[midPoint] Password Inbound from Database Table

Radovan Semancik radovan.semancik at evolveum.com
Fri Oct 7 19:21:57 CEST 2016


Hi,

Maybe just a couple of clarifications:

Firstly, password is usually considered to be write-only by the ConnId 
connectors. This is the default setting that we have inherited from 
Sun Microsystems. As we are quite keen about compatibility this setting 
was not changed in ConnId. Connectors can override this default setting. 
But only a very few connectors actually do that.

Secondly, the DatabaseTable connector is also inherited from Sun 
Microsystems. The connector is old and it is well ripe for rewrite. I 
would be happy to rewrite it personally. But we were not able to secure 
any funding for this rewrite yet. As far as I know we have never really 
tried to read passwords with this connector, so I'm not sure it is 
capable of reading passwords at all. But you can check by setting TRACE 
log level for org.identityconnectors.framework. That will turn on 
tracing of all connector operations and then you can see if the 
connector is sending the password to midPoint or not.

-- 
Radovan Semancik
Software Architect
evolveum.com
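
The check suggested above, as an added example (not part of the original message and not midPoint or ConnId code): a script that scans a log for TRACE entries from org.identityconnectors.framework and reports whether any returned object carries ConnId's `__PASSWORD__` attribute. The sample log lines are constructed and their layout is an assumption; real output may differ.

```python
import re

FRAMEWORK_LOGGER = "org.identityconnectors.framework"  # package named in the message
PASSWORD_ATTR = "__PASSWORD__"  # ConnId's special attribute name for the password

# Constructed sample log; the line layout is an assumption, real output may differ.
SAMPLE_LOG = """\
2016-10-07 19:00:01,100 [main] DEBUG (com.example.provisioning): starting import
2016-10-07 19:00:01,200 [main] TRACE (org.identityconnectors.framework.api.operations.SearchApiOp): method: search msg:Enter: search(ObjectClass: __ACCOUNT__, null)
2016-10-07 19:00:01,300 [main] TRACE (org.identityconnectors.framework.spi.operations.SearchOp): method: handle msg:Enter: {Uid=Attribute: {Name=__UID__, Value=[101]}, Attributes=[Attribute: {Name=__NAME__, Value=[jdoe]}, Attribute: {Name=fullname, Value=[John Doe]}]}
2016-10-07 19:00:01,400 [main] TRACE (org.identityconnectors.framework.spi.operations.SearchOp): method: handle msg:Enter: {Uid=Attribute: {Name=__UID__, Value=[102]}, Attributes=[Attribute: {Name=__NAME__, Value=[asmith]}, Attribute: {Name=__PASSWORD__, Value=[<guarded value>]}]}
"""

UID_RE = re.compile(r"Name=__UID__, Value=\[([^\]]*)\]")
ATTR_NAME_RE = re.compile(r"Name=([^,}\s]+)")


def framework_trace_lines(log_text):
    """Return only TRACE lines written by the connector framework loggers."""
    return [line for line in log_text.splitlines()
            if " TRACE " in line and "(" + FRAMEWORK_LOGGER in line]


def password_report(log_text):
    """Map each object UID seen in the trace to True if a password came with it."""
    report = {}
    for line in framework_trace_lines(log_text):
        uid = UID_RE.search(line)
        if not uid:
            continue  # operation entry/exit without a connector object
        names = set(ATTR_NAME_RE.findall(line))
        # An object can be logged more than once; one sighting is enough.
        report[uid.group(1)] = report.get(uid.group(1), False) or PASSWORD_ATTR in names
    return report


def verdict(log_text):
    """Separate 'tracing is not on' from 'connector does not return passwords'."""
    if not framework_trace_lines(log_text):
        return "no framework TRACE lines: logging is not configured"
    report = password_report(log_text)
    if not report:
        return "tracing is on, but no connector objects were logged"
    hits = sorted(uid for uid, seen in report.items() if seen)
    if not hits:
        return "connector returned %d object(s), none with a password" % len(report)
    return "password returned for UID(s): " + ", ".join(hits)


if __name__ == "__main__":
    print(verdict(SAMPLE_LOG))
```
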




On 10/07/2016 08:26 AM, Ivan Noris wrote:
>
> Hi Martin,
>
> I have not tried this with DB Table, but for OpenLDAP resource I'm 
> using the following:
>
> 1)
>
> ...
>
>          <credentials><!-- here in my example is no weak, I'm syncing passwords every time! -->
>             <password>
>                <fetchStrategy>explicit</fetchStrategy>
>                <inbound/>
>             </password>
>          </credentials>
> ...
>
> 2)
>
> ...
>
>    <capabilities>
>       <configured xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
>          <cap:credentials>
>             <cap:password>
>                <cap:returnedByDefault>false</cap:returnedByDefault>
>             </cap:password>
>          </cap:credentials>
>       </configured>
> ...
>
> Could you please try if it helps?
>
> Regards,
>
> Ivan
>
> On 10/06/2016 10:55 PM, Martin Marchese wrote:
>> Hi All,
>>
>> We are using a Database table connector (using PostgreSQL 9.5) to 
>> create users into midpoint, and we are facing a problem while we try 
>> to set their password.
>>
>> Connector version is 1.4.2.0 and MidPoint version is 3.4.1
>>
>> We have configured a password policy that complies with all passwords 
>> within the database.
>>
>> Password column is configured correctly in the connector 
>> configuration. I was looking into the samples and I see that every 
>> sample uses the <generate> option as follows:
>>
>> <credentials>
>>    <password>
>>       <outbound/>
>>       <inbound>
>>          <strength>weak</strength>
>>          <expression>
>>             <generate/>
>>          </expression>
>>       </inbound>
>>    </password>
>> </credentials>
>>
>>
>> My first thought was that replacing the expression as follows 
>> would work:
>>
>> <credentials>
>>    <password>
>>       <outbound/>
>>       <inbound>
>>          <strength>weak</strength>
>>          <expression>
>>             <asIs/>
>>          </expression>
>>       </inbound>
>>    </password>
>> </credentials>
>>
>> However, when I run an import or livesync task I receive the 
>> following error:
>>
>> Provided password does not satisfy password policies. Required 
>> minimal size (4) of password is not met (password length: 0)
>>
>> As if the password was not coming from the database. Also, when I 
>> look into the resource object through the UI, the password attribute is 
>> empty.
>>
>> I took a look at this bug just in case: 
>> https://jira.evolveum.com/browse/MID-2405, but it was a different 
>> behavior since for me, it fails with every password I try.
>>
>> Any ideas on what I'm missing here?
>>
>> Thanks in advance.
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com
>> www.identicum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>

