[midPoint] Storing passwords in Midpoint

Camilo Viecco1 Camilo_Viecco1 at symantec.com
Fri Apr 1 19:53:37 CEST 2016


So why not use a temporary mechanism to push the cleartext password between components (memory/pipe/TLS channel)? Keeping ALL passwords in cleartext is an unnecessary risk; any plans to move away from this?

Camilo

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Devin Rosenbauer <devin at identityworksllc.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Friday, April 1, 2016 at 9:51 AM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Storing passwords in Midpoint

Typically an identity manager needs access to the user's password in cleartext so that it can be set on other systems, e.g. setting the user's initial password on a new account, etc.

On Fri, Apr 1, 2016 at 12:45 PM, Florin. Stingaciu <fstingaciu at mirantis.com> wrote:
Hello,

From my understanding, passwords in Midpoint are encrypted using a 256-bit AES key and then stored in the Midpoint DB. I was wondering if there is any sort of hash applied to the password before it's encrypted. If not, is there a purpose for having access to the clear text password?

Thanks,
-F

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint




--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
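The thread contrasts two needs: reversible storage so the identity manager can push a password to target systems, and one-way storage so the cleartext is not retained afterwards. The following is an added example (not midPoint's code; midPoint's actual storage format is not described here) that models the transient handling Camilo suggests: the AES-256-GCM ciphertext lives only until every pending target has been provisioned, after which the record keeps a salted PBKDF2 hash that can verify a login but cannot be replayed. The cipher mode, KDF parameters and `Credential` class are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'
ITER = 200_000 # PBKDF2 work factor (assumed value; tune to your hardware)

# Reversible form: AES-256-GCM under a key-encryption key held outside the DB.
def encrypt_password(plain, key)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plain) + c.final
  { iv: iv, ct: ct, tag: c.auth_tag }
end

def decrypt_password(blob, key)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[:iv]
  c.auth_tag = blob[:tag]
  c.update(blob[:ct]) + c.final # raises CipherError if key or tag do not match
end

# One-way form: salted PBKDF2-HMAC-SHA256, enough to verify a login, not to replay it.
def hash_password(plain)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, digest: OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITER, 32, 'sha256') }
end

def verify_password(plain, h)
  cand = OpenSSL::PKCS5.pbkdf2_hmac(plain, h[:salt], ITER, 32, 'sha256')
  OpenSSL.fixed_length_secure_compare(cand, h[:digest])
end

# Hypothetical record: keeps the reversible ciphertext only while target systems
# still await the password; after the last one is provisioned only the hash remains.
class Credential
  attr_reader :blob, :pending, :hashed
  def initialize(plain, targets, key)
    @blob = encrypt_password(plain, key)
    @hashed = hash_password(plain)
    @pending = targets.dup
  end
  # Recover the cleartext for one target, hand it to the block, then forget it.
  def provision(target, key)
    raise 'no reversible copy' unless @blob
    yield target, decrypt_password(@blob, key)
    @pending.delete(target)
    @blob = nil if @pending.empty?
  end
end
```

Once `blob` is nil, a later provisioning request cannot recover the cleartext, which is the exposure window the thread is arguing about; a real deployment would also need to decide what happens when a new target is added after retirement (typically a password reset).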

