The "reset password" code using the Gdata libs was this simple:


        AppsForYourDomainClient client = new AppsForYourDomainClient(this.login, this.password,
            this.domain);

        // Look up the Google Apps account that matches the LDAP id
        UserEntry ue = client.retrieveUser(ldapId);

        if (null == ue) {

            msg = "Google account '" + ldapId + "' not found";
            log.error(msg);

        } else if (Boolean.TRUE.equals(ue.getLogin().getSuspended())) {
            // getSuspended() returns a Boolean; compare with equals() so a null is not unboxed

            msg = "Google account '" + ldapId + "' is currently suspended";
            log.error(msg);

        } else {

            // Set the new password on the login element and push the change to Google Apps
            ue.getLogin().setPassword(newPass);
            ue.update();

        }


Though we use AppsForYourDomainClient object-caching logic, as too many new connections to Google Apps via Gdata over a short period trigger a suspicious-activity scenario requiring a timeout and/or CAPTCHA input.

-W


On Wed, Nov 9, 2011 at 3:54 PM, Ficarra, Todd <[log in to unmask]> wrote:

Hi William,


So you’re only provisioning accounts via GADS twice a day.  That seems very reasonable. 


You pointed out an important weakness in our current infrastructure.  If our main ISP was down, or we had some other sort of outage, users would not be able to change passwords.  SSO would only extend the outage.  Good to know.


It sounds like your solution would work for us.  We’ll take a look at the GWT and Gdata tools.


Thanks,


Todd


From: The EDUCAUSE Google Apps Constituent Group Listserv [mailto:[log in to unmask]] On Behalf Of William Eubank
Sent: Wednesday, November 09, 2011 12:48 PM
To: [log in to unmask]
Subject: Re: [GOOGLEAPPS] Migrating students and alumni to GoogleApps


Hi Todd,

We were using unix accounts for email and Sun LDAP.  We run the GADS (Google Apps Directory Sync) tool around noon and again at 9 pm every day to provision accounts in Gapps.  We use the eduPersonPrimaryAffiliation value to determine account eligibility in the sync.

We, like you, could not sync LDAP passwords.  So we built our own web-based (J2EE war) tool using GWT (Google Web Toolkit) and Gdata (Google Apps API client for Java) such that a user could log in to it with their LDAP credentials, then click a 'reset my google account password' button to set their initial Google account password (or reset it later) and immediately go and log in to their Google Apps account.  This gave us a platform we later enhanced with 'reset my ldap using my banner credentials' and 'put my current class schedule from banner into my google calendar'.

We later enhanced the tool to have roles such that helpdesk could reset anyone's account, as well as audit logging to a PostgreSQL DB.

Since then the Google Apps admin console has added delegated admin privs such that you can have helpdesk log in to it and have only password reset privs, etc.

Single sign-on would help, sure, but we opted not to, since it would introduce a local weak point in our cloud service, i.e. if our SAML server here on campus was down, or our WAN was down, no one could log in to Gapps.  Making it more bulletproof would mean having multiple SAML servers, at least one off site, keeping them in sync, etc.  YMMV.

We're implementing a custom program within this same web tool to run, on a schedule, our "create ldap and google account from banner feed simultaneously" process.

-William

On Wed, Nov 9, 2011 at 11:14 AM, Ficarra, Todd <[log in to unmask]> wrote:

Hi All,


We want to move all of our students and alumni email accounts to GA.  (Faculty and staff may be migrated at a later date.)  We’re in the beginning stages of the process and as expected have many questions about the process and management over time.  If anyone would care to share their experiences, both good and bad, with us, we’d greatly appreciate it.  Below is a short list of the questions we’ve come up with so far…


We use Active Directory as our on-campus directory to provide authentication and authorization for on-campus resources such as network access, printing, etc.  Accounts are de-provisioned when a student, faculty or staff member leaves the college.  In order to provide email for life for alumni, we are thinking of deploying a second directory for Google Apps/email.  Has anyone done this with AD LDS?  If possible, we don’t want to deploy a second AD DS domain.


How do you sync AD passwords w/ GA?  According to their documentation, the passwords must be SHA1, MD5, or plain text.  AD formatted password hashes are not supported.


How do you handle password resets?  We’re a small institution and do not have 24/7 helpdesk support.  We have an online reset tool for our AD DS domain (uses secret questions), and we’d like to do something similar for the email directory, but according to Google, they don’t recommend running the Directory Sync tool more than once an hour.  This lag time will obviously frustrate users.


Would Single Sign On make all of these problems disappear?


Thank you in advance for all your help.


Todd


Todd Ficarra

Director of Information Technology Services

Pine Manor College

400 Heath St.

Chestnut Hill, MA 02467

[log in to unmask]

617 731 7110 o

617 877 7617 c


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.




--
William Eubank 
Sr Software Development Lead
VBRH, M-1F
i.t. solutions
256-824-5375
[log in to unmask]

***No trees were harmed in sending this message but a few electrons were mildly inconvenienced.***



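As an added example, not code from William's tool or from this thread: the snippet at the top of the message creates a fresh AppsForYourDomainClient per reset, while the reply notes that a cached client is needed because repeated logins trip Google's suspicious-activity/CAPTCHA handling. The class below shows one way to do that with the Gdata Java client's sample AppsForYourDomainClient: one authenticated client is reused until an assumed TTL expires or an AuthenticationException shows the session is stale, the not-found and suspended checks from the snippet are kept, the outcome is handed to an audit hook rather than only logged, and the password is sent as a SHA-1 hex digest using the Provisioning API's hashFunctionName attribute instead of in clear text. The class, method and constant names (GoogleAppsPasswordResetter, AuditSink, CLIENT_TTL_MS, ResetResult) are hypothetical, as is the assumption that the sample client reports a missing user either as null or as an AppsForYourDomainException with error code EntityDoesNotExist.

```java
// Added example, not code from the thread. Wraps the Gdata sample client so one
// logged-in client is reused across resets. Names below are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.locks.ReentrantLock;

import sample.appsforyourdomain.AppsForYourDomainClient;
import com.google.gdata.client.appsforyourdomain.AppsForYourDomainErrorCode;
import com.google.gdata.client.appsforyourdomain.AppsForYourDomainException;
import com.google.gdata.data.appsforyourdomain.Login;
import com.google.gdata.data.appsforyourdomain.provisioning.UserEntry;
import com.google.gdata.util.AuthenticationException;

public class GoogleAppsPasswordResetter {

    /** Outcome reported to the caller and the audit trail; never the password itself. */
    public enum ResetResult { OK, NOT_FOUND, SUSPENDED }

    /** Audit hook (e.g. an insert into a PostgreSQL table); hypothetical interface. */
    public interface AuditSink {
        void record(String actor, String target, ResetResult result);
    }

    // Log in again at most once per TTL. The value is an assumption; tune to your volume.
    private static final long CLIENT_TTL_MS = 30 * 60 * 1000L;

    private final String adminLogin, adminPassword, domain;
    private final AuditSink audit;
    private final ReentrantLock lock = new ReentrantLock();
    private AppsForYourDomainClient cached;
    private long cachedAt;

    public GoogleAppsPasswordResetter(String adminLogin, String adminPassword,
                                      String domain, AuditSink audit) {
        this.adminLogin = adminLogin;
        this.adminPassword = adminPassword;
        this.domain = domain;
        this.audit = audit;
    }

    /** Returns the cached client; logs in only when none exists or the TTL has expired. */
    private AppsForYourDomainClient client() throws Exception {
        lock.lock();
        try {
            long now = System.currentTimeMillis();
            if (cached == null || now - cachedAt > CLIENT_TTL_MS) {
                cached = new AppsForYourDomainClient(adminLogin, adminPassword, domain);
                cachedAt = now;
            }
            return cached;
        } finally {
            lock.unlock();
        }
    }

    /** Drops the cached client so the next call re-authenticates. */
    private void invalidate() {
        lock.lock();
        try { cached = null; } finally { lock.unlock(); }
    }

    /**
     * Resets ldapId's Google Apps password on behalf of actor. The caller must already
     * have authenticated actor (LDAP bind) and checked that actor may reset ldapId
     * (self-service, or a helpdesk role); that authorisation is not done here.
     */
    public ResetResult reset(String actor, String ldapId, String newPass) throws Exception {
        UserEntry ue;
        try {
            ue = client().retrieveUser(ldapId);
        } catch (AuthenticationException e) {
            invalidate();                      // stale session: log in once more, then give up
            ue = client().retrieveUser(ldapId);
        } catch (AppsForYourDomainException e) {
            // Assumption: a missing user may surface as this exception rather than as null.
            if (e.getErrorCode() != AppsForYourDomainErrorCode.EntityDoesNotExist) throw e;
            ue = null;
        }

        ResetResult result;
        if (ue == null) {
            result = ResetResult.NOT_FOUND;
        } else {
            Login login = ue.getLogin();
            // getSuspended() returns a Boolean; equals() avoids unboxing a null.
            if (Boolean.TRUE.equals(login.getSuspended())) {
                result = ResetResult.SUSPENDED;
            } else {
                // Send a SHA-1 hex digest with hashFunctionName="SHA-1" instead of clear text.
                login.setPassword(sha1Hex(newPass));
                login.setHashFunctionName("SHA-1");
                ue.update();
                result = ResetResult.OK;
            }
        }
        audit.record(actor, ldapId, result);   // who reset whom, and the outcome; no secret
        return result;
    }

    /** Lower-case hex SHA-1 of the UTF-8 bytes, the form the Provisioning API expects. */
    static String sha1Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Construct one instance per admin credential and share it (it is thread-safe) across the web tool's request threads; the lock serialises only the login, not the reset calls. The reset itself happens immediately against Google, which is what sidesteps the GADS sync interval Todd asked about. Whether the helpdesk actor is allowed to reset the target account is a decision for the caller's role check, not this class.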