The "reset password" code using the Gdata libs was this simple:


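        // Authenticate to the Google Apps provisioning API as a domain admin.
        AppsForYourDomainClient client = new AppsForYourDomainClient(
            this.login, this.password, this.domain);

        // Look up the Google account that matches the user's LDAP id.
        UserEntry ue = client.retrieveUser(ldapId);

        if (null == ue) {
            msg = "Google account '" + ldapId + "' not found";
            log.error(msg);
        } else if (ue.getLogin().getSuspended()) {
            // A suspended account does not get its password reset.
            msg = "Google account '" + ldapId + "' is currently suspended";
            log.error(msg);
        } else {
            // Set the new password and push the change to Google.
            ue.getLogin().setPassword(newPass);
            ue.update();
        }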


Though we use AppsForYourDomainClient object caching logic, as too many
new connections to google apps via gdata over a short period trigger a
suspicious activity scenario requiring a timeout and/or captcha input.

-W


On Wed, Nov 9, 2011 at 3:54 PM, Ficarra, Todd <[log in to unmask]> wrote:

> Hi William,
>
> So you’re only provisioning accounts via GADS twice a day.  That seems
> very reasonable.
>
> You pointed out an important weakness in our current infrastructure.  If
> our main ISP was down, or we had some other sort of outage, users would not
> be able to change passwords.  SSO would only extend the outage.  Good to
> know.
>
> It sounds like your solution would work for us.  We’ll take a look at the
> GWT and Gdata tools.
>
> Thanks,
>
> Todd
>
> From: The EDUCAUSE Google Apps Constituent Group Listserv [mailto:
> [log in to unmask]] On Behalf Of William Eubank
> Sent: Wednesday, November 09, 2011 12:48 PM
> To: [log in to unmask]
> Subject: Re: [GOOGLEAPPS] Migrating students and alumni to GoogleApps
>
> Hi Todd,
>
> We were using unix accounts for email and Sun LDAP.  We run the
> GADS (Google Apps Directory Sync) tool around noon and again at 9 pm every
> day to provision accounts in Gapps.  We use the eduPersonPrimaryAffiliation
> value to determine account eligibility in the sync.
>
> We, like you, could not sync ldap passwords.  So we built our own
> web-based (J2EE war) tool using GWT (google web toolkit) and Gdata (google
> apps api client for java) such that a user could login to it with their ldap
> credentials, then click a 'reset my google account password' button to set
> their initial google account password (or reset it later) and immediately go
> and login to their google apps account.  This gave us a platform we later
> enhanced with 'reset my ldap using my banner credentials' and 'put my
> current class schedule from banner into my google calendar'.
>
> We later enhanced the tool to have roles such that helpdesk could reset
> anyone's account, as well as audit logging to a postgresql DB.
>
> Since then the Google Apps admin console has added delegated admin privs
> such that you can have helpdesk login to it and have only password reset
> privs, etc..
>
> Single signon would help, sure, but we opted not to since it would
> introduce a local weak point in our cloud service.  i.e. if our saml server
> here on campus was down, or our wan was down, no one could login to gapps.
> Making it more bulletproof would mean having multiple saml servers, at
> least one off site, keeping them in sync, etc..  YMMV.
>
> We're implementing a custom program within this same web tool to on a
> schedule do our "create ldap and google account from banner feed
> simultaneously" process.
>
> -William
>
> On Wed, Nov 9, 2011 at 11:14 AM, Ficarra, Todd <[log in to unmask]> wrote:
>
> Hi All,
>
> We want to move all of our students and alumni email accounts to GA.
> (Faculty and staff may be migrated at a later date.)  We’re in the
> beginning stages of the process and as expected have many questions about
> the process and management over time.  If anyone would care to share their
> experiences, both good and bad, with us, we’d greatly appreciate it.  Below
> is a short list of the questions we’ve come up with so far…
>
> We use Active Directory as our on-campus directory to provide
> authentication and authorization for on-campus resources such as network
> access, printing, etc.  Accounts are de-provisioned when a student, faculty
> or staff member leaves the college.  In order to provide email for life for
> alumni, we are thinking of deploying a second directory for Google
> Apps/email.  Has anyone done this with AD LDS?  If possible, we don’t want
> to deploy a second AD DS domain.
>
> How do you sync AD passwords w/ GA?  According to their documentation, the
> passwords must be SHA1, MD5, or plain text.  AD formatted password hashes
> are not supported.
>
> How do you handle password resets?  We’re a small institution and do not
> have 24/7 helpdesk support.  We have an online reset tool for our AD DS
> domain (uses secret questions), and we’d like to do something similar for
> the email directory, but according to Google, they don’t recommend running
> the Directory Sync tool more than once an hour.  This lag time will
> obviously frustrate users.
>
> Would Single Sign On make all of these problems disappear?
>
> Thank you in advance for all your help.
>
> Todd
>
> Todd Ficarra
> Director of Information Technology Services
> Pine Manor College
> 400 Heath St.
> Chestnut Hill, MA 02467
> [log in to unmask]
> 617 731 7110 o
> 617 877 7617 c
>
> Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>
>
>
> --
> William Eubank
> Sr Software Development Lead
> VBRH, M-1F
> i.t. solutions
> 256-824-5375
> [log in to unmask]
>
> No trees were harmed in sending this message but a few electrons were
> mildly inconvenienced.
>



-- 
William Eubank
Sr Software Development Lead
VBRH, M-1F
i.t. solutions
256-824-5375
[log in to unmask]

No trees were harmed in sending this message but a few electrons were
mildly inconvenienced.
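
One way to implement the client caching mentioned at the top of this message, as an added example that is not part of the original e-mail or the tool it describes: a holder that logs in once and hands the same client to every password reset until it expires. The class name `CachedClient`, the 30-minute lifetime and the stand-in client in `main` are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.Callable;

/** Holds one authenticated API client and reuses it until it is maxAge old. */
public final class CachedClient<T> {
    private final Callable<T> factory; // performs the login, e.g. new AppsForYourDomainClient(...)
    private final Duration maxAge;     // assumed lifetime; tune to the service's session lifetime
    private T client;
    private Instant createdAt;
    private int logins;                // number of real logins performed

    public CachedClient(Callable<T> factory, Duration maxAge) {
        this.factory = factory;
        this.maxAge = maxAge;
    }

    /** Returns the cached client; logs in again only if none exists or it has expired. */
    public synchronized T get() throws Exception {
        Instant now = Instant.now();
        if (client == null || Duration.between(createdAt, now).compareTo(maxAge) >= 0) {
            client = factory.call();   // the only place a new connection is opened
            createdAt = now;
            logins++;
        }
        return client;
    }

    /** Drops the cached client (for instance after an auth failure) so the next get() logs in. */
    public synchronized void invalidate() {
        client = null;
    }

    public synchronized int loginCount() {
        return logins;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in client (a plain Object) so the example runs without the Gdata libraries.
        CachedClient<Object> cache = new CachedClient<>(Object::new, Duration.ofMinutes(30));
        Object first = cache.get();
        for (int i = 0; i < 100; i++) {
            if (cache.get() != first) throw new AssertionError("client was not reused");
        }
        System.out.println("logins after 101 requests: " + cache.loginCount());
        cache.invalidate();
        cache.get();
        System.out.println("logins after invalidate: " + cache.loginCount());
    }
}
```

Because `get()` is synchronized, concurrent reset requests arriving at the web tool share a single login instead of each opening their own connection.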
