Hello FreeIPA users,

I am currently trying to set up an account for syncing users' hashed userPassword attributes to our Google directory. Basically we use Gmail and sync users' LDAP passwords so that their login matches their LDAP login. This is a one-way sync, and Google only requires the hashes (MD5, base64, SHA1).

From what I can gather, the cn=Directory Manager role is the only one that can access users' userPassword attributes, but I was told it may be possible to create a service account that can also access this. It only needs read permissions. I have not, however, been able to get this working, and I do not find the documentation on this to be very clear.

Can anyone point me in the right direction, or help me set this up?

As of right now I have a user account (google), enrolled in a group (google_sync), and would like to assign permissions to this group to read the userPassword attribute of the members of a group called "mail":

uid=google,cn=users,cn=accounts,dc=xx,dc=xx
cn=google_sync,cn=groups,cn=accounts,dc=xx,dc=xx
cn=mail,cn=groups,dc=accounts,dc=xx,dc=xx

As an additional question, are userPasswords hashed in base64, or something else? I can't seem to find an answer to this.

Best regards,
René Johansen
System administrator

Christians Brygge 1
1219 København K
Tel: 31625208