[midPoint] Synchronizing Encrypted User Password

Radovan Semancik radovan.semancik at evolveum.com
Wed Sep 14 11:37:44 CEST 2016


Hi Patrick,

On 09/14/2016 01:59 AM, pdbogen at cernu.us wrote:
> I 100% understand the need for midpoint to be able to access plaintext user
> passwords, and I want to make this possible; but without needing to actually
> persist the data on the Midpoint side.

This is currently not supported in the midPoint implementation. It might be 
possible, but it can be a long and difficult road ...

I would absolutely love to implement a proper way to do this. But 
currently the midPoint team has other priorities. And that's quite 
unlikely to change at least in the next 6-12 months. The only way to 
get this implemented in the near future is to do it yourself or to use 
subscription or sponsoring: 
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
If you could secure some funding for this feature it should still be 
possible to change our priorities.

> Therefore I'd like to sync it to LDAP. I've amended our custom schema to
> include a very restricted `encryptedPassword` field, and I'd like to sync the
> midpoint-encrypted password there.
>
> I'm having a little bit of trouble accomplishing this, however. It is not
> clear to me how I can reliably obtain a serializable value from
> $user/credentials/password/value.
>
> I was hoping to use getClearValue(), but that seems to usually be null (see
> also MID-3399). It seems non-trivial to get the serializable encrypted value,
> which is a three-member class. I suppose I could create three fields, but I'd
> rather at least serialize it as JSON or something; but the groovy environment
> doesn't seem to have JSON support, as far as I can tell.

I'm not entirely sure that I understand what you are looking for. 
$user/credentials/password/value is a ProtectedString. And that is 
serializable. So if you define your encryptedPassword as 
ProtectedStringType then all you need is to copy the whole 
$user/credentials/password/value. The getClearValue() really should not 
throw an NPE and that is most likely a bug. But unless you want to do some 
operations on the cleartext (e.g. appending something to the password, 
comparing it with another password, etc.) you should not need the 
clear value at all. MidPoint is designed in such a way that it will 
encrypt the value at the first realistically possible moment and then 
work with the encrypted value all the time. And decrypt it again at the last moment when a 
cleartext is needed (usually in connector integration code).

-- 
Radovan Semancik
Software Architect
evolveum.com
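The pattern Radovan describes (encrypt at the first possible moment, carry the protected value everywhere, copy it whole into the target attribute, and decrypt only where a connector needs the clear text) as an added, self-contained illustration in Go. This is example code written for this page, not midPoint's code: the `ProtectedString`, `Protector`, `MapEncryptedPassword` and `SameCipherText` names are hypothetical stand-ins for ProtectedStringType and the mapping the thread talks about, the AES-256-GCM wrapping is my choice of algorithm, and the password value is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ProtectedString is a hypothetical stand-in for the three-member
// ProtectedStringType from the thread: a key reference, the algorithm name
// and the cipher data. It carries no clear text.
type ProtectedString struct {
	KeyName    string
	Algorithm  string
	CipherData []byte // nonce || AES-GCM ciphertext
}

// Protector owns the symmetric keys. Only code at the connector boundary
// (the "last moment") should call Decrypt on it.
type Protector struct {
	keys map[string][]byte // 32-byte AES-256 keys indexed by key name
}

func NewProtector() *Protector { return &Protector{keys: map[string][]byte{}} }

// AddKey registers a key under a name that ProtectedString.KeyName can reference.
func (p *Protector) AddKey(name string, key []byte) { p.keys[name] = key }

func (p *Protector) gcm(keyName string) (cipher.AEAD, error) {
	key, ok := p.keys[keyName]
	if !ok {
		return nil, errors.New("unknown key: " + keyName)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the "first realistically possible moment": the clear text is
// wrapped into a ProtectedString as soon as it enters the system.
func (p *Protector) Encrypt(keyName, clear string) (ProtectedString, error) {
	aead, err := p.gcm(keyName)
	if err != nil {
		return ProtectedString{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ProtectedString{}, err
	}
	sealed := aead.Seal(nonce, nonce, []byte(clear), nil) // nonce prefix + ciphertext
	return ProtectedString{KeyName: keyName, Algorithm: "AES-256-GCM", CipherData: sealed}, nil
}

// Decrypt is the "last moment": only connector integration code that must
// hand a clear password to the target system should call it.
func (p *Protector) Decrypt(ps ProtectedString) (string, error) {
	aead, err := p.gcm(ps.KeyName)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(ps.CipherData) < n {
		return "", errors.New("cipher data too short")
	}
	clear, err := aead.Open(nil, ps.CipherData[:n], ps.CipherData[n:], nil)
	if err != nil {
		return "", err
	}
	return string(clear), nil
}

// MapEncryptedPassword is the outbound mapping from the thread: it copies the
// whole protected value into the target attribute and never touches clear text,
// so the mapping itself needs no key and no getClearValue() call.
func MapEncryptedPassword(userPassword ProtectedString) ProtectedString {
	copied := ProtectedString{KeyName: userPassword.KeyName, Algorithm: userPassword.Algorithm}
	copied.CipherData = append([]byte(nil), userPassword.CipherData...)
	return copied
}

// SameCipherText reports whether two protected values carry identical cipher
// data, i.e. that the mapping copied the value rather than re-encrypting it.
func SameCipherText(a, b ProtectedString) bool {
	return a.KeyName == b.KeyName && a.Algorithm == b.Algorithm && bytes.Equal(a.CipherData, b.CipherData)
}

func main() {
	p := NewProtector()
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key)
	p.AddKey("default", key)

	userPw, _ := p.Encrypt("default", "s3cret-example") // constructed sample value
	ldapAttr := MapEncryptedPassword(userPw)              // the mapping: copy, no clear text
	fmt.Printf("copied unchanged: %v\n", SameCipherText(userPw, ldapAttr))
	clear, err := p.Decrypt(ldapAttr) // only the connector side does this
	fmt.Println(clear, err)
}
```

The point worth noticing is that `MapEncryptedPassword` takes no `Protector`: a mapping that copies the protected value does not need key material at all, and a target that stores the value as ProtectedStringType can hold it without ever seeing the clear text. A component without the key (a second `Protector` with no keys registered) gets an error from `Decrypt`, which is the behaviour you want for everything outside the connector boundary.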



