beautypg.com

Passwords – Google Apps Directory Sync Administration Guide User Manual

Page 32


Release 4.0.2

Autocomplete addresses.

Important:

Shared Contacts do not show up immediately. After you synchronize Shared Contacts, it may take up to 24 hours for the changes to appear in Google Apps.

Do you want to synchronize Calendar Resources? If you want to import calendar resources (such
as conference rooms) from your LDAP into Google Apps, configure Calendar Resources
synchronization. Calendar Resources are visible to every user when attempting to schedule calendar
events. For more information, see “LDAP Calendar Resources” on page 119.

If you do want to synchronize calendar resources, choose a naming format for your calendar
resources. Note that names containing spaces or special characters (like @) will not be synchronized.
The rules for calendar resource names are different from those for other synchronized information. For more
information on calendar resource naming, see the Google Code site article Developing a naming
strategy for your calendar resources.

Passwords

Directory Sync can import passwords from LDAP, but only from an LDAP attribute that stores passwords in
plain text, Base64, unsalted MD5, or unsalted SHA-1 format. Other password hash formats are not
currently supported, nor are salted hashes. Most directory servers do not support these formats natively,
and storing your user passwords in these formats on your mail server may have serious security
implications.

For password synchronization, GADS provides the following options:

Implement Single Sign-On for your domain. Set up a SAML server for your account to manage
Single Sign-On. Users will use the same passwords and authorization for both Google Apps and your
LDAP directory server. GADS will create random passwords during synchronization in this case.

Note that Single Sign-On supports only web authentication. Other forms of authentication (such as
IMAP, POP, and ActiveSync) do not support Single Sign-On and will still require a Google password.

Use this option if you are planning to set up Single Sign-On for your domain. For more information on
Single Sign-On, see the SSO site on Google Code.

Use a plain text LDAP attribute for default password for new users. With this option, Google Apps
passwords are separate from passwords on your LDAP directory server. You can use this method to
create a temporary password from any LDAP attribute that holds data in plain text format.

The most secure way to create a default password is to populate a custom attribute with a randomly
generated password. Alternatively, you can use a private and unique field, such as employee ID number.
Avoid using a field that could be easily guessed, such as email address or last name, since this could
make it easier for other users to sign up using temporary credentials.

Use this option if you want users to have separate one-time passwords, and you have or can create an
appropriate LDAP field to use for temporary passwords.
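
The following Python is an added example, not part of the GADS guide or any Google tooling. It generates a random temporary password per user, rejects values that embed an easily guessed attribute, and emits an LDIF change record that populates a custom attribute. The attribute name gadsTempPassword, the list of "public" attributes, and the sample entry are assumptions made for illustration.

```python
import base64
import secrets
import string

# Assumption: "gadsTempPassword" is a hypothetical custom attribute name,
# not one defined by GADS or by a standard LDAP schema.
TEMP_ATTR = "gadsTempPassword"
ALPHABET = string.ascii_letters + string.digits
PUBLIC_ATTRS = ("mail", "sn", "givenName", "uid")  # values other users can see or guess

def is_guessable(value, entry):
    """True if value equals, or embeds, one of the entry's public attribute values."""
    v = value.lower()
    for attr in PUBLIC_ATTRS:
        for known in entry.get(attr, []):
            k = known.lower()
            if v in (k, k.split("@")[0]) or (len(k) >= 3 and k in v):
                return True
    return False

def temp_password_for(entry, length=16):
    """Draw from the OS CSPRNG until the result mixes character classes
    and does not embed any public attribute of this entry."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        mixed = any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
            and any(c.isdigit() for c in pw)
        if mixed and not is_guessable(pw, entry):
            return pw

def ldif_line(name, value):
    """Emit one LDIF attribute line, base64-encoding unsafe values (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_modify(dn, password):
    """Build a change record that replaces TEMP_ATTR on dn."""
    return "\n".join([ldif_line("dn", dn), "changetype: modify",
                      f"replace: {TEMP_ATTR}", ldif_line(TEMP_ATTR, password), "-", ""])

# Constructed sample entry (not from any real directory).
SAMPLE = {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": ["jdoe"],
          "sn": ["Doe"], "givenName": ["Jane"], "mail": ["jdoe@example.com"]}

if __name__ == "__main__":
    print(ldif_modify(SAMPLE["dn"], temp_password_for(SAMPLE)))
```

The same is_guessable check can be run against an existing field before it is chosen as the default-password source; a value such as an employee ID passes, while one derived from the email address or last name does not.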

Use a third-party utility to convert unsupported passwords to a supported format. Check the
Google Marketplace for third-party tools to help with synchronizing passwords. Use this option if you
need to have Google Apps use the same passwords as your LDAP directory server, but you are
unable to set up a SAML server. This may require you to set new passwords on your LDAP directory.

Specify a default password for new users. Every new user will have the same password until that
user logs in and changes the password. With this option, Google Apps passwords are separate from
passwords on your LDAP directory server. Set a default password for new users, and then set
Directory Sync to synchronize passwords for new users and force new users to change their