
sync passwords with ldap for GADS use

I have recently started to set up sync from our SL Server to Google Apps. I have slowly been dealing with the issues surrounding this; however, the issue of Apple's OD not storing users' passwords in OpenLDAP means that I am not able to (simply) sync the passwords between SL+OD and Google Apps.


I found this (succinct) post from David Colville1:


Open Directory/LDAP Password Encryption



David Colville1

Re: Open Directory/LDAP Password Encryption

Jan 28, 2010 5:18 PM (in response to Abel408)

Unlike some other LDAP directories, OS X doesn't store a password inside the LDAP record - it uses an "SASL" mechanism - it queries the "AuthenticationAuthority" attribute to advise the location where the user password can be retrieved.


The passwords are stored inside the PasswordServer (SASL Server), in CRAM-MD5, Digest-MD5, DHX, etc. (see Page 50 of the Open Directory Administration Guide).


It also supports LDAP Bind (using cleartext passwords), but this is a nasty security risk.


Some ways you could consider to propagate the password from other LDAP directories are either:

- Propagate the password as a password attribute - but this will require changing the way clients bind to query this attribute.

- Use a script to change the entries in PasswordService using "dscl" commands on the OS X Server - this is probably a better long term solution.



And would like to know if anyone has a script or some other process sorted out that would sync the PasswordService and OD/LDAP password field so I can update the Google Apps password fields, or if there is some way of dynamically querying the PasswordServer when GADS runs to get the relevant password for each user. I am, now, starting to look at the "dscl" command to see if I can call it before I run the GADS so passwords stay synced and up to date in all places.

Posted on Sep 6, 2012 12:35 PM
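
Why an LDAP-only sync finds no password to copy, as an added example that is not part of the original post or of any Apple tool: it parses AuthenticationAuthority values and reports where each account's password is actually held. It assumes the attribute's `vers;tag;data` layout and the tag names shown; the sample records, host names, addresses and function names are constructed.

```python
from collections import namedtuple

AuthAuthority = namedtuple("AuthAuthority", "version tag data")

def parse_authority(value):
    """Split one AuthenticationAuthority value of the form vers;tag;data."""
    parts = value.split(";", 2)
    if len(parts) < 2 or not parts[1]:
        raise ValueError("not a vers;tag;data value: %r" % value)
    return AuthAuthority(parts[0], parts[1], parts[2] if len(parts) == 3 else "")

def password_server_slot(auth):
    """ApplePasswordServer data is '<slot id>,<public key>:<server address>'."""
    if auth.tag != "ApplePasswordServer":
        return None
    slot, _, rest = auth.data.partition(",")
    _key, sep, address = rest.rpartition(":")
    return slot, (address if sep else "")

def password_location(values):
    """Say where the secret for one user record is held."""
    tags = [parse_authority(v).tag for v in values]
    if "ApplePasswordServer" in tags:
        return "password-server"    # held by the SASL Password Server
    if "ShadowHash" in tags:
        return "shadow-hash"        # hash kept outside a plain password attribute
    if all(t == "basic" for t in tags):
        return "directory-record"   # assumption: no authority at all means basic
    return "external"               # e.g. a Kerberos-only account

def syncable_from_ldap(records):
    """Users whose password hash a tool reading only LDAP could see."""
    return sorted(u for u, v in records.items()
                  if password_location(v) == "directory-record")

# Constructed sample records (not real accounts, keys or addresses).
SAMPLE = {
    "alice": [
        ";ApplePasswordServer;0x00000000000000000000000000000001,"
        "1024 35 1234567 root@od.example.com:192.0.2.10",
        ";Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;"
        "1024 35 1234567 root@od.example.com",
    ],
    "bob": [";ShadowHash;"],
    "carol": [],
    "dave": [";basic;"],
}

if __name__ == "__main__":
    for user, values in sorted(SAMPLE.items()):
        print(user, password_location(values))
    print("readable via LDAP only:", syncable_from_ldap(SAMPLE))
```
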
