Integrating Open Directory and Google Apps (Natively Syncing Open Directory Passwords to Google Apps)

I have been reviewing for some time the different ways available to push password change updates from an Apple Open Directory (OpenLDAP) Master to our Google Apps domain, and I have waited for some time for a solution I could go with. However, I have been unsatisfied with the solutions available for OS X. I wanted a very simple, secure, natively run solution that runs on my Snow Leopard Server or Lion Server. Simple is a major part here: while some people don’t mind getting into configs and changing them, I wanted it to be: run an installer, answer some easy questions, and bam! So below are my personal requirements for this first round of development.


Integrating Google Apps with Open Directory Requirements

  1. Do NOT store a plaintext password on disk.
  2. No extra services (such as MySQL), I wanted to use a simple flat file structure, similar to svn, because it is one less thing to fail.
  3. Easily configurable, easy to extend, easy to archive, easy to remove.
  4. When a user changes their LDAP password it should change their Google Apps password.
  5. If a user sets a password on a LDAP account which does not exist in Google Apps, it should be created.
  6. It should work for multiple Google Apps Domains.
  7. Install it & forget about it.

So I wrote a simple series of bash scripts, and an easy installer & uninstaller, to accomplish what I wanted. While this is my first iteration of this tool, it is currently in the last stages of production deployment testing, and I believe it to be ready to be used by most. I tried reasonably well to make the setup easy and very straightforward. Everything needed for this to work is already on OS X Server or included in the installer.

This is designed to be installed on your ODM. While the installer is not foolproof, I believe it handles the most common cases and setups without problem. I will be developing this more and maturing the features, but I am currently focusing on my own needs, so I would really like to hear what would be popular to add.

It makes heavy use of openssl to store confidential information using public key cryptography, which also allows root to actually recover a password if the situation ever arises. The tools installed with this must be run as root, and root access is required to reach the flat file structure it stores information in; this is intentional, as it adds a measure of security as to who can access it. If someone has root access to your ODM, all bets are off anyway.
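To make the “no plaintext on disk, but root can still recover it” property concrete, here is an added example in shell, written for this write-up; it is not googlePasswordSync’s own code and does not reproduce its file layout. It gives each account its own RSA key pair (as the release history below describes), encrypts a captured password with the public key so that only ciphertext is ever written, and recovers it with the private key. Assumptions: a modern openssl with `pkeyutl` (the 0.9.8 shipped with Snow Leopard predates it), and a vault directory, account name and password that are constructed for the demo.

```shell
#!/bin/sh
# Added example (not googlePasswordSync's code): per-account RSA key pair,
# public-key encryption of a captured password at rest, private-key recovery.
set -eu

# Constructed vault location for the demo; the real tool's flat-file layout is not assumed.
VAULT="${VAULT:-$(mktemp -d)}"

# Create a key pair for one account. The private key is readable by its owner only
# (root, when this runs on the ODM); the public key may be world-readable.
gps_make_keypair() {
  dir="$VAULT/$1"
  mkdir -p "$dir"
  chmod 700 "$dir"
  ( umask 077; openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null )
  openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null
  chmod 600 "$dir/private.pem"
  chmod 644 "$dir/public.pem"
}

# Store a password for an account: only RSA-OAEP ciphertext reaches the disk.
# Anything able to write here can encrypt, but only the private key holder can read.
gps_store_password() {
  dir="$VAULT/$1"
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$dir/public.pem" \
      -pkeyopt rsa_padding_mode:oaep -out "$dir/password.enc"
  chmod 600 "$dir/password.enc"
}

# Recover the password; requires read access to the private key.
gps_recover_password() {
  dir="$VAULT/$1"
  openssl pkeyutl -decrypt -inkey "$dir/private.pem" \
      -pkeyopt rsa_padding_mode:oaep -in "$dir/password.enc"
}

# Audit check: returns 0 when the plaintext appears in no file of the account's vault.
gps_plaintext_absent() {
  ! grep -rqF -- "$2" "$VAULT/$1"
}

# Demo with a constructed account and password.
gps_make_keypair jdoe
gps_store_password jdoe 'Correct-Horse-42'
gps_plaintext_absent jdoe 'Correct-Horse-42' && echo "no plaintext on disk under $VAULT/jdoe"
echo "recovered as root: $(gps_recover_password jdoe)"
```

The audit function is the check worth keeping around: after a sync run, grep the vault for a known test password and expect no hit. Everything else reduces to file permissions on `private.pem`, which is exactly the author’s point that root on the ODM is the trust boundary.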

It also uses Apple’s native launchd instead of cron, because Apple is discontinuing support for cron on its platform. I believe this is the easiest, most straightforward solution I have come across for syncing passwords from Open Directory to Google Apps on OS X.

There are some conventions to follow in order for this to work properly and they are as follows:

  1. In each of the user accounts in OD, make sure the user’s full Google Apps email address is entered under the User Info tab; it should be the only email address entered.
  2. In each of the Google Apps domains, make sure you create the SAME domain admin user (the part before the @) with the SAME password.

All messages are printed to the system.log file, so watch this file if you want to see any errors or just to see it working. You might have to send a -HUP to, or restart, PasswordServer or the ODM for changes to take effect, but I did not have to. Formal documentation will follow after the next release.


Installation is simple:

  1. Download the latest zip file to the Open Directory Master.
  2. Unzip the file.
  3. Open Terminal.
  4. Change to the setup directory inside the package (this is a must!).
  5. cd to the newly unzipped folder.
  6. Run: sudo ./install.sh

googlePasswordSync Release Log:

CURRENT RELEASE: org.theObfuscated.googlePasswordSync

SPECIAL NOTE: Bugs should be filed under the issues section on GitHub at https://github.com/jjviscomi/googlePasswordSync/issues. Please include all the output from the logs and whatever else is necessary to help correct or identify the issue.

- Added Google Apps Directory Sync (GADS) integration capability. If you choose to enable it, it will now modify the user’s LDAP record to include a SHA hash of the password so that GADS can push that information to Google Apps. However, if you choose this option, make sure you use a DACL to prevent everyone from seeing this information.
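As an added illustration of what “a SHA hash of the password” in the user’s LDAP record looks like, the shell functions below (not part of googlePasswordSync; written for this post) produce and verify the LDAP-style `{SHA}` and salted `{SSHA}` userPassword encodings. That GADS consumes this particular base64 `{SHA}` encoding is my assumption, not something the release note states; the sample passwords are constructed. The verify function is the check a practitioner wants before trusting the stored value: that it matches the password and nothing else.

```shell
#!/bin/sh
# Added example (not googlePasswordSync's code): LDAP {SHA} / {SSHA} userPassword values.
# Assumption: GADS reads the standard base64 {SHA} form shown here.

# {SHA}: base64(SHA-1(password)). Unsalted: equal passwords give equal values.
ldap_sha_hash() {
  printf '{SHA}%s\n' "$(printf '%s' "$1" | openssl dgst -sha1 -binary | openssl base64)"
}

# {SSHA}: base64(SHA-1(password || salt) || salt) with a random 8-byte salt,
# so two users with the same password no longer share an attribute value.
ldap_ssha_hash() {
  salt=$(mktemp)
  openssl rand 8 > "$salt"
  { printf '%s' "$1"; cat "$salt"; } | openssl dgst -sha1 -binary > "$salt.dgst"
  printf '{SSHA}%s\n' "$(cat "$salt.dgst" "$salt" | openssl base64)"
  rm -f "$salt" "$salt.dgst"
}

# Verify a candidate password against a stored value of either scheme.
# Returns 0 on match, 1 on mismatch, 2 for an unknown scheme.
ldap_hash_verify() {
  stored="$1"; candidate="$2"
  case "$stored" in
    '{SHA}'*)
      [ "$(ldap_sha_hash "$candidate")" = "$stored" ]
      ;;
    '{SSHA}'*)
      tmp=$(mktemp)
      # openssl base64 -d wants a trailing newline on its input.
      printf '%s\n' "${stored#"{SSHA}"}" | openssl base64 -d > "$tmp"
      # The first 20 bytes are the SHA-1 digest; whatever follows is the salt.
      head -c 20 "$tmp" > "$tmp.dgst"
      tail -c +21 "$tmp" > "$tmp.salt"
      if { printf '%s' "$candidate"; cat "$tmp.salt"; } | openssl dgst -sha1 -binary | cmp -s - "$tmp.dgst"; then
        rc=0
      else
        rc=1
      fi
      rm -f "$tmp" "$tmp.dgst" "$tmp.salt"
      return $rc
      ;;
    *) return 2 ;;
  esac
}

# Demo with constructed passwords.
ldap_sha_hash 'password'          # the well-known {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
ldap_ssha_hash 'Correct-Horse-42'  # differs on every call because of the salt
```

`{SHA}` is unsalted, so it is only as strong as SHA-1 against offline guessing and leaks which users share a password; that is why the author’s advice to restrict read access to this attribute with a DACL matters more than the choice of digest. `{SSHA}` at least removes the equal-password giveaway, if the consumer on the Google side accepts it.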

—— RELEASE HISTORY ——

- Completely re-written from the ground up.

- Every account now has its own private / public key pair

- Will now sync all registered accounts to Google Apps at specified intervals (not just when a password is changed in ldap)

- Better diagnostic information during install

- Tested & confirmed working with the following servers: 10.5, 10.6 & 10.7

- Moved development to GitHub https://github.com/jjviscomi/googlePasswordSync


  • Minor Release Update: 07/22/2011 (DO NOT USE – REMOVED)

 - Updated a more generic ldap topology (thanks to Petter Olsson)

 Google Password Sync: org.theObfuscated.googlePasswordSync-0.1b4.zip


  • Minor Release Update: 07/22/2011 (DO NOT USE – REMOVED)

 - Updated a more generic ldap search path (thanks to Petter Olsson)

 Google Password Sync: org.theObfuscated.googlePasswordSync-0.1b3.zip


  • Minor Release Update: 07/12/2011 (DO NOT USE – REMOVED)

 - Added log files under /var/log/googlePasswordSync/

 - Corrected installer bugs (which did not affect functionality).

 Google Password Sync: org.theObfuscated.googlePasswordSync-0.1b2.zip


  • Initial Release Date: 07/11/2011 (REMOVED)

 Google Password Sync: org.theObfuscated.googlePasswordSync-0.1b1.zip


32 Comments.

  1. Hi,

    I read this article and you’re now in my RSS feed :-)

    Looking through the code is there any reason this would not work with 10.7? Figured I’ll just run it and see where it breaks.

    Good stuff! Keep up the good work.

    -Petter

    • Petter,
      I have not played with 10.7 Server at all yet. I see no reason why it should not work, but let me know what you find and I will update accordingly. I am getting ready to release a major update next week which adds a lot of requested functionality, and an updating feature. Thanks for checking it out!

      -
      Joe

  2. I installed your latest one on our 10.68 Server and it works exactly as explained. Currently it only pushes the account’s password to Google when you change / update the password; it would be really helpful if you synced all users’ passwords on some regular cycle.

  3. Joseph,

    Do you have a download link for the current release? I see the major update and wouldn’t mind taking a look at it there. This def. seems like a really nice approach based on what was cobbled together :)

    Drop me an email if you don’t mind.

    Randy

  4. Hi Joseph,

    Thanks for the scripts. It looks great.
    I installed it on our Lion Server and the installation scripts did not show any error. However, even though there are accounts with the appropriate Gmail address specified, those accounts haven’t been created (even after a password change).

    Is there any way I can specify verbose mode?

    Thanks,
    masa

  5. Thoughts on this?

    org.theObfuscated.googlePasswordSync[5527]: No such object (32)

    Then the password isn’t syncing to google.

    You get about 8 of those errors.

    • Ok here is the issue.

      Server name is ldap.internal.example.com
      So it creates the search base of dc=ldap,dc=internal,dc=example,dc=com
      The actual search base for my server is dc=internal,dc=example,dc=com

      So i fixed it with the following command.

      defaults write /Library/Preferences/org.theObfuscated.googlePasswordSync LDAP dc=internal,dc=example,dc=com

      Then it stops giving errors
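The search-base mix-up in this thread is worth showing in code. The shell snippet below is an added example, not part of googlePasswordSync, that reproduces the naive derivation of a search base from the server’s host name, shows the prefix-stripping fix, parses the namingContexts a root DSE query returns so the base can be discovered instead of guessed, and gives an explicit override (the `defaults write` key the reply above uses) the last word. The root DSE output is a constructed sample; `read_defaults_override` is macOS-only and is only a wrapper around the command from the reply.

```shell
#!/bin/sh
# Added example (not googlePasswordSync's code): choosing an LDAP search base safely.

# Naive derivation: ldap.internal.example.com -> dc=ldap,dc=internal,dc=example,dc=com
# This is the step that goes wrong when the host name carries a label the base does not.
fqdn_to_dn() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    printf "\n"
  }'
}

# Drop the first N labels of a host name (the host prefix), e.g.
# strip_prefix_labels ldap.internal.example.com 1 -> internal.example.com
strip_prefix_labels() {
  printf '%s\n' "$1" | cut -d. -f"$(( $2 + 1 ))-"
}

# Parse the LDIF produced by
#   ldapsearch -x -H ldap://HOST -b '' -s base namingContexts
# (read on stdin) and print each namingContexts value on its own line.
parse_naming_contexts() {
  awk '/^namingContexts:/ { sub(/^namingContexts:[ \t]*/, ""); print }'
}

# macOS only: the override the reply above sets with `defaults write`.
read_defaults_override() {
  defaults read /Library/Preferences/org.theObfuscated.googlePasswordSync LDAP 2>/dev/null || true
}

# Precedence: explicit override > first discovered context > derived from the FQDN.
choose_search_base() {
  override="$1"; fqdn="$2"; discovered="$3"
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
  elif [ -n "$discovered" ]; then
    printf '%s\n' "$discovered"
  else
    fqdn_to_dn "$fqdn"
  fi
}

# Constructed root DSE answer for the demo (what ldapsearch would return).
SAMPLE_ROOTDSE='dn:
namingContexts: dc=internal,dc=example,dc=com
namingContexts: cn=config
'

# Demo: discovered context wins over the (wrong) derivation from the host name.
choose_search_base "" ldap.internal.example.com \
  "$(printf '%s' "$SAMPLE_ROOTDSE" | parse_naming_contexts | head -n 1)"
```

Querying the root DSE for namingContexts is the check to run before blaming the tool: if the value it returns differs from the `dc=` string the installer derived, the `defaults write` override in the reply is the right fix, and the `No such object (32)` errors are exactly what a base DN that does not exist produces.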

  6. This is perfect. How do we donate to your work?

  7. Quick, somewhat related question…

    I’m trying to get an OS X server up and running in my company b/c earlier this year we switched from Exchange and AD to Google Apps and AD, but the Google Apps contact and calendar sharing are either non-existent or don’t work the way we need. Almost every employee uses a Mac, but b/c of the former setup we still use AD everywhere; due to HIPAA, though, we have to change passwords frequently (Google Apps doesn’t require this), and since we don’t want to have users have to change their password in multiple places we have a PHP script set up that allows users to navigate to a specific URL, put in their username, old password, and new password (twice), and, provided the new password meets the criteria, the script changes both their AD password and their Google Apps password. I’ve been trying to bring an OS X server online to offer iCal, Address Book, and iChat (maybe Wiki someday) services to users, but due to an issue w/ Lion Server, if one bound an OD server to an AD server (so all the users and their info would be in the OD as well, and thus have access to the Apple services), passwords and logins would be sent in clear text, which we absolutely can’t have. There were a couple of fixes regarding Kerberos and/or SSL, but due to lack of knowledge in part, and it not working for us in part, they weren’t going to work for us. So, since we don’t want them having to change their passwords in more than one place, I’m wondering if there’s a way to have the PHP script mentioned above (allowing users to go to a website and change both their AD password and their Google Apps one) change the user’s OD password as well as the AD and Google Apps one, thus allowing them to only have one password to remember, only have to change it in one place each month, and still give them access to everything as before, but w/ the addition of access to the OD services.
    Even though I don’t really want to do it, I’m willing to go in to the OD and recreate all the users (I’d almost prefer it so I know all the info is correct and such), so all I’d need to do is tie the OD change password commands (…I guess…?) to the PHP script.

    So, is this doable? Might there be a better way? Other than getting rid of AD altogether though, b/c I’ve tried desperately already…and it’s a no-go…

    Thank you in advance,

    Erik

  8. This is a work of genius, thank you so much for your contribution.

    Our testing works perfectly if we make a password change using the Workgroup Manager on the ODM. However, if a user changes their password through the ‘Connect to server’ dialogue (you can click the gear on the connect to server menu and change your password), the gps.sh is not triggered. Is this the expected behavior?

    Also, forcing a password change for a user will not trigger the gps.sh. We can live with only changing passwords via WGM; I’m just curious if this is the way it is supposed to work.

    • No, that is not the expected behavior. I have been working on a new version with all the bells and whistles that has many more features as well as being Lion compatible. I expect that to be out in the next couple of weeks; I will check this on that next release.

      • Hi Joseph!

        I’m setting up a new Mac Mini with 10.7.3 Server (as an add-on via the App Store). Your strikethrus indicate that Lion Server compatibility is not guaranteed here. What’s your status on getting this working? I have no plans on executing until your code is ready for production use.

        Please feel free to email me.

        Thanks so much for your hard work! I hope this thing works!

  9. Hi, I installed gps as described; however, there are no accounts synced with Google Apps. The installer said everything is ok and launchd is starting the process every 90 seconds. But there are no other log entries other than these:

    Jan 23 17:49:56 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) sync –sync process started.
    Jan 23 17:49:56 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) Sync –update process finished.
    Jan 23 17:49:56 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) Sync –sync process finished.
    Jan 23 17:51:26 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) sync –update process started.
    Jan 23 17:51:26 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) sync process already started, Exiting.
    Jan 23 17:51:26 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) sync –sync process started.
    Jan 23 17:51:26 srv01 com.apple.launchd[1] (org.theObfuscated.googlePasswordSync[32095]): Exited with exit code: 1
    Jan 23 17:51:26 srv01 (/private/etc/org.theObfuscated/googlePasswordSync/gps.sh) Sync –sync process finished.

    The second process and the error message “Exited with exit code: 1” appeared after I uninstalled and reinstalled the script. It probably left the first launchd task in place and added the second one.

    When I manually trigger /usr/sbin/authserver/tools/password_update.sh I get this message logged:

    Jan 23 17:46:45 srv01 (/usr/sbin/authserver/tools/password_update.sh) password change for user: .
    Jan 23 17:46:45 srv01 (/usr/sbin/authserver/tools/password_update.sh) password sync scheduled in push.queue for user: .

    Two other questions in the install script confused me also:

    googlePasswordSync is now compatablie with GADS, do you want to enable this compatability? [y/N]:

    and

    googlePasswordSync is now compatablie with GADS, do you want to enable this compatability? [y/N]:

    Can I just leave the defaults here or do I have to enter specific info?
    Could you kindly hint me to what I might have done wrong? I’m trying this on a 10.6.8 OD Master.

    Thank you very much.

    Hakan

  10. Hey, this looks great! But do you know, what is the issue with 10.7.x, which is mentioned in the README?

    Antoin.

    • Yes, I have a fully working beta and it should be finally out soon. The deal is Apple changed where they stored the information to run the external command. They moved it from a plist to the directory itself; a few little commands will get the current version working, but I have many new features being rolled out with this latest update. I expect it to be pushed to GitHub before the end of next week or the beginning of the following week at the latest.

  11. Did the install. Super easy, makes great sense.

    I did allow the GADS integration but I’m running into an issue where even if I do change the user’s password in WGM, the changes are never propagated to gAPPS. I’ve watched the googlePasswordSync process complete a few times and I’ve even run GADS to try to force it.

    What could I be missing? I had to change the gapps user pass manually to even get access to it. I didn’t use a default pass for it, could that be it?

    I’m stumped at this point. SHA is set in GADS as well but it doesn’t even report having tried to update the user record. It’s not seeing that the pass is changed.

    • Thomas,

      My question is: are you using GADS to do the sync and not googlePasswordSync? If that is the case, as long as you see your hash in LDAP, googlePasswordSync is doing what it is supposed to do. That is, on a user’s password change it captures the password, hashes it, and stores it in LDAP under the user’s record so GADS can push it to Google. It sounds like GADS is where your problem is.
      Let me know if the hashes are showing up under the LDAP record.

  12. Any update on the 10.7 release?

    • I have it in testing currently, ran into some issues so there was a delay. If everything goes well it will be committed and released on the 27th (Monday). However, I can truly say 10.7 moves even farther away from Enterprise quality and is only a step (intermediate release) Apple is trying to go … We are currently working on building a Debian Box with OpenLDAP to replace our OpenDirectory Solution running on our xserves …

      • Hi Joseph,
        great work, but I’m actually hosting 12 10.7 mini servers; as far as I see this is not working at all in Lion?
        Install went all right but it’s not syncing.

        you’re right, Lion seems to be a “work in progress”.

      • Joseph, I see there is a branch in GitHub which was updated more recently than the master branch, but both haven’t been touched in some time. I’m hesitant to move away from OS X Server (going to set up 10.6 while they’re still selling it) due to the WGM client management integration. I worry I’d lose something if user accounts were stored on an OpenLDAP server. Perhaps I’m wrong.

        Is the master branch still what you would recommend for use with 10.6.8 server?

  13. First: Two thumbs up for your great work on this project!

    Second: Just a follow up on the release for the 10.7 problem… Are you still working on a release or have you dropped this in favor of the Debian solution?

    Thanks for your time!

  14. Hi Joseph,
    great work, but I’m actually running 10 little lions (mini server).

    I’ve tried your script, install went all right but it’s not syncing: is this release not working at all in lion or is there some trick to get it working ?

    you’re right, Lion seems to be a “work in progress”. I’m experiencing a lot of problems, but I have many and I need them to work.. in some way.. :)

  15. Do changes made to users on the Google Apps domain side sync to the Open Directory, or am I misunderstanding?

  16. Joseph,

    This looks quite promising. Any chance you have an updated version ready to commit to github? I see the RC1 branch, but the last comments here indicate there may be something more robust in the pipeline. I’d love to try and get this working on Mountain Lion this afternoon.

  17. Joseph,

    Any updates on the script? I’ve got Mountain Lion Server installed and didn’t want to start without getting the very latest code. It doesn’t look like git has been updated since your notes regarding the 10.7 issue.

    Thanks!

    Andrew Lippert

  18. Hi Guys,
    Does this work on OpenLDAP and distributed Linux?

    Thanks.
