reduced security.

    http://www.destinationip.com/index.php/site/google_apps_password_sync_with_active_directory_ad/
