[midPoint] Sync from multiple directories into one global

Radovan Semancik radovan.semancik at evolveum.com
Thu Oct 13 11:19:33 CEST 2016


Hi,

Yes and maybe.

Yes, midPoint can sync almost anything with almost anything else; it 
is just a matter of a connector. We have a good LDAP connector. So if your LDAP 
servers are at least a tiny bit reasonable you should be able to do that 
synchronization, even including things like DN rewriting and value 
transformations. And you can keep those LDAP servers in sync for a long 
time. That's what midPoint is built for.

But when it comes to passwords the answer is "maybe". It may work or it 
might not. All the LDAP servers that I have seen store the passwords in 
a hashed form. That hash is for all practical purposes irreversible. 
While it is usually quite easy to read the hashed value, some servers 
might have trouble storing the hashed values (instead of the cleartext 
password). Some servers require special settings or privileges, others may 
not be able to do it at all. You have to check that with your LDAP 
server. Also, the hashing schemes are only a de-facto agreement implemented 
by some servers; it is not a real standard. So the hashing in your old 
LDAP and new LDAP might not be compatible. And then there is a small 
chance of some potential issues in our LDAP connector and/or midPoint. 
We have done something similar in the past. But it was a different LDAP 
connector then. We haven't tested this with the new LDAP connector, so 
there may be some bugs. But I'm quite confident that we can easily fix 
any bugs there if needed. There may also be some tricks that we have to 
use, so midPoint will not interpret the hash as a cleartext password and 
it won't try to hash it again. But I believe this is possible to do if 
the hash is stored in a custom property, or by using some similar trick.

So, given that your LDAP servers are OK, I'm quite confident that 
midPoint can do this.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 10/06/2016 11:10 AM, Patrick Brunmayr wrote:
>
> Hello
>
> We have multiple departments in our company, each owning its own LDAP 
> tree with accounts. We want to use midPoint as a global IDM and merge 
> them together into one big LDAP tree. So my question is: can we sync data from 
> multiple directories into one big directory? This directory should be 
> used for SSO, so basically passwords should be synced too!
>
> Thank you; Jay
>
>
> LINZ AG für Energie, Telekommunikation, Verkehr und Kommunale Dienste
> A-4021 Linz, Wiener Straße 151, Postfach 1300, Tel. +43/732/3400-0, 
> E-Mail: info at linzag.at
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
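The hash-scheme caveat in the reply above can be checked before a sync is configured. The following is an added example, not midPoint or LDAP-connector code: it parses RFC 2307-style `{SCHEME}` userPassword values, verifies a cleartext against a stored hash (the hash is only ever compared, never reversed), and classifies each source value as copyable, re-hashable by the target, or needing a password reset given the schemes the target server accepts. The scheme table, the `make_hash` helper and the sample entries are assumptions for illustration.

```python
"""Classify LDAP userPassword values before syncing them between directories."""
import base64
import hashlib
import hmac
import os
import re

# RFC 2307-style userPassword syntax: "{SCHEME}" + base64(digest + optional salt).
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$")
# Assumed scheme table: scheme -> (hashlib name, digest bytes, salted?).
_SCHEMES = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
            "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True),
            "SHA256": ("sha256", 32, False), "SSHA256": ("sha256", 32, True)}

def make_hash(cleartext, scheme="SSHA", salt=None):
    """Build a stored value the way a directory server would (helper for samples)."""
    algo, _, salted = _SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, cleartext.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def parse(value):
    """Return (scheme, digest, salt); scheme is None for a cleartext value."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value.encode(), b""
    scheme = m.group(1).upper()
    if scheme not in _SCHEMES:
        raise ValueError("unknown userPassword scheme " + scheme)
    raw = base64.b64decode(m.group(2))
    n = _SCHEMES[scheme][1]
    return scheme, raw[:n], raw[n:]   # salt is whatever follows the digest

def verify(value, cleartext):
    """Compare a cleartext against a stored value; a hash cannot be reversed."""
    scheme, digest, salt = parse(value)
    if scheme is None:
        return hmac.compare_digest(digest, cleartext.encode())
    probe = hashlib.new(_SCHEMES[scheme][0], cleartext.encode() + salt).digest()
    return hmac.compare_digest(probe, digest)

def migration_plan(values, target_schemes):
    """Per DN: 'copy' (target stores this scheme pre-hashed), 'rehash' (cleartext,
    target hashes it on write) or 'reset' (irreversible hash the target can't store)."""
    plan = {}
    for dn, value in values.items():
        scheme = parse(value)[0]
        plan[dn] = ("rehash" if scheme is None
                    else "copy" if scheme in target_schemes else "reset")
    return plan
```

Entries that land in the "reset" bucket are the ones where the source and target hashing schemes are incompatible; since the hash is irreversible, those users need a new password rather than a copied value.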

