[midPoint] Short question "password sync"

Ivan Noris ivan.noris at evolveum.com
Mon Nov 21 14:50:25 CET 2016


Hi Christopher,

another thing is that you can limit a mapping to be executed only for a
specific channel (or for all channels other than a specific one), so e.g. the
outbound mapping would not push the password to OpenLDAP when the change
comes from livesync.

Would this be a workaround/solution for you?

Also I remember the connector has a configuration property
"modifiersNamesToFilterOut" - so if you configure this with the DN of the
user midPoint is using for provisioning, the loop will not be endless,
because after midPoint modifies the password in OpenLDAP, the change
will then be ignored by livesync...

Regards,

Ivan


On 11/21/2016 01:23 PM, Menke, Christopher wrote:
>
> Dear Ivan,
>
>  
>
> We use an OpenLDAP server and we want to synchronize real passwords,
> encrypted, over this LDAP.
>
> You can find my configuration within the appendix.
>
> In the inbound mapping I decrypt an existing AES-encrypted password with a
> key from the keystore, and in the outbound mapping I want to send the
> encrypted string to LDAP.
>
> The problem is the live sync. If I change the password in LDAP, midPoint
> overwrites it directly and there is an endless loop.
>
>  
>
> Best regards,
> Christopher
>
>  
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
> behalf of* Ivan Noris
> *Sent:* Monday, 21 November 2016 12:01
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Short question "password sync"
>
>  
>
> Hi Christopher,
>
> what is your setup? What LDAP server are you using and what's the
> password algorithm/storage in the LDAP server? Are you synchronizing
> real passwords from LDAP server to midPoint, or generating random
> passwords in midPoint?
>
> Can you also paste the corresponding mappings for credentials/password
> (probably you have outbound as well as inbound)?
>
> Thanks,
>
> Ivan
>
>  
>
> On 11/21/2016 11:41 AM, Menke, Christopher wrote:
>
>     Dear all,
>
>      
>
>     We want to sync an encrypted password between midPoint and a
>     second system (LDAP).
>
>     If we change the password within the LDAP (live sync), midPoint
>     encrypts the password (Groovy script) and overwrites the internal
>     password.
>
>     But then midPoint overwrites the password again in LDAP.
>
>     Is there loopback protection to prevent tasks coming from LDAP
>     live sync from overwriting the password again in LDAP?
>
>      
>
>     Best regards,
>
>     Christopher
>
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
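The two suggestions above (restricting the outbound password mapping by channel, and filtering out midPoint's own modifications in the connector) can both be expressed in the resource definition. The fragment below is an added illustration written for this thread, not configuration from the original mails or from Evolveum's documentation. It assumes midPoint 3.x element names and the 3.x live-sync channel URI, the Evolveum LDAP connector namespace shown in the `icfcldap` prefix, a dedicated bind DN `cn=midpoint,dc=example,dc=org`, and `asIs` expressions where Christopher's own Groovy decrypt/encrypt scripts would go; everything else in a real resource (connectorRef, schema, synchronization section) is left out.

```xml
<!-- Added example: fragment of a midPoint 3.x resource for OpenLDAP (assumed structure, trimmed). -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>OpenLDAP (password sync example)</name>

    <!-- connectorRef and the rest of the connector setup are omitted here. -->
    <connectorConfiguration>
        <icfc:configurationProperties>
            <icfcldap:host>ldap.example.org</icfcldap:host>
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:baseContext>dc=example,dc=org</icfcldap:baseContext>
            <!-- Assumption: a DN used by nobody but midPoint. -->
            <icfcldap:bindDn>cn=midpoint,dc=example,dc=org</icfcldap:bindDn>
            <!-- Second suggestion from the thread: changes made by midPoint's own bind DN
                 are dropped by live sync, so midPoint's password write does not come back
                 as a new inbound change. -->
            <icfcldap:modifiersNamesToFilterOut>cn=midpoint,dc=example,dc=org</icfcldap:modifiersNamesToFilterOut>
        </icfc:configurationProperties>
    </connectorConfiguration>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <credentials>
                <password>
                    <outbound>
                        <name>password-to-openldap</name>
                        <strength>strong</strength>
                        <!-- First suggestion from the thread: run this outbound mapping for every
                             channel except live sync, so a password that just arrived from LDAP
                             is not immediately pushed back to LDAP. Assumption: this is the
                             midPoint 3.x live-sync channel URI. -->
                        <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</exceptChannel>
                        <expression>
                            <!-- Your Groovy "encrypt before sending" script replaces asIs here. -->
                            <asIs/>
                        </expression>
                    </outbound>
                    <inbound>
                        <name>password-from-openldap</name>
                        <strength>strong</strength>
                        <expression>
                            <!-- Your Groovy "decrypt with keystore key" script replaces asIs here. -->
                            <asIs/>
                        </expression>
                    </inbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>
</resource>
```

Two points worth checking before relying on this. The channel restriction only skips the outbound push for the recompute triggered by live sync; a later reconciliation or a user edit in midPoint still runs the mapping, which is the intended behaviour since midPoint then holds the same value. The modifier filter is only as good as the separation of identities: if administrators or other tools ever bind with the same DN as midPoint, their password changes are filtered out of live sync too, so give midPoint a DN used by nothing else.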
