Google Apps Directory Sync (GADS) and OpenLDAP

I have been working with Google for 3 weeks trying to get GADS to sync our passwords from OpenLDAP to Google Apps. GADS kept saying in all the logs that the password was synced correctly, but no luck. I worked with Google Support and we tried (almost) everything, including generating lots of debug logs that said yep, the passwords synced OK, but they were not synced. I searched for answers on the web – no luck.

During this time we figured out that the sync would work if I used a different text attribute to store the password, and we noticed that the SHA1 password that GADS generated was different from the SHA1 password generated by other SHA1 encryption tools for the same password. I verified how the password was stored against the OpenLDAP documentation, which says in section 14.4, Password Storage:

“RFC4519 specifies that passwords are not stored in encrypted (or hashed) form.”

I did not click on the hyperlink to read the RFC (a big mistake).

Finally the Google engineers gave up and said it must be a bug and that I needed to set up a custom password attribute and copy the userPassword over to it for GADS to work. Ugh! This would mean either a cron job to do the copies every few minutes or a major update to all our customer password management applications. Double ugh! I decided to poke at GADS one more time and tried it with the Plaintext LDAP storage again – no luck. OK, so let's try SHA1 LDAP storage – no luck. Then MD5 LDAP storage – no luck. Finally I tried Base64 LDAP storage and, guess what – it worked!!! I then went back and read the RFC, which states:

“The ‘userPassword’ attribute contains octet strings”

Aha, so passwords are stored as Base64 when you configure it in slapd.conf to be {CLEARTEXT}.

Lessons Learned:

1. Read the RFCs, as their interpretation in other documents may be a bit off.
2. Google really needs to improve their documentation and FAQs so that other folks with OpenLDAP do not go through my pain (and their pain, as they spent a lot of support hours on this problem).
3. OpenLDAP may want to change CLEARTEXT to BASE64, as that would be more accurate.
4. If something doesn’t work, continue to poke at it until there is nothing left to poke. You might just get lucky.
5. Once you get it working, dig until you figure out why.