[midPoint] User initial password

Radovan Semancik radovan.semancik at evolveum.com
Fri Apr 15 10:09:29 CEST 2016


I can explain the error.

A long, long time ago we based the midPoint data model on XML Schemas. 
There were many reasons for this, but the most important one was that 
XSD was (and still somehow is) a one-eyed king among the blind. However, 
XSD is not a perfect fit for what we need. And the XML and XSD 
libraries are even worse (read: absolutely terrible). So we had to make 
compromises. And in the end we have rewritten a good part of the 
XML-processing libraries for our purposes. We have created new 
quasi-primitive types, such as the ProtectedString used for password 
storage. But due to the compromises that we had to make, it is not 
properly detected in all places. E.g. this specific place is a 
mapping. And for various complex reasons the data types inside the 
<value> are not detected correctly and the value will not get encrypted 
during object import as it normally should.

So, currently, there is no practical way to have an encrypted default 
password in the XML and use it in an expression in a mapping. So the hack 
with basic.encrypt(..) is probably the best way to do this now.

This is not really a fault of the midPoint architecture. This is the state 
of the art. Declarative data modeling and representation and code 
generation are big problems now. And no, JSON is not a solution. It does 
not make these things significantly better in any way (although we have 
plans to support JSON and we even have prototype code).

We have a vision and a plan for this. The larger evolution of the 
"prism" and "schema" layers is planned for late 2017 to be part of 
midPoint 4. This should provide a solution to this issue and a lot of 
related issues. It is just not that easy to implement. So we need more 
time to get ready and accumulate the funding.

In the meantime there may be some features that may somehow remedy this 
problem. E.g. use of constants or expression libraries (e.g. 
https://jira.evolveum.com/browse/MID-1327). We have been planning these for a 
long time. But there does not seem to be sufficient demand for these 
things to find their way into the roadmap.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 04/14/2016 04:27 PM, Aivo Kuhlberg wrote:
>
> How can I set the initial password for midPoint 3.3.1 users when I import 
> them from a CSV file? I tried to use something like this in the
> schemaHandling section:
>
>     <credentials>
>         <password>
>             <inbound>
>                 <strength>weak</strength>
>                 <expression>
>                     <value>5ecr3t</value>
>                 </expression>
>             </inbound>
>         </password>
>     </credentials>
>
> but user import fails with the following error:
> Failed to import: java.lang.IllegalStateException: Unencrypted value 
> in field 
> {http://midpoint.evolveum.com/xml/ns/public/common/common-3}value in 
> user:null(test.user5)
>
> Thanks,
> Aivo Kuhlberg


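The basic.encrypt(..) workaround mentioned in the reply, sketched as an added example (not part of the original thread and not Evolveum's own configuration): the inbound mapping from the question, with the literal <value> replaced by a script expression. The <script>/<code> wrapper and Groovy as the script language are assumptions; the password literal is the one from the question.

```xml
<!-- Added example: same mapping as in the question, but the value is
     produced by a script instead of a literal <value> element. -->
<credentials>
    <password>
        <inbound>
            <strength>weak</strength>
            <expression>
                <script>
                    <!-- Assumption: Groovy, midPoint's default script language.
                         basic.encrypt(..) wraps the clear-text string in an
                         encrypted ProtectedString before it reaches the user. -->
                    <code>basic.encrypt('5ecr3t')</code>
                </script>
            </expression>
        </inbound>
    </password>
</credentials>
```

The clear-text literal still sits in the resource definition, so anyone who can read that object can read the default password; only the value stored on the user is encrypted.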