Integrating Google Apps and Open Directory v10.5
Randy Saeks

2 INTEGRATING GOOGLE APPS AND OPEN DIRECTORY

Table of Contents
INTRODUCTION 3
REQUIREMENTS 4
LDAP USER IMPORT 5
WEB BASED SINGLE SIGN ON 10
INSTALLING SIMPLESAMLPHP 11
CONFIGURING SIMPLESAMLPHP FOR OPEN DIRECTORY 13
CONFIGURING SIMPLESAMLPHP FOR GOOGLE APPS FOR EDUCATION 14
CONFIGURING GOOGLE APPS FOR EDUCATION TO USE SSO 16
ADDITIONAL RESOURCES 18
GOOGLE APPS PROVISIONING TOOLKIT WORKSHEET 18
Introduction

Google Applications for Education is one way schools and universities can provide an online collaborative setting for users. Modules for documents, email and calendaring are major draws to this environment. However, when adding 3rd party solutions to an existing infrastructure, issues surrounding seamless user provisioning and consolidated passwords emerge as potential hurdles to deployment, usage, and ultimately, adoption. From the IT standpoint, one obstacle is user account management and maintenance. Viewed from the end-user perspective, individuals are faced with a login and password for another system.

To resolve these two issues, Google provides an API and vendors have created solutions to leverage open technologies. One tool creates and manages user accounts in Google Apps from Open Directory. The second provides a web-based SAML Single Sign On solution.

A current limitation exists for users who will be using an email application, such as Mail.app. Since Mail.app does not use SAML authentication, the password for email applications will be the password created on initial account creation in Google Apps. To work around this drawback, have users change their Google Apps password to match their Open Directory password. Ensure this is done prior to enabling SSO, or any password changes will be directed back to Open Directory and not Google Apps.
Requirements

Below are the requirements needed for the setup covered in this guide:
• Google Applications for Education Domain Registration
• Mac OS X Server v.10.5 running Open Directory
• VMware Virtual Machine Playback support
• SADA Systems Google Apps Provisioning Toolkit Virtual Machine (http://hosting.sadasystems.com/sadasystems/google_provisioning)
• SimpleSAMLphp (http://rnd.feide.no/simplesamlphp)

This guide is based on the most-recent release of Mac OS X Server as of publication, version 10.5.6.
LDAP User Import

The LDAP User import process is accomplished via the SADA Systems Virtual Machine (VM) available at the provided URL. This VM allows a preconfigured system to be downloaded onto a computer and utilized with minimal modifications, mainly user-specific. This tool creates, modifies, deletes, or suspends accounts, and its continuous running is not needed. That does mean, however, that the tool will need to be re-run when newly created network accounts need to be added to Google Apps.

A table is provided with values in the configuration file that will/may need to be specified based on your environment. Additionally, a blank worksheet is included at the end of this document to allow you to keep track of your values.

Attribute / Value / Details

$domain = 'DOMAIN'
  Value: Your Google Apps domain
  Details: Set DOMAIN to the domain name of your Google Apps domain.

$admin = 'USER'
  Value: Login name
  Details: Set USER to a login name for a user with admin access to your Google Apps Domain.

$password = 'PASS'
  Value: Password
  Details: Set PASS to the password for a user with admin access to your Google Apps Domain.

$allow_account_deletion = 'yes,no'
  Value: yes, no
  Details: Setting this value to no will suspend accounts not found in the import. Setting it to yes will delete those accounts.

DEFINE('DB_TYPE', 'TYPE')
  Value: ldap
  Details: Setting TYPE to ldap will configure the toolkit to utilize LDAP connectivity.

DEFINE('LDAP_SERVER', 'IP')
  Value: Address of an Open Directory Server
  Details: Set IP to a valid IP or DNS name of an Open Directory server to retrieve users.

DEFINE('LDAP_PORT', 'PORT')
  Value: Port of LDAP Server
  Details: Set PORT to the port LDAP is listening on. If using a secure LDAP connection, set this to 636 and change IP in the above field to 'ldaps://IP/'.

DEFINE('LDAP_BIND_RDN', 'DN')
  Value: Fully qualified name of a user to bind to your LDAP server
  Details: Set DN to the fully qualified name of a user to bind to LDAP. Ex: uid=someuser,cn=users,dc=your,dc=domain

DEFINE('LDAP_BIND_PASSWORD', 'LP')
  Value: Password for user specified above
  Details: Set LP to the password of the LDAP user you are using above.

DEFINE('LDAP_BASE_DN', 'BASE')
  Value: Directory location of users in LDAP
  Details: Set BASE to the LDAP base location of users. Ex: cn=users,dc=your,dc=domain

DEFINE('LDAP_FILTER', 'FILTER')
  Value: A filter to restrict objects returned
  Details: Set FILTER to valid LDAP filter criteria. To test the setup, you may wish to restrict importing to specific users. You can limit these by using (&(objectclass=person)(uidNumber=XX)) with XX corresponding to the uid of a SPECIFIC user.

DEFINE('LDAP_USERNAME', 'NAME')
  Value: LDAP attribute corresponding to what will be the user's Google Apps login.
  Details: Set NAME to the LDAP attribute the user will use to log in to Google Apps. Typically, this will be uid. If you use another value, enter that value into NAME.

DEFINE('LDAP_DEFAULT_PASSWORD', 'P')
  Value: Default LDAP password.
  Details: Set P to the default password given to all accounts. Since we will later add in steps to connect usernames and Open Directory passwords, this step is not important, but necessary. However, to protect accounts while setting up, use something secure.
Once you have downloaded and expanded the VM, open it in VMware.

1. Change into the directory containing the configuration files to be edited. The command to change into this directory and edit the configuration file is displayed below. Feel free to use your favorite text editing application.
2. Enter in your site-specific values as outlined in the table above.
3. Restart apache.
4. Obtain the IP address of the machine.
5. Enable provisioning API access in your Google Apps Domain. To do so, go to your Domain Administration Settings, then to Users and Groups, and finally to Settings. Enable the checkbox for the provisioning API, and click Save Changes.
6. Connect to the machine via the IP address obtained in step 4. The URL will be in the format:
http://IPADDRESS/GoogleAppsToolKit/admin/
7. If the configuration is correct, you will see a screen similar to the one below:
8. Note in the above screenshot the information provided. This summarizes the location in LDAP being searched (Base DN) and the applied filter. Also, the information to be added will be displayed. In the above case, a specific user was selected based on their uidNumber being equal to 1091.
9. Step two of the process is to select an action to perform with the user import. At this point, clicking Next will preview and create your batch job but not actually run it. A summary of the actions is provided below. Select the option best suited for your specific operation.

Action / Summary

Create user accounts only
  This will add listed users to Google Apps. Any existing accounts will be retained and left untouched.

Create user accounts and update existing accounts
  This will add new accounts to Google Apps. Existing accounts will be updated with the displayed information.

Update accounts only
  Updating the accounts will only change or reset settings on existing accounts. No new accounts will be created.

Synchronize - create user accounts, update existing accounts and delete/suspend accounts that are not present in the file
  Synchronize will create new accounts based on the displayed information, update any existing accounts, and delete or suspend accounts not listed in the import file.

Delete/suspend user accounts only
  If $allow_account_deletion = 'yes,no' is set to yes, this will delete accounts from your Google Apps user list that are not listed in the import file. If set to no, the account will be suspended and existing login information retained.

10. After selecting the action to be performed and clicking Next, the Provisioning toolkit will scan Open Directory and generate a preview of the actions to be performed. This is where you can preview changes before they are applied. A sample summary screen is provided. This screen displays a summary of accounts to be created, deleted, or modified, as well as the user data corresponding to each account. Note that the password being used is set by the directive DEFINE('LDAP_DEFAULT_PASSWORD', 'P') from the previous configuration, with P in this case set to changeme.
11. Once you have completed your batch operations, you can power down the VM and disable provisioning API access in Google Apps.

At this point your Google Apps domain will have user accounts from Open Directory. To verify a new account was successfully created, log in to your Google Apps domain with the newly created user. Remember, at this point the password for the user is set to the default provided in the configuration. The next step will be to install and configure a Web-based SAML Identity Provider. This will link Google Apps user accounts to your Open Directory system and allow Open Directory passwords to be used on Google Apps.
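The action table and the preview step above describe a set-based decision: which accounts to create, which to update, and which to delete or suspend. The Python below is an added example, not part of this guide or of the SADA Systems toolkit; it makes that decision on constructed sample data (LDAP_USERS standing in for the LDAP_FILTER search result, GOOGLE_ACCOUNTS for the accounts already in the domain) using the $allow_account_deletion semantics from the table. All function names are this example's own.

```python
"""Plan the batch job the toolkit's "select an action" step describes.

Added example, not part of this guide or of the SADA Systems toolkit. The
LDAP search results and the list of existing Google Apps accounts below are
constructed sample data, and all function names are this example's own.
"""

# Actions as listed in the toolkit's second step.
CREATE_ONLY = "create user accounts only"
CREATE_AND_UPDATE = "create user accounts and update existing accounts"
UPDATE_ONLY = "update accounts only"
SYNCHRONIZE = "synchronize"
DELETE_SUSPEND_ONLY = "delete/suspend user accounts only"
ACTIONS = {CREATE_ONLY, CREATE_AND_UPDATE, UPDATE_ONLY, SYNCHRONIZE, DELETE_SUSPEND_ONLY}

# Constructed result of the LDAP_FILTER search, keyed by the LDAP_USERNAME
# attribute (uid), as the toolkit's preview screen would list it.
LDAP_USERS = {
    "jsmith": {"givenName": "Jane", "sn": "Smith", "uidNumber": 1091},
    "bjones": {"givenName": "Bob", "sn": "Jones", "uidNumber": 1092},
}

# Constructed snapshot of accounts already present in the Google Apps domain.
GOOGLE_ACCOUNTS = {
    "jsmith": {"givenName": "J.", "sn": "Smith"},
    "oldstaff": {"givenName": "Olive", "sn": "Staff"},
}


def plan_actions(ldap_users, google_accounts, action, allow_account_deletion):
    """Return {username: operation} for the chosen action.

    allow_account_deletion mirrors $allow_account_deletion in the toolkit
    config: 'yes' deletes accounts missing from the import, 'no' suspends
    them with their login information retained (the reversible choice).
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if allow_account_deletion not in ("yes", "no"):
        raise ValueError("allow_account_deletion must be 'yes' or 'no'")
    removal = "delete" if allow_account_deletion == "yes" else "suspend"

    new = set(ldap_users) - set(google_accounts)
    existing = set(ldap_users) & set(google_accounts)
    missing = set(google_accounts) - set(ldap_users)

    plan = {}
    if action in (CREATE_ONLY, CREATE_AND_UPDATE, SYNCHRONIZE):
        plan.update({user: "create" for user in new})
    if action in (CREATE_AND_UPDATE, UPDATE_ONLY, SYNCHRONIZE):
        plan.update({user: "update" for user in existing})
    if action in (SYNCHRONIZE, DELETE_SUSPEND_ONLY):
        plan.update({user: removal for user in missing})
    return plan


def summarize(plan):
    """Counts per operation, like the toolkit's preview summary."""
    counts = {"create": 0, "update": 0, "suspend": 0, "delete": 0}
    for operation in plan.values():
        counts[operation] += 1
    return counts


def preview_lines(plan, ldap_users, default_password):
    """Render the kind of preview the toolkit shows before the job runs.

    Every created account receives LDAP_DEFAULT_PASSWORD, which is why the
    guide says to pick something secure even though SSO replaces it later.
    """
    lines = []
    for user in sorted(plan):
        operation = plan[user]
        if operation == "create":
            entry = ldap_users[user]
            lines.append(f"{operation:8} {user} ({entry['givenName']} {entry['sn']}) "
                         f"password={default_password}")
        else:
            lines.append(f"{operation:8} {user}")
    return lines


if __name__ == "__main__":
    job = plan_actions(LDAP_USERS, GOOGLE_ACCOUNTS, SYNCHRONIZE, "no")
    print(summarize(job))
    print("\n".join(preview_lines(job, LDAP_USERS, "changeme")))
```

Run for Synchronize with allow_account_deletion set to no, the sample data plans one create (bjones), one update (jsmith) and one suspend (oldstaff). A suspended account can be re-enabled, while a deleted one cannot, so keeping the no setting until the LDAP_FILTER and Base DN are known to return the full user set limits the damage a mis-scoped filter can do.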
Web-based Single-Sign On

Google Apps allows for a Single-Sign On (SSO) system to be leveraged, simplifying user authentication to the Google services. Web-based SSO through SAML allows a 3rd party Service Provider (Google Apps) to talk to an in-house Identity Provider (in this case simpleSAMLphp) which will provide authentication services. simpleSAMLphp in turn is configured to authenticate users to a specific LDAP directory. For the scope of this paper, the focus is on Open Directory. Below, the process is illustrated.

Participants: Google Apps, Web browser, simpleSAMLphp
1. User requests a Google App page.
2. Google Apps, configured for SSO, needs to authenticate the user via SAML.
3. User redirected to the SAML application.
4. Present user login screen.
5. Login verified against SAML. This is configured to point to Open Dir.
6. SAML request verified.
7. Google Apps resource presented.
Installing simplesamlphp

Once you have downloaded simpleSAMLphp, extract it to your desktop.

1. Rename the folder to “simplesaml”.
2. Open a terminal window and change to the root user. Once you have done this, create a simplesamlphp folder in /var.

cd /var
mkdir simplesamlphp

3. Copy the contents of the simplesamlphp folder on your desktop to /var/simplesamlphp.

cp -R /Users/USER/Desktop/simplesamlphp/* /var/simplesamlphp/

4. Copy the included sample configuration and meta-data templates into the production folder.

cd /var/simplesamlphp
cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/

5. Create a web Alias to /var/simplesamlphp/www. This can be done in Server Admin. To do so, open Server Admin and select the web service, then Sites. To create the alias, click the plus sign under “URL Aliases and Redirects” and enter in the path above. You should consider allowing only https traffic to this machine, as it will be working with users and passwords.
6. Enable the included php module. This can be accomplished in the web service settings of Server Admin, under Modules. Place a check in the box for php5_module, then save your settings and restart the web service.
7. Edit the provided config.php file and specify an administrative password. Open /var/simplesamlphp/config/config.php and change auth.adminpassword to something you would like to use.
8. Edit the config.php file and specify a value for secretsalt. This can be any random string and will be used to generate secure hashes. You can enter in a random string of letters and numbers.
9. Specify contact information in the fields technicalcontact_name and technicalcontact_email.
10. Disable using simplesamlphp as a service provider and enable using it as an identity provider. To make these changes, change the value of enable.saml20-sp to false and enable.saml20-idp to true.
11. Save the changes to your file.
12. Enable LDAP support for simpleSAMLphp by running the following commands:

cd /var/simplesamlphp/modules/ldap
touch enable

At this point, you may test your install by navigating to http(s)://your.server.com/simplesaml. If the system is properly set up, you will see a screen for the web application. Additionally, the only item that should have a green check next to it is SAML 2.0 IdP. If you are able to view your page, you can now move on to configuring LDAP.
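Steps 7 to 10 change four settings in config.php that the IdP's security depends on: the admin password, the secret salt, and the two enable flags. The Python below is an added example, not part of this guide or of simpleSAMLphp; it parses a config.php-style fragment ('key' => value, entries) and reports anything left at a template value. The template defaults it assumes ('123' for auth.adminpassword and 'defaultsecretsalt' for secretsalt) and both fragments are constructed for this example, and new_secret_salt shows one way to produce the random string step 8 asks for.

```python
"""Audit the config.php settings the installation steps tell you to change.

Added example, not part of this guide or of simpleSAMLphp. It reads the
'key' => value, entries that simpleSAMLphp's config.php uses and flags what
must not be left at a template value. The template defaults assumed here
('123' and 'defaultsecretsalt') and both fragments below are constructed.
"""
import re
import secrets

# Assumed template values that must never reach a production IdP.
TEMPLATE_ADMIN_PASSWORD = "123"
TEMPLATE_SECRET_SALT = "defaultsecretsalt"
MIN_SALT_LENGTH = 32

# One 'key' => 'string', or 'key' => TRUE/FALSE, entry per match.
_ENTRY = re.compile(r"'([^']+)'\s*=>\s*(?:'([^']*)'|(TRUE|FALSE|true|false))\s*,")


def parse_php_config(text):
    """Collect string and boolean entries from a config.php-style fragment."""
    config = {}
    for key, string_value, bool_value in _ENTRY.findall(text):
        config[key] = string_value if bool_value == "" else bool_value.lower() == "true"
    return config


def audit_config(config):
    """Return findings for steps 7 to 10 of the install; an empty list is clean."""
    findings = []
    if config.get("auth.adminpassword", TEMPLATE_ADMIN_PASSWORD) == TEMPLATE_ADMIN_PASSWORD:
        findings.append("auth.adminpassword is still the template default")
    salt = config.get("secretsalt", TEMPLATE_SECRET_SALT)
    if salt == TEMPLATE_SECRET_SALT:
        findings.append("secretsalt is still the template default")
    elif len(salt) < MIN_SALT_LENGTH:
        findings.append(f"secretsalt is shorter than {MIN_SALT_LENGTH} characters")
    for key in ("technicalcontact_name", "technicalcontact_email"):
        if not config.get(key):
            findings.append(f"{key} is empty")
    if config.get("enable.saml20-sp", True):
        findings.append("enable.saml20-sp must be FALSE on an IdP-only host")
    if not config.get("enable.saml20-idp", False):
        findings.append("enable.saml20-idp must be TRUE")
    return findings


def new_secret_salt(nbytes=32):
    """A salt from the OS CSPRNG: 64 hex characters by default."""
    return secrets.token_hex(nbytes)


# Constructed fragment as it might look straight from config-templates.
TEMPLATE_FRAGMENT = """
    'auth.adminpassword' => '123',
    'secretsalt' => 'defaultsecretsalt',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'na@example.org',
    'enable.saml20-sp' => TRUE,
    'enable.saml20-idp' => FALSE,
"""

# Constructed fragment after steps 7 to 10 (salt value is a made-up 40-char hex).
HARDENED_FRAGMENT = """
    'auth.adminpassword' => 'Long-Admin-Passphrase-Replace-Me',
    'secretsalt' => '0f9d2a7c4e61b83a5d7f0c2e9b4a6d1f3e5c7a90',
    'technicalcontact_name' => 'IT Help Desk',
    'technicalcontact_email' => 'helpdesk@your.domain',
    'enable.saml20-sp' => FALSE,
    'enable.saml20-idp' => TRUE,
"""

if __name__ == "__main__":
    for name, fragment in (("template", TEMPLATE_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        print(name, audit_config(parse_php_config(fragment)) or ["ok"])
    print("suggested secretsalt:", new_secret_salt())
```

The salt matters because simpleSAMLphp derives internal secrets from it; anyone who knows a template salt knows those secrets, so a value from the OS random source is the right replacement for "a random string of letters and numbers".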
Configuring simpleSAMLphp for Open Directory

1. Open the ldap.conf file located in /var/simplesamlphp/config.
2. Edit the value of auth.ldap.dnpattern to specify the location in Open Directory to search for users. If you don't know this value, you can find it by using Server Admin and viewing the status of Open Directory. It will be located in the Overview tab. This value should be in the format uid=%username%,cn=users,dc=your,dc=domain. The cn=users,dc=your,dc=domain portion is what is shown in the Overview tab of Open Directory as the LDAP Search Base.
3. Change the value of auth.ldap.hostname to match the hostname of your Open Directory Server.
4. In the event you require binding, change auth.ldap.search.username and auth.ldap.search.password to a valid user having access rights to perform an LDAP search.
5. Save the file.
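Both auth.ldap.dnpattern above and the LDAP_FILTER setting in the user-import table splice a value into LDAP syntax: %username% into a DN, and a uidNumber into a search filter. The Python below is an added example, not part of this guide, simpleSAMLphp or the SADA toolkit; it performs both substitutions with RFC 4514 (DN value) and RFC 4515 (filter value) escaping, so a login name containing a comma or a parenthesis cannot change which entry is bound or searched. The pattern, the filter template and the sample inputs are constructed.

```python
"""Substitute user input into auth.ldap.dnpattern and LDAP_FILTER safely.

Added example, not part of this guide, simpleSAMLphp or the SADA toolkit.
DN values are escaped per RFC 4514 and filter values per RFC 4515, so a
username such as "j,cn=admins" stays one RDN value instead of rewriting
the DN. The pattern, filter template and sample inputs are constructed.
"""
import re

DN_PATTERN = "uid=%username%,cn=users,dc=your,dc=domain"        # auth.ldap.dnpattern
FILTER_TEMPLATE = "(&(objectclass=person)({attribute}={value}))"  # LDAP_FILTER shape
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")          # RFC 4512 keystring


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)            # structural characters
        elif ch == "\x00":
            out.append("\\00")               # NUL must be hex-escaped
        elif ch == " " and i in (0, last):
            out.append("\\ ")                # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                # leading '#' would start a hex string
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape one assertion value for a search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def bind_dn_for(username, pattern=DN_PATTERN):
    """Replace %username% in the dnpattern with the escaped login name."""
    if not username:
        raise ValueError("empty username")
    return pattern.replace("%username%", escape_dn_value(username))


def import_filter(attribute, value):
    """Build the restricted import filter, e.g. for a single uidNumber.

    The attribute name is validated rather than escaped: there is no escape
    syntax for it, so anything outside the keystring grammar is rejected.
    """
    if not _ATTRIBUTE_NAME.match(attribute):
        raise ValueError(f"bad attribute name: {attribute!r}")
    return FILTER_TEMPLATE.format(attribute=attribute, value=escape_filter_value(str(value)))


if __name__ == "__main__":
    print(bind_dn_for("jsmith"))
    print(bind_dn_for("j,cn=admins"))
    print(import_filter("uidNumber", 1091))
    print(import_filter("uid", "a)(uid=*"))
```

With the escaping in place, bind_dn_for("j,cn=admins") yields uid=j\,cn=admins,cn=users,dc=your,dc=domain, a single RDN whose value happens to contain a comma, and import_filter("uid", "a)(uid=*") yields a filter that can only ever match a literal uid, never every person in the base DN.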
Configuring simplesamlphp for Google Apps for Education

This process will configure Google Apps for Education to use a 3rd Party Identity Provider; in this case, simplesamlphp.

1. Generate SSL certificates for Google Apps in terminal to use with simplesaml. Note: the commands are listed one per line to reduce confusion, and the final command is entered as a single line.

cd /var/simplesamlphp/cert/
openssl genrsa -des3 -out googleappsidp.key 1024
openssl rsa -in googleappsidp.key -out googleappsidp.pem
openssl req -new -key googleappsidp.key -out googleappsidp.csr
openssl x509 -req -days 1095 -in googleappsidp.csr -signkey googleappsidp.key -out googleappsidp.crt

2. Edit the hosted identity provider metadata file to permit your server to honor Google App authentication requests. Open /var/simplesamlphp/metadata/saml20-idp-hosted.php and change:
o __DYNAMIC:1__ to the hostname of your machine
o host to the hostname of your machine
o privatekey to googleappsidp.pem
o certificate to googleappsidp.crt
3. Add a comma to the end of the line starting with 'auth' located near the bottom of the file (shown on the next page).
4. Add a line after the 'auth' line to read:
'authority' => 'login'
5. Save your changes.
6. Edit the remote service provider metadata file to allow your server to respond to Google App authentication requests. Open /var/simplesamlphp/metadata/saml20-sp-remote.php. Near the bottom of the file, you will see an array for google.com. Under the field AssertionConsumerService, change the default value of g.feide.no to your hosted domain.
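Step 6 matters because the IdP uses the AssertionConsumerService value to decide where a signed response for google.com may be delivered. The Python below is an added example, not part of this guide or of simpleSAMLphp; it parses a constructed Google-style AuthnRequest and checks its Issuer and AssertionConsumerServiceURL against a dict standing in for the google.com entry in saml20-sp-remote.php. The URL form https://www.google.com/a/<domain>/acs, the issuer value google.com and the hosted domain your.domain are assumptions made for this example.

```python
"""Check an incoming AuthnRequest against the saml20-sp-remote entry for google.com.

Added example, not part of this guide or of simpleSAMLphp. SP_REMOTE_METADATA
stands in for the PHP array in saml20-sp-remote.php; the ACS URL form
https://www.google.com/a/<domain>/acs, the issuer value and the sample
request are assumptions/constructed for this example.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

HOSTED_DOMAIN = "your.domain"  # constructed; the guide's "your hosted domain"

# Stand-in for the google.com entry after step 6 (g.feide.no replaced).
SP_REMOTE_METADATA = {
    "google.com": {
        "AssertionConsumerService": f"https://www.google.com/a/{HOSTED_DOMAIN}/acs",
    },
}

# Constructed AuthnRequest in the shape Google Apps SSO sends to the IdP.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_constructed1" Version="2.0" IssueInstant="2009-05-01T12:00:00Z"
  ProviderName="google.com" IsPassive="false"
  AssertionConsumerServiceURL="https://www.google.com/a/{HOSTED_DOMAIN}/acs">
  <saml:Issuer>google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Extract the fields the IdP needs before it decides to answer."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def check_request(request, metadata):
    """Return (accepted, reason) for a parsed request against SP metadata.

    A response is only ever posted to the ACS that the local metadata
    names, so a request asking for any other destination is refused rather
    than honoured; this is what a stale g.feide.no value would break.
    """
    entry = metadata.get(request["issuer"])
    if entry is None:
        return False, f"unknown issuer {request['issuer']!r}"
    expected = entry["AssertionConsumerService"]
    if request["acs_url"] is None:
        return True, f"no ACS URL in request; responding to metadata value {expected}"
    if request["acs_url"] != expected:
        return False, f"ACS URL {request['acs_url']} does not match metadata {expected}"
    return True, f"request {request['id']} accepted for {expected}"


if __name__ == "__main__":
    req = parse_authn_request(SAMPLE_REQUEST)
    print(check_request(req, SP_REMOTE_METADATA))
    stale = {"google.com": {"AssertionConsumerService": "https://www.google.com/a/g.feide.no/acs"}}
    print(check_request(req, stale))
```

Run against the stale metadata (g.feide.no left in place), the same request is refused, which is the symptom you would see as a login that never completes after enabling SSO.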
Configuring Google Apps for Education to use SSO

Now that everything is configured, the final process is to enable Google Apps for Education to utilize your web-based Single-Sign On solution.

1. Log in to your Google Apps Domain, and select Advanced Tools. From there, select “Single Sign on”.
2. Place a checkmark in the box “Enable Single Sign On”.
3. Enter in the URL of your sign-in page. It should be in the format:
https://host.your.domain/simplesaml/saml2/idp/SSOService.php
4. Enter in the URL of your sign-out page. It should be in the format:
https://host.your.domain/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php
5. Enter in the URL of your password change page. If you do not have one, you can enter in a fake URL.
6. Under “Verification Certificate”, select the googleappsidp.crt certificate created earlier. It will be located in /var/simplesamlphp/cert/. To copy the file to a folder viewable to the web browser, choose “Go” from the Finder menu and then “To Folder”. Enter in the above path and copy the .crt file to your desktop. Select the file and click Upload.
7. Click Save Changes.

IMPORTANT: To test your SSO implementation, there are two ways to accomplish this:
1. Enable Google Apps Single-Sign on from a test block of IPs by specifying a range in the field “Network Mask”.
or
2. Use a different test machine to log in to your Google Apps Domain and stay logged in with your current session.

If you do not perform one of these two actions, you run the risk of being unable to log in to your Google Apps domain and will need to contact Google support to turn off Single Sign On. This can occur due to the LDAP server not being reachable or an incorrect configuration of LDAP attribute mappings.
Additional Resources

Google Apps Provisioning Toolkit Worksheet

string / value / Your Value

$domain = 'DOMAIN'
  Value: Your Google Apps domain
  Your value: ________

$admin = 'USER'
  Value: Login name
  Your value: ________

$password = 'PASS'
  Value: Password
  Your value: ________

$allow_account_deletion = 'yes,no'
  Value: yes, no
  Your value: ________

DEFINE('DB_TYPE', 'TYPE')
  Value: ldap
  Your value: ________

DEFINE('LDAP_SERVER', 'IP')
  Value: Address of an Open Directory Server
  Your value: ________

DEFINE('LDAP_PORT', 'PORT')
  Value: Port of LDAP Server
  Your value: ________

DEFINE('LDAP_BIND_RDN', 'DN')
  Value: Fully qualified name of a user to bind to your LDAP server.
  Your value: ________

DEFINE('LDAP_BIND_PASSWORD', 'LP')
  Value: Password for user specified above
  Your value: ________

DEFINE('LDAP_BASE_DN', 'BASE')
  Value: Directory location of users in LDAP
  Your value: ________

DEFINE('LDAP_FILTER', 'FILTER')
  Value: A filter to restrict objects returned.
  Your value: ________

DEFINE('LDAP_USERNAME', 'NAME')
  Value: LDAP attribute corresponding to what will be the user's Google Apps login.
  Your value: ________

DEFINE('LDAP_DEFAULT_PASSWORD', 'P')
  Value: Default LDAP password.
  Your value: ________