Synchronizing User Names
We use OpenDJ for authentication and we also use Google Apps for email and calendaring. We want to minimize the number of passwords that people must remember. Fortunately, Google has a utility, Google Apps Directory Sync (GADS), that pushes the users in our OpenDJ LDAP server into our Google Apps domain so that the two stay consistent.
We've packaged it. The source code is available here.
Install the package with the following:
$ sudo apt-get install bbgads
You'll be asked a series of questions about your LDAP configuration and your Google Apps domain.
Once you've completed the installation, you must complete a few extra steps.
$ cd /opt/bbgads/current
$ sudo -u root ./config-manager
This brings up the Configuration Manager, where you set the two credentials the sync needs: your Google Apps administrator password and the password of the account used to bind to your LDAP server. Go to File -> Open and choose the configuration file. It will complain about the missing passwords; just click Ok. There will be a hierarchy of settings on the left. Choose Configure -> Google Apps -> Settings, set the password for your administrator and click the Test Connection button at the bottom. Next, go to Configure -> LDAP Settings -> LDAP Connection, set your LDAP password and click its Test Connection button as well. Finally, go to File -> Save and save your changes. The saved configuration now holds both credentials, so make sure it is readable only by root (or by whichever account runs the sync).
Before you go live, switch the Google Apps connection to OAuth authentication in the config-manager application, so that the administrator password does not have to be stored in the configuration at all.
The default configuration for /opt/bbgads/current/sync-script.sh is a dry run: it does NOT push any changes to Google. Before you push anything, read /var/log/gads/directory-sync.log to see what changes would be applied. Pay particular attention to any accounts it proposes to delete or suspend: a too-narrow LDAP query or a failed bind makes users look as if they have disappeared from the directory, and the sync will then act on that in your Google Apps domain. If you are happy with the proposed changes, edit /opt/bbgads/current/sync-script.sh and add -a to the command. Precise instructions are included in the file.
You may find that you want to store users in your LDAP directory that are not needed in Google Apps. My solution has been to restrict the sync to sambaSamAccount users with an LDAP filter such as (objectClass=sambaSamAccount), since my local users generally need access to Samba services anyway. That way, I can create plain posixAccount users with ldapadduser instead of smbpasswd -a; they can still authenticate against OpenDJ but are never synchronized with the Google Apps domain.
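As an added example (not part of bbgads or GADS), the following script shows what the sambaSamAccount filter described above selects and what it leaves out, so you can sanity-check the split before the real sync runs. It works on LDIF, the same format ldapsearch prints; the sample entries, the base DN dc=example,dc=com and the ldapsearch host in the comment are constructed assumptions, not values from this page.

```shell
#!/bin/sh
# Added example: preview which LDAP entries a GADS user filter of
# (objectClass=sambaSamAccount) would pick up, reading LDIF from stdin.
# Against a live OpenDJ you would feed it something like (host/base assumed):
#   ldapsearch -x -LLL -H ldap://localhost \
#       -b "ou=People,dc=example,dc=com" '(objectClass=*)' uid objectClass

# Constructed sample LDIF: alice has a Samba account, bob is posix-only.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
mail: alice@example.com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
mail: bob@example.com
'

# synced_users: print the uid of every entry that carries the given
# objectClass (default sambaSamAccount), i.e. what the sync would push.
synced_users() {
    class="${1:-sambaSamAccount}"
    awk -v want="$class" '
        /^uid: /         { uid = $2 }
        /^objectClass: / { if ($2 == want) hit = 1 }
        /^$/             { if (hit && uid != "") print uid; hit = 0; uid = "" }
        END              { if (hit && uid != "") print uid }
    '
}

# skipped_users: posixAccount entries without sambaSamAccount, i.e. the
# local-only users that ldapadduser creates and the sync leaves alone.
skipped_users() {
    awk '
        /^uid: /                        { uid = $2 }
        /^objectClass: sambaSamAccount/ { samba = 1 }
        /^objectClass: posixAccount/    { posix = 1 }
        /^$/ { if (posix && !samba && uid != "") print uid; samba = 0; posix = 0; uid = "" }
        END  { if (posix && !samba && uid != "") print uid }
    '
}

echo "Would sync to Google Apps:"
printf '%s' "$SAMPLE_LDIF" | synced_users
echo "Local only (not synchronized):"
printf '%s' "$SAMPLE_LDIF" | skipped_users
```

Run it against your real directory by piping ldapsearch output into synced_users and skipped_users; if a user you expect in Google Apps shows up in the second list, give them a Samba account (smbpasswd -a) rather than widening the filter.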