[midPoint] Short question "password sync"

Menke, Christopher christopher.menke at gwdg.de
Mon Nov 21 15:20:26 CET 2016


Dear Ivan and Redovan,

thanks for your reply.
I saw a few minutes ago that there is no loop. The LDAP value is overwritten with the password value from midPoint, and in a second step it is deleted. This also happens with exceptChannel liveSync in the outbound mapping.

Can you help?
The problem is that the second system uses a different padding for passwords, so we need to decrypt and encrypt the passwords within the script, because midPoint only supports AES/CBC/ISO10126Padding and not PKCS5Padding.

CONFIG:
<attribute>
            <c:ref>ri:password</c:ref>
            <limitations>
               <ignore>false</ignore>
               <access>
                  <read>true</read>
                  <add>true</add>
                  <modify>true</modify>
               </access>
            </limitations>
            <tolerant>false</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <outbound>
               <authoritative>false</authoritative>
               <exclusive>false</exclusive>
               <strength>normal</strength>
               <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</exceptChannel>
               <source>
                  <c:path>$focus/credentials/password/value</c:path>
               </source>
            </outbound>
            <inbound>
               <authoritative>false</authoritative>
               <exclusive>false</exclusive>
               <strength>strong</strength>
               <expression>
                  <script>
                     <code>
        import java.util.Arrays;
        import java.util.Base64;

        import javax.crypto.Cipher;
        import javax.crypto.spec.IvParameterSpec;
        import javax.crypto.spec.SecretKeySpec;

        // The LDAP value is base64(IV || ciphertext): a 128-bit CBC IV followed by
        // the AES/CBC/PKCS5Padding ciphertext written by the second system.
        int ivLength = 128 / 8;

        if (input != null) {

            // NOTE: this writes the encrypted password token to the log at INFO level.
            log.info(input);

            byte[] cipherWithIV = Base64.getDecoder().decode(input.getBytes("UTF-8"));
            byte[] iv = Arrays.copyOfRange(cipherWithIV, 0, ivLength);
            byte[] cipherText = Arrays.copyOfRange(cipherWithIV, ivLength, cipherWithIV.length);

            // PKCS5Padding, because that is what the second system uses (midPoint's
            // own protector uses ISO10126Padding).
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // "sdfsdf" is a placeholder in this post; a real AES key must be 16, 24 or 32 bytes.
            SecretKeySpec secretKey = new SecretKeySpec("sdfsdf".getBytes("UTF-8"), "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            cipher.init(Cipher.DECRYPT_MODE, secretKey, ivSpec);

            String decryptedString = new String(cipher.doFinal(cipherText), "UTF-8");
            return decryptedString;
        }
        // input == null: the script falls through and returns null, so the target stays unset
    </code>
                  </script>
               </expression>
               <target>
                  <c:path>$focus/credentials/password/value</c:path>
               </target>
               <condition>
                  <script>
                     <code>
        basic.isEmpty(input)
    </code>
                  </script>
               </condition>
            </inbound>
         </attribute>

LOG:

2016-11-21 14:30:44,910 [] [Thread-219] TRACE (com.evolveum.polygon.connector.ldap.sync.ModifyTimestampSyncStrategy): method: null msg:Found entry: Entry
    dn: cn=0034280,ou=user,dc=test,dc=de
    …
    uid: adicsn2
    password: 1pvAmuWsk…
    …
    createTimestamp: 20161010080815Z
    modifyTimestamp: 20161121133039Z

  2016-11-21 14:30:46,578 [] [midPointScheduler_Worker-4] DEBUG (com.evolveum.polygon.connector.ldap.OperationLog): method: null msg:ldaps://idvault1.test.de/ Search RES Entry
    dn: cn=0034280,ou=user,dc=test,dc=de
    entryUUID: 70cda5c0-230c-1036-9d21-d1e8d82e4893


2016-11-21 14:30:46,580 [] [midPointScheduler_Worker-4] DEBUG (com.evolveum.polygon.connector.ldap.OperationLog): method: null msg:ldaps://idvault1.test.de/ Modify REQ cn=0034280,ou=user,dc=test,dc=de: [replace:password: 0ZHSxmFY…….,], control=null
2016-11-21 14:30:46,658 [] [midPointScheduler_Worker-4] DEBUG (com.evolveum.polygon.connector.ldap.OperationLog): method: null msg:ldaps://idvault1.test.de/ Modify RES cn=0034280,ou=user,dc=test,dc=de:         Ldap Result
            Result code : (SUCCESS) success
            Matched Dn : ''
            Diagnostic message : ''

###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
Triggered by absolute state of account(ID {.../resource/instance-3}entryUUID = [ 70cda5c0-230c-1036-9d21-d1e8d82e4893 ], type 'default', resource:9bedbf46-7577-4b62-ab05-db2e133bca85(IDVault)): LINKED -> LINKED
Focus: focus(user:412bc288-fb14-45e3-9be1-57860a894fb3(adicsn2))
Projections (1):
  account(ID {.../resource/instance-3}entryUUID = [ 70cda5c0-230c-1036-9d21-d1e8d82e4893 ], type 'default', resource:9bedbf46-7577-4b62-ab05-db2e133bca85(IDVault)): KEEP
Executed:
  ObjectDelta(ShadowType:21416d6e-eb14-4c21-8ea0-29c8a174ca80,MODIFY: PropertyDelta(attributes / {.../resource/instance-3}password, DELETE), PropertyDelta(metadata / {.../common/common-3}modifyChannel, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyTimestamp, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifierRef, REPLACE)): SUCCESS
##############################################################
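
The padding mismatch mentioned above (AES/CBC/ISO10126Padding on the midPoint side, AES/CBC/PKCS5Padding on the second system) is narrower than it looks, and the following Python is an added example illustrating it; it is not code from the original post or from midPoint. PKCS#5 fills every pad byte with the pad length, whereas ISO 10126 fills only the last byte with the length and the bytes before it with random data. An ISO 10126 unpadder therefore accepts PKCS#5-padded data (it checks only the last byte), while a PKCS#5 unpadder rejects ISO 10126 padding whenever any filler byte differs from the length. The block also mirrors the script's parsing of base64(IV || ciphertext). The `rand` parameter, the function names and the sample values are this example's own constructions.

```python
import base64
import os

BLOCK = 16    # AES block size in bytes
IV_LEN = 16   # the script above prefixes a 128-bit IV to the ciphertext


def pad_pkcs5(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#5/#7: every pad byte carries the pad length (1..block)."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pad_iso10126(data: bytes, block: int = BLOCK, rand=os.urandom) -> bytes:
    """ISO 10126: only the last byte carries the pad length, the rest is random.
    `rand` is injectable (constructed for this example) so runs can be deterministic."""
    n = block - len(data) % block
    return data + rand(n - 1) + bytes([n])


def unpad_pkcs5(padded: bytes, block: int = BLOCK) -> bytes:
    """Strict check: length byte in range and all pad bytes equal to it."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS5 padding")
    return padded[:-n]


def unpad_iso10126(padded: bytes, block: int = BLOCK) -> bytes:
    """Only the last byte is checked, so PKCS#5-padded input also passes."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block:
        raise ValueError("bad ISO10126 padding")
    return padded[:-n]


def unpad_ok(unpad, padded: bytes) -> bool:
    """True if `unpad` accepts `padded` without raising."""
    try:
        unpad(padded)
        return True
    except ValueError:
        return False


def split_iv_ciphertext(token: str, iv_len: int = IV_LEN) -> tuple:
    """Mirror the Groovy script's parsing: base64 -> (IV, ciphertext), with the
    length checks the script omits."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < iv_len + BLOCK or (len(raw) - iv_len) % BLOCK:
        raise ValueError("token too short or ciphertext not block-aligned")
    return raw[:iv_len], raw[iv_len:]


def interop_matrix(plaintext: bytes, rand=os.urandom) -> dict:
    """Which unpadder accepts which padder's output (padder -> unpadder)."""
    p5 = pad_pkcs5(plaintext)
    iso = pad_iso10126(plaintext, rand=rand)
    return {
        "pkcs5->pkcs5": unpad_ok(unpad_pkcs5, p5),
        "pkcs5->iso10126": unpad_ok(unpad_iso10126, p5),
        "iso10126->iso10126": unpad_ok(unpad_iso10126, iso),
        "iso10126->pkcs5": unpad_ok(unpad_pkcs5, iso),
    }


if __name__ == "__main__":
    # constructed sample: 6 bytes need 10 pad bytes, so the two schemes differ
    print(interop_matrix(b"secret"))
```

Consequence for the thread: with the same key and IV, a decryptor configured for ISO10126Padding still unpads PKCS5Padding ciphertext, whereas a PKCS5Padding decryptor rejects ISO10126Padding ciphertext almost always (the two encodings coincide only when exactly one pad byte is needed). The direction that needs the script is therefore the one where the PKCS#5 side does the decrypting. Neither scheme authenticates the ciphertext: AES/CBC with either padding gives no integrity check, and a padding failure that is distinguishable from other failures is the classic padding-oracle signal, so unpadding errors should be surfaced generically and not logged together with the token.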




From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] on behalf of Ivan Noris
Sent: Monday, 21 November 2016 14:50
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Short question "password sync"


Hi Christopher,

Another thing is that you can limit a mapping to be executed only for a specific channel (or for all channels other than a specific one), so e.g. the outbound mapping would not push the password to OpenLDAP when it comes from livesync.

Would this be a workaround/solution for you?

Also, I remember the connector has a configuration property "modifiersNamesToFilterOut", so if you configure this with the DN of the user midPoint is using for provisioning, the loop will not be endless, because after midPoint modifies the password in OpenLDAP, the change will then be ignored by livesync...

Regards,

Ivan

On 11/21/2016 01:23 PM, Menke, Christopher wrote:
Dear Ivan,

We are using an OpenLDAP server and we want to synchronize real passwords, encrypted, over this LDAP.
You can find my configuration in the appendix.
In the inbound mapping I decrypt an existing AES-encrypted password with a key from the keystore, and in the outbound mapping I want to send the encrypted string to LDAP.
The problem is the live sync: if I change the password in LDAP, midPoint overwrites it directly and there is an endless loop.

Best regards,
Christopher

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] on behalf of Ivan Noris
Sent: Monday, 21 November 2016 12:01
To: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Short question "password sync"


Hi Christopher,

What is your setup? What LDAP server are you using, and what is the password algorithm/storage in the LDAP server? Are you synchronizing real passwords from the LDAP server to midPoint, or generating random passwords in midPoint?

Can you also paste the corresponding mappings for credentials/password (probably you have outbound as well as inbound)?

Thanks,

Ivan

On 11/21/2016 11:41 AM, Menke, Christopher wrote:
Dear all,

We want to sync an encrypted password between midPoint and a second system (LDAP).
If we change the password within the LDAP (live sync), midPoint encrypts the password (Groovy script) and overwrites the internal password.
But then midPoint overwrites the password again in LDAP.
Is there a loopback protection to prevent tasks coming from the LDAP live sync from overwriting the password again in LDAP?

Best regards,
Christopher





_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint




--
Ivan Noris
Senior Identity Engineer
evolveum.com



