[midPoint] Sync from multiple directories into one global
Radovan Semancik
radovan.semancik at evolveum.com
Thu Oct 13 11:48:13 CEST 2016
Hi,
As far as I know OpenLDAP will produce hashes in salted-SHA form, e.g.
{SSHA}xxxxxxxxxx ... or maybe with a different algorithm (depends on
settings), but similar format. I do not have any special experience with
ApacheDS deployment and settings in this area. But my guess would be
that ApacheDS can work with hashes like that. However, this is just a
guess. I would recommend checking that in your testing ApacheDS
deployment. It should be quite easy. Or you can try ApacheDS mailing list.
--
Radovan Semancik
Software Architect
evolveum.com
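To make the compatibility question above concrete, here is a small added example (not part of this thread, not midPoint or ApacheDS code) that parses RFC 2307-style userPassword values such as {SSHA}..., verifies a cleartext password against them, and, before a hash is carried from one directory into another, decides whether the target can take the value as-is, whether it should be parked in a separate attribute so the IDM does not treat it as cleartext and hash it again, or whether it is cleartext that the target should hash itself. The scheme names and the target's accepted-scheme list are assumptions to be checked against the actual servers; the sample values are constructed.

```python
"""Recognise RFC 2307-style userPassword hash values and decide how to carry
them across directories. Added example; not midPoint, OpenLDAP or ApacheDS code."""
import base64
import hashlib
import hmac
import os
import re

# Scheme name -> (hashlib algorithm, salted?). {SHA}/{SSHA}/{MD5}/{SMD5} are the
# RFC 2307 de-facto conventions; the SHA-2 names follow OpenLDAP's pw-sha2 module.
# Which of these a given target server accepts is an assumption to verify there.
_SCHEMES = {
    "SHA": ("sha1", False), "SSHA": ("sha1", True),
    "MD5": ("md5", False), "SMD5": ("md5", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(\S+)$")


def parse_userpassword(value):
    """Return (scheme, digest, salt) for a value in a known scheme, else None.
    Salted values are base64(digest || salt); the digest size of the algorithm
    tells us where the salt starts."""
    m = _SCHEME_RE.match(value)
    if not m or m.group(1).upper() not in _SCHEMES:
        return None
    scheme = m.group(1).upper()
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    dlen = hashlib.new(algo).digest_size
    if salted:
        if len(raw) <= dlen:    # must hold at least one byte of salt
            return None
        return scheme, raw[:dlen], raw[dlen:]
    if len(raw) != dlen:
        return None
    return scheme, raw, b""


def make_hash(password, scheme="SSHA", salt=None):
    """Build a value the way a server would store it (random salt unless one
    is supplied; unsalted schemes ignore the salt)."""
    algo, salted = _SCHEMES[scheme.upper()]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify(password, value):
    """Check a cleartext password against a stored value with a constant-time compare."""
    parsed = parse_userpassword(value)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    algo, _ = _SCHEMES[scheme]
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def classify(value):
    """'cleartext', 'hashed' (known, decodable scheme) or 'hashed-unknown'
    (scheme prefix present, e.g. {CRYPT}, but not one this code decodes).
    Caveat: a literal password shaped like {x}y would be misread as hashed."""
    if not _SCHEME_RE.match(value):
        return "cleartext"
    return "hashed" if parse_userpassword(value) else "hashed-unknown"


def plan_sync(values, target_schemes):
    """For each value decide how it can reach a target that accepts only
    `target_schemes` as pre-hashed input: 'copy' (target understands the
    scheme), 'custom-attribute' (hashed, but not in a scheme the target
    accepts, so keep it where the IDM will not rehash it), or
    'let-target-hash' (cleartext; the target hashes it on write)."""
    accepted = {s.upper() for s in target_schemes}
    plan = []
    for v in values:
        kind = classify(v)
        if kind == "cleartext":
            plan.append((v, "let-target-hash"))
        elif kind == "hashed" and parse_userpassword(v)[0] in accepted:
            plan.append((v, "copy"))
        else:
            plan.append((v, "custom-attribute"))
    return plan


# Constructed sample userPassword values (not taken from any real directory).
SAMPLE_VALUES = [
    "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",             # unsalted SHA-1 of "secret"
    make_hash("secret", "SSHA", salt=b"saltsalt"),    # salted SHA-1, fixed salt
    make_hash("secret", "SSHA256", salt=b"saltsalt"), # salted SHA-256, fixed salt
    "{CRYPT}$6$placeholder$notarealhash",             # scheme this code does not decode
    "plain-text-password",
]

if __name__ == "__main__":
    # Assumed target: accepts only {SHA} and {SSHA} as pre-hashed input.
    for value, action in plan_sync(SAMPLE_VALUES, ["SHA", "SSHA"]):
        print(f"{action:18s} {value}")
```

The decision in `plan_sync` is the check worth running against an export of the source directory before the first synchronization: every value that lands in 'custom-attribute' or 'hashed-unknown' is an account whose password would either be rejected by the target or silently re-hashed into something nobody can log in with.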
On 10/13/2016 11:29 AM, Patrick Brunmayr wrote:
>
> Thank you that helped a lot. I was expecting some kind of answer
> regarding the different password handling in LDAP implementations. My
> primary LDAP is OpenLDAP and I want to transfer it to an ApacheDS.
>
>
> On 13.10.2016 at 11:19, Radovan Semancik wrote:
>> Hi,
>>
>> Yes and maybe.
>>
>> Yes, midPoint can sync almost anything with almost anything else, it's
>> just a matter of connector. We have a good LDAP connector. So if your
>> LDAP servers are at least a tiny bit reasonable you should be able to
>> do that synchronization. Even including things like DN rewriting and
>> value transformations. And you can keep those LDAP servers in sync
>> for a long time. That's what midPoint is built for.
>>
>> But when it comes to passwords the answer is "maybe". It may work or
>> it might not. All the LDAP servers that I have seen store the
>> passwords in hashed form. That hash is for all practical purposes
>> irreversible. While it is usually quite easy to read the hashed
>> value, some servers might have trouble storing the hashed values
>> (instead of cleartext password). Some servers require special
>> settings or privileges, others may not be able to do it at all. You
>> have to check that with your LDAP server. Also the hashing schemes
>> are only a de-facto agreement implemented by some servers, not a
>> real standard. So the hashing in your old LDAP and new LDAP might not
>> be compatible. And then there is a small chance of some potential
>> issues in our LDAP connector and/or midPoint. We have done something
>> similar in the past. But it was a different LDAP connector then. We
>> haven't tested this with the new LDAP connector so there may be some
>> bugs. But I'm quite confident that we can easily fix any bugs there
>> if needed. There may be also some tricks that we have to use, so
>> midPoint will not interpret the hash as a password cleartext and it
>> won't try to hash it again. But I believe this is possible to do if
>> the hash is stored in a custom property. Or by using some similar trick.
>>
>> So, given that your LDAP servers are OK then I'm quite confident that
>> midPoint can do this.
>>
>> --
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>>
>> On 10/06/2016 11:10 AM, Patrick Brunmayr wrote:
>>>
>>> Hello
>>>
>>> We have multiple departments in our company, each owning its own LDAP
>>> tree with accounts. We want to use midPoint as a global IDM and
>>> merge them together into one big LDAP tree. So my question is: can we
>>> sync data from multiple directories into one big directory? This
>>> directory should be used for SSO, so basically passwords should be
>>> synced too!
>>>
>>> Thank you; Jay
>>>
>>>
>>> LINZ AG für Energie, Telekommunikation, Verkehr und Kommunale Dienste
>>> A-4021 Linz, Wiener Straße 151, P.O. Box 1300, Tel. +43/732/3400-0,
>>> E-Mail: info at linzag.at
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> --
>
> *Patrick Brunmayr*
>
> *LINZ AG TELEKOM*
> Infrastructure & Network Engineering
>
> Internet Services
>
> LINZ AG TELEKOM is a business unit of LINZ STROM GmbH
> for power generation, trading, services and telecommunications.
>
> 4021 Linz, Wiener Straße 151, Austria
> Tel.: +43(0)732/3400-5639
> Fax: +43(0)732/3400-155639
> E-Mail: p.brunmayr at linzag.at
> Internet: www.linzag-telekom.at
>
> Commercial register no. FN 199533 g, Regional Court of Linz
>
> Certified according to:
>
> EN ISO 9001 Quality Management (QM)
>
> OHSAS 18001 Occupational Health and Safety Management System
>
> ISO/IEC 27001 Information Security Management System (ISMS)
>