1

Do you know any way to sync users from GApps to LDAP? Or, maybe, is there any tool to sync GApps users with passwd file?

I know, that Google has tool to sync users from LDAP to GApps...

Why I need this? Because I work in company with GApps Domain and we have lots of developers servers. And I want to automate some part of my job. And if there is no such tool - I'll try to write one with curl, google api and bash! :)

Psychozoic
  • 273
  • 2
  • 4
  • 13
  • Do you need just a list of users and account details or are you expecting to get the password hashes as well? – Zoredache Nov 10 '14 at 18:25
  • @Zoredache i need some script (or even app) that will auto create users in LDAP (or just passwd), block users if they become suspended and delete users if they are deleted in GApps. – Psychozoic Nov 11 '14 at 08:46
  • @Zoredache passwords is not a problem for now. – Psychozoic Nov 11 '14 at 08:48

1 Answers1

1

Given that Google's main use case is to get you to abandon on-premise directory services I think you're going to have a tough time finding any canned examples.

The Google Directory API has functionality to retrieve all users and the output should be reasonably easy to parse (since it's just JSON). You might be able to cobble something together with this API and a tool like LDAP Sync Connector. (I don't know enough about that particular tool, but there's a posting on their mailing list that claims that Google Apps can be used as a sync source.)

(Trying to search for this is pretty frustrating. I can find people looking for what you want, but inevitably a bunch of "helpful" people come along and suggest Google Apps Directory Sync, which is exactly not what you or they are looking for.)

Edit:

@Zoredache raises a very good and practical point. I see no way to get password hashes back from Google. I can't imagine a world in which they'd ever let you download those.

Bear in mind that you're going to have to deal with passwords yourself.

If that's problematic you might look at using Google to do the authentication and using OAuth2 (though I'm not readily finding a PAM module).

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • You pointed at the API, but can you get the password hash back from the API. Last time I looked I didn't think that was possible. – Zoredache Nov 10 '14 at 18:23
  • 1
    Oh, I can't imagine Google would let you get the hashes. I'd fall out of my chair if they did. No-- the OP will definitely have a password conundrum to deal with for sure. – Evan Anderson Nov 10 '14 at 18:24
  • @Zoredache password could be different. and it is possible to create users and send them mail with temporary password, which users can change. – Psychozoic Nov 11 '14 at 08:41