[midPoint] Storing passwords in Midpoint

Stephen Barker sbarker at illinois.edu
Fri Apr 1 20:05:17 CEST 2016


Hi all,

You can change this behaviour for whatever your business needs in midPoint.

We added a hook and a task that hashes the password (in the final state) 
after the passwords are successfully pushed to resources, but does allow 
for them to be kept encrypted for 30 days from the create date of the 
identity to support on-boarding new people (we have a long delay some of 
the time with new people getting into all of our systems). We keep the 
hashed password around because we also have a password history 
requirement; if you did not need such a requirement, you could even 
delete the password if you no longer had a business case for it, just 
make sure your mappings will not push a blank password to your resource.

I appreciate the flexibility (and also relative ease) midPoint offers in 
this area and allows for the customization of how password and other 
data needs to be handled, especially in our environment where business 
rules can be very different for groups of users.

Thanks,
Stephen Barker
Senior Software Engineer - AITS
University of Illinois
sbarker at uillinois.edu
265-0942
--
"we tend to be masters of our own fate, the only thing that stops us 
from doing really cool things is time." -- Monty Oum
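
The lifecycle Stephen describes (keep the reversible form while pushes are outstanding or the identity is inside its 30-day on-boarding window, hash it afterwards, and retain hashes for the history check), as an added illustration that is not midPoint's code nor the hook from the post. The record model, the `HISTORY_DEPTH` of 5 and the PBKDF2 parameters are assumptions; the `reversible` field stands in for midPoint's AES-encrypted value.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import os

ONBOARDING_WINDOW = timedelta(days=30)  # keep the reversible form this long after creation
HISTORY_DEPTH = 5                       # assumption: how many old hashes the history check keeps

def hash_password(password: str) -> str:
    """One-way form kept for history checks: PBKDF2-HMAC-SHA256, random salt, 'salt$dk' hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${dk.hex()}"

def matches(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

@dataclass
class Credential:
    created: datetime
    reversible: str | None                  # stand-in for the AES-encrypted value midPoint stores
    hashed: str | None = None               # present once the password has been finalized
    history: list[str] = field(default_factory=list)
    pending: set[str] = field(default_factory=set)  # resources the password has not reached yet

def finalize(cred: Credential, now: datetime) -> str:
    """Post-push task: drop the reversible form once nothing can still need the cleartext."""
    if cred.pending or now - cred.created < ONBOARDING_WINDOW:
        return "reversible"                 # still provisioning: the cleartext is still needed
    if cred.reversible is not None:
        cred.hashed = hash_password(cred.reversible)
        cred.reversible = None              # only the hash remains from here on
    return "hashed"

def change_password(cred: Credential, new: str, resources: set[str]) -> bool:
    """Reject reuse against the current and past hashes, else rotate and restart provisioning."""
    current = cred.hashed or (hash_password(cred.reversible) if cred.reversible else None)
    if any(matches(new, h) for h in [current, *cred.history] if h):
        return False
    if current:
        cred.history = [current, *cred.history][:HISTORY_DEPTH]
    cred.hashed, cred.reversible, cred.pending = None, new, set(resources)
    return True
```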

On 04/01/2016 12:53 PM, Camilo Viecco1 wrote:
> So why not use a temporary mechanism to push the cleartext password between
> components (memory/pipe/TLS channel)?  Keeping ALL the passwords in
> cleartext is an unnecessary risk; any plans to move away from this?
>
> Camilo
>
> From: midPoint <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> on behalf of Devin
> Rosenbauer <devin at identityworksllc.com <mailto:devin at identityworksllc.com>>
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> Date: Friday, April 1, 2016 at 9:51 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> Subject: Re: [midPoint] Storing passwords in Midpoint
>
> Typically an identity manager needs access to the user's password in
> cleartext so that it can be set on other systems, e.g. setting the
> user's initial password on a new account, etc.
>
> On Fri, Apr 1, 2016 at 12:45 PM, Florin. Stingaciu
> <fstingaciu at mirantis.com <mailto:fstingaciu at mirantis.com>> wrote:
>
>     Hello,
>
>     From my understanding, passwords in Midpoint are encrypted using a
>     256-bit AES key and then stored in the Midpoint DB. I was wondering
>     if there is any sort of hash applied to the password before it's
>     encrypted. If not, is there a purpose for having access to the clear
>     text password?
>
>     Thanks,
>     -F
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201