[Midpoint-dev] Consuming the midPoint web service from C#

Pavol Mederly pavol.mederly at gmail.com
Wed Sep 25 10:28:52 CEST 2013


Hello Paul,

on the Windows side the solution (password filter) seems to be quite 
robust - it is possible to set up e.g. how many times the Windows 
server will try to contact the SSOD daemon.
You need to install Identity Management for UNIX 
<http://technet.microsoft.com/en-us/library/cc772571.aspx> (for Windows 
Server 2008 R2, Windows Server 2012).

In the attachment I send you the sources of a Java server that is able 
to decrypt these password-change messages coming from the Windows host.

Currently it only displays the password value (and checks the signature 
if the message is authentic), e.g.

[main] INFO ssod.Server - Listening on port 6677
[main] INFO ssod.Server - *Username = a0, password = a123456*
[main] INFO ssod.Server - SigReceived size = 20, data = 78, 110, 68, 12, 
124, 7, 82, 15, 81, 72, 83, -69, -107, -26, -13, 82, 78, -28, 103, 103
[main] INFO ssod.Server - SigExpected size = 20, data = 78, 110, 68, 12, 
124, 7, 82, 15, 81, 72, 83, -69, -107, -26, -13, 82, 78, -28, 103, 103
[main] INFO ssod.Server - Match = true

My code is highly experimental. I had only very limited time to devote 
to it. It was tested against Windows Server 2008 R2.
It should be enhanced e.g. to store the password to midPoint, to do 
proper error handling, etc.
Although I plan to do so, I don't know when I will have the time to do that.

Best regards,
Pavol

> Hi Pavol,
>
> You're correct, we wish to synchronise passwords from AD to midPoint (and
> then on to other systems).
>
> Can't say I've come across the Password Synchronization Single Sign On
> Daemon (SSOD) before, if you have the source that would be good and
> we'll take a look and see if this is a better solution.  It certainly
> has the advantage that we wouldn't need to maintain a password filter.
>
> Regards
> Paul
>
> On 20 September 2013 08:48, Pavol Mederly <pavol.mederly at gmail.com> wrote:
>> Hello Paul,
>>
>> while having a look at the patch I've sent you ... what's the reason for
>> implementing the password filter, anyway? Is it because you need to
>> synchronize passwords from AD to midPoint?
>>
>> If it is so, there is a prototype of such a password synchronizer that we have
>> prepared in cooperation with people at Comenius University in Bratislava. It
>> uses a standard Microsoft-supplied component, Password Synchronization Single
>> Sign On Daemon (SSOD), which is able to push password changes from a Windows
>> host to any external box (Microsoft provides a Unix-side server). I've
>> implemented the receiver side as a Java TCP server. Although it currently
>> only decrypts password change notifications and prints the password to the
>> console, it should be easy to change it to push passwords to midPoint via
>> the local model Java API. If you would be interested in this, I could try to
>> find the sources ;)
>>
>> Of course, we will try to solve the C# webservice issue as well. I've
>> created a jira for it: https://jira.evolveum.com/browse/MID-1603.
>>
>> Best regards,
>> Pavol
>>
