[midPoint] Synchronize passwords AD --> MidPoint
Pavol Mederly
mederly at evolveum.com
Fri Jul 4 19:46:30 CEST 2014
On 4. 7. 2014 14:23, Roman Pudil - AMI Praha a.s. wrote:
> Hi all,
> how to synchronize passwords between Active Directory and MidPoint
> (both directions)?
> Name of resource attribute where actual AD password is stored?
Hello Roman,
the midPoint -> AD direction is easy. You simply have to set up
    <credentials>
        <password>
            <outbound/>
        </password>
    </credentials>
in the "account" section of the schema handling.
As for AD -> midPoint, it is not possible to get actual passwords from
Active Directory. It is not a limitation of midPoint - it is a security
feature of AD.
IDM solutions dealing with Active Directory traditionally use a feature
called a password filter. It is code sitting on the AD domain controller,
listening for "password change" events and propagating those events to
the particular IDM.
Guys from Salford Software created such a component for midPoint some
time ago and posted it here. It is available at
https://github.com/Evolveum/midpoint-password-agent-ad. It has two
parts: one collects password changes and stores them in a file, and the
other one sends the changes to midPoint via its SOAP interface. However,
I haven't tried this solution yet; e.g. I'm not sure whether it is
compatible with the midPoint SOAP interface changes introduced in 3.0. But
you could easily try that.
Best regards,
Pavol
>
> Thanks!
> Regards
> Roman Pudil
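
A password filter is loaded by LSA on the domain controller and is handed each new password in clear text, so the set of registered filters is worth auditing wherever such an agent is deployed. The following is an added example, not part of the original message or of the midpoint-password-agent-ad project: a PowerShell check that lists the packages registered in the LSA "Notification Packages" value and flags any that are not on an allowlist or not validly signed. The allowlist entries are assumptions and must be adjusted for the environment.

```powershell
# Added example: audit the password filters registered on a domain controller.
# Assumption: $Allowed is a site-specific allowlist. 'scecli' is a Windows
# default; 'example-idm-filter' is a hypothetical placeholder name.
$Allowed = @('scecli', 'example-idm-filter')

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

$report = foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Packages are registered by base name and loaded from System32.
    $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
    $exists = Test-Path -LiteralPath $dll
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    $hash   = if ($exists) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash } else { $null }

    [pscustomobject]@{
        Package   = $name
        Path      = $dll
        Exists    = $exists
        Allowed   = $Allowed -contains $name
        # Older PowerShell versions may not evaluate catalog signatures and can
        # report system DLLs as NotSigned; confirm before treating as a finding.
        Signature = if ($sig) { [string]$sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256    = $hash
    }
}

$report | Format-Table Package, Exists, Allowed, Signature, Signer -AutoSize

# Anything off the allowlist, missing on disk, or without a valid signature
# should be reviewed: it would see every password set on this DC.
$suspect = $report | Where-Object { -not $_.Allowed -or -not $_.Exists -or $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning ("Review these notification packages: " + ($suspect.Package -join ', '))
}
```

Run it on each domain controller, since password changes can be processed by any of them, and keep the recorded SHA256 values as a baseline for later comparison.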