[midPoint] How to set AD password from Midpoint?

Petr Gašparík - AMI Praha a.s. petr.gasparik at ami.cz
Thu Jan 4 09:11:44 CET 2018


Hi, as Oleksandr says, AD disallows manipulating userPassword
directly. Instead, the credentials tag is used.
Also, SSL is a must.

In general, WILL_NOT_PERFORM is almost always a wrongly set password - in our
cases mostly a policy violation (weak or no/badly set password).

Petr

--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded,
must be exclusively in written form.


2018-01-04 8:39 GMT+01:00 Oleksandr Nekriach <o.nekriach at dynatech.lv>:

> Hello,
> It is strange, I was sure that the problem is in SSL.
> See
> Known Causes
> - This is caused when you don't use SSL in your LDAP connection and AD
> enforces SSL connection.
> - There are password policies in the AD environment
>
> In my Midpoint instance I don't use a "direct" outbound mapping for
> userPassword.
> Instead, I use
>
> <credentials>
>     <password>
>         <outbound>
>             <expression>
>                 <asIs xsi:type="c:AsIsExpressionEvaluatorType"/>
>             </expression>
>         </outbound>
>     </password>
> </credentials>
>
> On 4 January 2018 at 02:00, Alcides Carlos de Moraes Neto
> <alcides.neto at gmail.com> wrote:
> > Hello,
> >
> > Yes, I'm using ldaps.
> >
> > 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach <o.nekriach at dynatech.lv>:
> >>
> >> Happy new year!
> >> Hi Alcides,
> >> Do you use secure communication for AD connection (ldaps) or not?
> >> Some AD settings do not allow managing passwords via open
> >> communications.
> >> I had a similar issue a few years ago with the Oracle connector ;)
> >>
> >> Regards, Oleksandr
> >>
> >>
> >> On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto
> >> <alcides.neto at gmail.com> wrote:
> >> > Hello list,
> >> >
> >> > I'm trying to create AD users from Midpoint. I'm getting the 53
> >> > WILL_NOT_PERFORM error, which seems to be related to the password
> >> > policy.
> >> > The AD I'm using does have a password policy.
> >> >
> >> > So I'm trying to set some literal, strong password as a placeholder, but
> >> > I don't think my mapping is working. How should I configure it? I cannot
> >> > find any examples. Below are the error I get and the password outbound
> >> > mapping.
> >> >
> >> > com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> >> > exception:
> >> >
> >> > org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> >> > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local:
> >> > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003
> >> > (WILL_NOT_PERFORM), data 0 (53)
> >> >
> >> > <attribute>
> >> >     <c:ref>ri:userPassword</c:ref>
> >> >     <tolerant>true</tolerant>
> >> >     <exclusiveStrong>false</exclusiveStrong>
> >> >     <fetchStrategy>explicit</fetchStrategy>
> >> >     <outbound>
> >> >         <authoritative>true</authoritative>
> >> >         <exclusive>false</exclusive>
> >> >         <strength>normal</strength>
> >> >         <expression>
> >> >             <value>Midpoint2018*</value>
> >> >         </expression>
> >> >     </outbound>
> >> > </attribute>
> >> >
> >> >
> >> > Thanks and happy new year to all =)
> >> >
> >> > _______________________________________________
> >> > midPoint mailing list
> >> > midPoint at lists.evolveum.com
> >> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >> >
> >>
> >>
> >>
> >> --
> >> Best regards,
> >>
> >> Oleksandr Nekriach | Identity and access management engineer
> >>
> >> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
> >>
> >> +37125314685 | o.nekriach at dynatech.lv | www.dynatech.lv
> >>
> >>
> >>
> >>
> >> Confidentiality Notice: This message contains confidential information
> >> and is intended only for the named recipient(s). If you are not the
> >> addressee you may not copy, distribute or perform any other activities
> >> with this information. If you have received this transmission in
> >> error, please notify us by e-mail immediately. E-mail transmission
> >> cannot be guaranteed to be secure or error-free as information could
> >> be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
> >> or contain viruses.
>
>
>
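Both causes named in the thread (no SSL on the connection, and a domain password policy) come back from AD as the same LDAP result 53 WILL_NOT_PERFORM, but the eight-digit hex value in front of "SvcErr" is a Win32 error code that tells them apart. The Python below is an added example, not code from the thread or from midPoint: it parses the AD error text as it appears in the connector exception and maps the Win32 code to the likely cause, so an operator can tell whether to look at the connector's TLS setting or at the generated password before changing any mapping. The mapping of 0x52D to ERROR_PASSWORD_RESTRICTION and of 0x1F to ERROR_GEN_FAILURE (the code AD returns when a password is written over an unencrypted bind) is taken from Microsoft's Win32 error list, which the thread itself does not cite; the sample lines are constructed, the first reconstructed from the error Alcides quoted.

```python
import re
from typing import Dict, Optional, Tuple

# Shape of AD's extended error text as surfaced inside the connector's
# PermissionDeniedException in the thread:
#   <ldapResultName>: <win32 hex>: SvcErr: DSID-<hex>, problem <n> (<NAME>), data <n> (<ldapCode>)
AD_ERROR_RE = re.compile(
    r"(?P<ldap_name>[A-Za-z]+):\s*(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*"
    r"DSID-(?P<dsid>[0-9A-Fa-f]+),\s*problem\s+(?P<problem>\d+)\s+\((?P<problem_name>\w+)\)"
    r"(?:,\s*data\s+(?P<data>[0-9A-Fa-f]+))?"
    r"(?:\s*\((?P<ldap_code>\d+)\))?"
)

# Win32 codes AD places in front of WILL_NOT_PERFORM for password writes.
# These two are the causes the thread discusses (Win32 names from Microsoft's
# error list); any other code is reported as unknown rather than guessed.
WIN32_CAUSES: Dict[int, Tuple[str, str]] = {
    0x52D: ("ERROR_PASSWORD_RESTRICTION",
            "password rejected by the domain password policy (length, complexity, "
            "history or minimum age); check the generated value against the policy"),
    0x1F: ("ERROR_GEN_FAILURE",
           "typically a password write over an unencrypted bind; AD accepts "
           "password changes only on an encrypted (LDAPS) connection"),
}


def parse_ad_error(message: str) -> Optional[Dict[str, object]]:
    """Extract the structured fields from an AD extended error, or None if absent."""
    m = AD_ERROR_RE.search(message)
    if m is None:
        return None
    return {
        "ldap_result": m.group("ldap_name"),
        "ldap_code": int(m.group("ldap_code")) if m.group("ldap_code") else None,
        "win32": int(m.group("win32"), 16),
        "problem": int(m.group("problem")),
        "problem_name": m.group("problem_name"),
        "data": int(m.group("data"), 16) if m.group("data") else None,
    }


def classify(message: str) -> Optional[Tuple[str, str]]:
    """Return (Win32 symbolic name, likely cause) for a WILL_NOT_PERFORM error."""
    info = parse_ad_error(message)
    if info is None:
        return None
    if info["problem_name"] != "WILL_NOT_PERFORM":
        return ("NOT_WILL_NOT_PERFORM", "different AD problem: %s" % info["problem_name"])
    return WIN32_CAUSES.get(
        info["win32"],
        ("UNKNOWN_0x%X" % info["win32"], "look the Win32 code up before changing the mapping"),
    )


# Constructed sample lines. The first reproduces the error quoted in the thread
# (with the garbled "data 0?? (53)" restored as "data 0 (53)"); the second is a
# made-up line carrying the code AD returns for an unencrypted password write.
SAMPLE_POLICY = (
    "Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: "
    "unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 "
    "(WILL_NOT_PERFORM), data 0 (53)"
)
SAMPLE_NO_TLS = (
    "unwillingToPerform: 0000001F: SvcErr: DSID-031A12D2, problem 5003 "
    "(WILL_NOT_PERFORM), data 0 (53)"
)

if __name__ == "__main__":
    for line in (SAMPLE_POLICY, SAMPLE_NO_TLS, "connection refused"):
        print(line[:60], "->", classify(line))
```

Run against a midPoint log or the exception text pasted from the GUI; a result of ERROR_PASSWORD_RESTRICTION means the TLS setting is already fine and the value produced by the outbound mapping (or the domain policy) is what needs attention, which is the reading Petr gives above.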