Hello FreeIPA users,
I am currently trying to set up an account for syncing users' hashed
userPassword attributes to our Google directory. Basically we use Gmail
and sync users' LDAP passwords so that their login matches their LDAP
login. This is a one-way sync, and Google only requires the hashes (MD5,
base64, SHA1).
From what I can gather, the cn=Directory Manager role is the only one that
can access users' userPassword attributes, but I was told it is possible to
maybe create a service account that is also able to access this? It only
needs read permissions. I have however not been able to get this working,
and I do not find the documentation on this to be very clear.
Can anyone point me in the right direction, or help me to set this up?
As of right now I have a user account (google), enrolled in a group
(google_sync), and would like to assign permissions to this group to read
the userPassword attribute from a group called "mail":
uid=google,cn=users,cn=accounts,dc=xx,dc=xx
cn=google_sync,cn=groups,cn=accounts,dc=xx,dc=xx
cn=mail,cn=groups,dc=accounts,dc=xx,dc=xx
As an additional question, are userPasswords hashed in base64, or? I can't
seem to find an answer to this.
Best regards,
René Johansen
System administrator
Christians Brygge 1
1219 København K
Tel: 31625208
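An added example of how the read grant described in the post can be expressed as a 389 Directory Server ACI (FreeIPA's LDAP backend). This is not from the post or from the FreeIPA project; it assumes the poster's DNs with the usual FreeIPA layout (cn=accounts under the base, so the "mail" group is cn=mail,cn=groups,cn=accounts,dc=xx,dc=xx) and that FreeIPA's memberOf plugin is active, so membership in "mail" can be used as a target filter. The ACI is added to the users container by cn=Directory Manager with ldapmodify:

```ldif
# Constructed example ACI: let members of google_sync read userPassword,
# but only on user entries that are members of the "mail" group.
dn: cn=users,cn=accounts,dc=xx,dc=xx
changetype: modify
add: aci
aci: (targetattr = "userPassword")(targetfilter = "(memberOf=cn=mail,cn=groups,cn=accounts,dc=xx,dc=xx)")(version 3.0; acl "google_sync may read userPassword of mail group members"; allow (read, search, compare) groupdn = "ldap:///cn=google_sync,cn=groups,cn=accounts,dc=xx,dc=xx";)
```

After applying it, bind as uid=google,cn=users,cn=accounts,dc=xx,dc=xx with ldapsearch over LDAPS/STARTTLS and request the userPassword attribute for a member of "mail"; an entry that returns the attribute confirms the ACI, and a member of another group should return the entry without it. Keep the targetfilter: whoever can read these values can run offline guessing against them, so the grant should cover only the accounts that actually need to be synced, and the google account's own password should be treated with the same care as a Directory Manager credential.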
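On the second question (base64 or not), the following added Python example, not from the post or from FreeIPA, shows the shape of a userPassword value as 389 Directory Server stores it with one of its salted SHA schemes: a scheme tag in braces followed by base64 of the digest concatenated with the salt, where the digest is computed over password bytes plus salt. The sample password and salt are constructed here; real values and the exact scheme FreeIPA has configured should be taken from the directory. Because the stored digest is salted and unrelated to MD5, it cannot be converted into the unsalted MD5 or SHA1 that the post mentions; a sync that needs those would have to capture the cleartext at password-change time instead.

```python
import base64
import hashlib
import hmac
import os

# Salted schemes 389 Directory Server can store in userPassword.
# The base64 payload is digest || salt; the digest length is fixed
# per algorithm, so whatever follows it is the salt.
_SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def encode_ssha(password: str, salt: bytes, scheme: str = "SSHA") -> str:
    """Produce a {SCHEME}base64(digest(password || salt) || salt) value."""
    algo, _ = _SCHEMES[scheme]
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value: str):
    """Split a stored value into (scheme, digest, salt).

    A value without a {tag} prefix is stored in clear, which a
    directory should never be doing; it is rejected here."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("untagged userPassword value (cleartext?)")
    scheme, payload = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("scheme %s not handled by this example" % scheme)
    _, digest_len = _SCHEMES[scheme]
    raw = base64.b64decode(payload)
    if len(raw) <= digest_len:
        raise ValueError("payload too short to contain digest and salt")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify_userpassword(value: str, candidate: str) -> bool:
    """Recompute the salted digest for a candidate and compare in constant time."""
    scheme, digest, salt = parse_userpassword(value)
    algo, _ = _SCHEMES[scheme]
    recomputed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Constructed sample: fixed 8-byte salt so the output is reproducible.
    sample = encode_ssha("correct horse battery", bytes(range(1, 9)), "SSHA512")
    scheme, digest, salt = parse_userpassword(sample)
    print("stored value :", sample)
    print("scheme       :", scheme)
    print("digest (hex) :", digest.hex())
    print("salt (hex)   :", salt.hex())
    print("verify ok    :", verify_userpassword(sample, "correct horse battery"))
    print("verify wrong :", verify_userpassword(sample, "wrong password"))
    # A fresh random salt is what the server would generate on a password change.
    print("random-salt  :", encode_ssha("correct horse battery", os.urandom(8)))
```

The parser deliberately derives the salt from whatever follows the fixed-length digest rather than assuming a salt length, so it handles values produced with either the default or a longer salt.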