[midPoint] Short question "password sync"

Radovan Semancik radovan.semancik at evolveum.com
Mon Nov 21 14:34:20 CET 2016


Hi,

MidPoint has built-in "loopback protection" in the inbound part. If an 
inbound expression would set the user property to the same value that it 
already has then the operation should not be propagated to the outbound 
part.

Maybe the problem is that you are trying to encrypt/decrypt the values 
in the script. That should not be necessary. MidPoint should do that 
transparently. However, if you try to do this explicitly in the script you 
may interfere with the way values are compared and the "loopback 
protection" may not work correctly. I'm not sure that this is what 
really happens. It is just what came to my mind when I was reading this.

-- 
Radovan Semancik
Software Architect
evolveum.com
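Added here to illustrate the loopback-protection point above (example code, not midPoint's own): a small Python model in which the inbound script re-encrypts the LDAP value with a fresh random IV on every call, so an equality-based loopback check never sees the same value twice and the sync keeps writing back, versus comparing by decrypted content, where it stops after a single outbound write. The cipher, key and password values are constructed stand-ins (IV plus SHA-256 keystream), not AES and not a real keystore key.

```python
# Added model of midPoint's inbound "loopback protection"; not midPoint's own code.
# Constructed assumptions: LDAP holds a ciphertext made with a fresh random IV on
# every encryption, and the toy IV + SHA-256 keystream below stands in for AES.
import hashlib
import os

KEY = b"constructed-demo-key"   # stand-in for the key read from the keystore
IV_LEN = 16

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def script_encrypt(plaintext: str, key: bytes = KEY) -> bytes:
    """Random IV per call: the same password never yields the same bytes twice."""
    iv = os.urandom(IV_LEN)
    data = plaintext.encode()
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))

def script_decrypt(blob: bytes, key: bytes = KEY) -> str:
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body)))).decode()

def compare_raw(a: bytes, b: bytes) -> bool:
    """What the loopback check sees when the script hands it freshly encrypted bytes."""
    return a == b

def compare_decrypted(a: bytes, b: bytes) -> bool:
    """Comparison by protected content, the way midPoint handles it transparently."""
    return script_decrypt(a) == script_decrypt(b)

def live_sync_rounds(ldap_password: str, stored: bytes, equal, max_rounds: int = 10) -> int:
    """Simulate live-sync after one real LDAP password change.

    Each round the inbound script encrypts the LDAP value; if loopback protection
    finds it equal to the stored value nothing goes outbound and the loop ends,
    otherwise it is stored and written back to LDAP, which live-sync sees again.
    Returns the number of outbound writes (max_rounds means an endless loop)."""
    writes = 0
    while writes < max_rounds:
        candidate = script_encrypt(ldap_password)
        if equal(candidate, stored):
            return writes
        stored = candidate
        writes += 1
    return writes

if __name__ == "__main__":
    before = script_encrypt("old-secret")
    print("raw:", live_sync_rounds("new-secret", before, compare_raw))              # 10
    print("decrypted:", live_sync_rounds("new-secret", before, compare_decrypted))  # 1
```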



On 11/21/2016 01:23 PM, Menke, Christopher wrote:
>
> Dear Ivan,
>
> we use an OpenLDAP server and we want to synchronize real passwords 
> encrypted over this LDAP.
>
> You can find my configuration within the appendix.
>
> In inbound I decrypt an existing AES password with a key from the 
> keystore and in outbound I want to send the encrypted string to LDAP.
>
> Problem is the live-sync. If I change the password in LDAP, midpoint 
> overwrites it directly and there is an endless loop.
>
> Best regards,
> Christopher
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On 
> behalf of *Ivan Noris
> *Sent:* Monday, 21 November 2016 12:01
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Short question "password sync"
>
> Hi Christopher,
>
> what is your setup? What LDAP server are you using and what's the 
> password algorithm/storage in the LDAP server? Are you synchronizing 
> real passwords from LDAP server to midPoint, or generating random 
> passwords in midPoint?
>
> Can you also paste the corresponding mappings for credentials/password 
> (probably you have outbound as well as inbound)?
>
> Thanks,
>
> Ivan
>
> On 11/21/2016 11:41 AM, Menke, Christopher wrote:
>
>     Dear all,
>
>     we want to sync an encrypted password between midpoint and a
>     second system (LDAP).
>
>     If we change the password within the LDAP (live-sync), midpoint
>     encrypts the password (Groovy Script) and overwrites the internal
>     password.
>
>     But then midpoint overwrites the password again in LDAP.
>
>     Is there a loopback-protection to prevent that tasks coming from
>     LDAP-LiveSync overwrite the password again in LDAP?
>
>     Best regards,
>
>     Christopher
>
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>

