11th July 2012, 06:30 PM #1
Setting up Google Apps - Syncing with AD questions
Evening all,
I'm looking ahead but am going to be introducing Google Apps into my secondary school over the next few months.
I've just started to read up on it and watch webinars etc.
I'm running AD and am planning on using the Google directory sync tool to sync between Active Directory and Google.
Question 1: Do users in Active Directory have to have an attribute set under email address in order to populate Google Apps? I think that's what the guy was saying in the webinar was needed but my users don't have anything written in AD for the email address. Will this be a problem or will all my users create ok and then get their gmail address?
Question 2: What's the easiest way to sync the passwords between AD and Google? I'm planning on disabling the users' ability to change the password in Google but want it so that when their password is changed in AD it syncs to Google. From what I understand Google Directory sync tool is unable to read the encrypted passwords from AD?
My big plan is actually to have single sign on setup so that when they login to Windows it automatically signs them into Google Apps, has anyone had any problems achieving this?
Many thanks
Dan
11th July 2012, 07:36 PM #2
1) We populate the mail attribute along with other attributes that we map to give them email aliases.
In Google the username is the email address.
2) We don't sync passwords with AD. Instead we use a single sign on method (a commercial one provided by SSOEasy). There are others available, including open source things like SimpleSAMLphp and Shibboleth. Big plus here is you can SSO with Moodle etc too. The only time you will need passwords in Google is if you want to use IMAP email (for iPhones etc). In this case SSOEasy provide a nice method to set passwords in Google.

Originally Posted by
IT_Man_Dan
My big plan is actually to have single sign on setup so that when they login to Windows it automatically signs them into Google Apps, has anyone had any problems achieving this?
I can't think how you can do this with passwords in Google. I may be wrong though. I would approach this by using a single sign on method that I described in 2) then using NTLM to pass through to that authentication. It is worth giving SAML 2.0 and SAML 1.1 Enterprise SSO Software - SSO Easy an email and see if they can do this. We chose not to bother with NTLM as we have lots of non-domain computers.
Also - when you first sync - be very careful to exclude your admin account from the sync otherwise you can lock out the admin account. I managed to do it :/ but Google fixed it pretty quick for me.
-
3 Thanks to CyberNerd:
alttab (11th July 2012), chinesewhispers (16th July 2012), IT_Man_Dan (11th July 2012)
-
11th July 2012, 08:18 PM #3
Ok thanks.
So if I just populate all my users email attribute with %username%@mydomain.co.uk that should give them the username as we want it with Google.
That's interesting about SSOEasy, I'll have to have a read about that. I take it that means that when they open google it just auto signs them into google apps? Does it work for things like the Google talk and everything? I just want it to be as simple as possible for the end users. You said about SSOEasy providing a good way to set passwords in google, is it able to replicate the password set in AD? I'm just thinking about when the users want to log in to Google offsite.
12th July 2012, 07:09 AM #4 
Originally Posted by
IT_Man_Dan
Ok thanks.
So if I just populate all my users email attribute with %username%@mydomain.co.uk that should give them the username as we want it with Google.
yep

Originally Posted by
IT_Man_Dan
That's interesting about SSOEasy, I'll have to have a read about that. I take it that means that when they open google it just auto signs them into google apps?
Ours just provides a login url that we host ourselves. I think it is worth asking them if they could do NTLM pass-through for an internal site though.

Originally Posted by
IT_Man_Dan
Does it work for things like the Google talk and everything? I just want it to be as simple as possible for the end users.
It works for most Google services. Last time I looked it didn't work for the Picasa app (but did work for Picasa web) and didn't work for IMAP.

Originally Posted by
IT_Man_Dan
You said about SSOEasy providing a good way to set passwords in google, is it able to replicate the password set in AD? I'm just thinking about when the users want to log in to Google offsite.
It doesn't replicate the AD password. We provide people the link to update their Google password if they need IMAP etc services. Users log in from home via a website that you host - your internet connection and server hosting the SSOEasy is a point of failure here.
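
An added example, not part of the thread or any poster's own script: a PowerShell dry run for the step agreed in posts #3 and #4 (filling the empty `mail` attribute with username@mydomain.co.uk before the first sync), which also leaves privileged accounts untouched, in line with the post #2 warning about the admin account. The search base, the `gappsadmin` account name and the use of `adminCount` to spot privileged accounts are assumptions.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$MailDomain = 'mydomain.co.uk'                 # suffix quoted in the thread
$SearchBase = 'OU=Users,DC=example,DC=local'   # hypothetical OU holding staff/pupil accounts
$ExtraSkip  = @('gappsadmin')                  # hypothetical: AD account matching the Google admin login

# Enabled users with no mail attribute. adminCount=1 marks accounts that are,
# or have been, members of protected groups such as Domain Admins.
$filter = '(&(objectCategory=person)(objectClass=user)(!(mail=*))' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(adminCount=1)))'

$candidates = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase |
    Where-Object { $ExtraSkip -notcontains $_.SamAccountName }

# Addresses already used anywhere in the directory, so no duplicate is created.
$inUse = @{}
Get-ADUser -LDAPFilter '(mail=*)' -Properties mail |
    ForEach-Object { $inUse[$_.mail.ToLower()] = $_.SamAccountName }

foreach ($u in $candidates) {
    $addr = ('{0}@{1}' -f $u.SamAccountName, $MailDomain).ToLower()

    # Usernames with spaces or other odd characters need a manual decision.
    if ($addr -notmatch '^[a-z0-9._-]+@') {
        Write-Warning "Skipped $($u.SamAccountName): username is not a safe mailbox name"
        continue
    }
    if ($inUse.ContainsKey($addr)) {
        Write-Warning "Skipped $($u.SamAccountName): $addr already belongs to $($inUse[$addr])"
        continue
    }

    # -WhatIf prints the intended change without writing to AD.
    Set-ADUser -Identity $u -EmailAddress $addr -WhatIf
    $inUse[$addr] = $u.SamAccountName
}
```

Remove `-WhatIf` once the printed list has been reviewed; accounts skipped here keep an empty `mail` attribute, so a sync rule that selects users by that attribute will not pick them up.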