[midPoint] Synchronizing Encrypted User Password

pdbogen at cernu.us
Wed Sep 14 23:34:06 CEST 2016


On Wed, Sep 14, 2016 at 11:37:44AM +0200, Radovan Semancik wrote:
> Hi Patrick,
> 
> On 09/14/2016 01:59 AM, pdbogen at cernu.us wrote:
> > I 100% understand the need for midpoint to be able to access plaintext user
> > passwords, and I want to make this possible; but without needing to actually
> > persist the data on the Midpoint side.
> 
> This is currently not supported in midPoint implementation. It might be 
> possible, but it can be a long and difficult road ...
> 
> I would absolutely love to implement a proper way how to do this. But 
> currently the midPoint team has other priorities. And that's quite 
> unlikely to change at least in the next 6-12 months. The only way how to 
> get this implemented in the near future is to do it yourself or to use 
> subscription or sponsoring: 
> https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
> If you could secure some funding for this feature it should still be 
> possible to change our priorities.

Understood. A small sponsorship _may_ be possible, but I'm sure I'll need a 
functional system to make any kind of case for it. In the meantime, I might 
be able to make some small code contributions if I find an opportunity.

Either way, I'm not expecting any changes in Midpoint to accommodate my 
admittedly unusual deployment, just the occasional bit of advice.

> > Therefore I'd like to sync it to LDAP. I've amended our custom schema to
> > include a very restricted `encryptedPassword` field, and I'd like to sync the
> > midpoint-encrypted password there.
> >
> > I'm having a little bit of trouble accomplishing this, however. It is not
> > clear to me how I can reliably obtain a serializable value from
> > $user/credentials/password/value.
> >
> > I was hoping to use getClearValue(), but that seems to usually be null (see
> > also MID-3399). It seems non-trivial to get the serializable encrypted value,
> > which is a three-member class. I suppose I could create three fields, but I'd
> > rather at least serialize it as JSON or something; but the groovy environment
> > doesn't seem to have JSON support, as far as I can tell.
> 
> I'm not entirely sure that I understand what you are looking for. 

This may be where I was overthinking it: I want to store the midpoint 
encrypted password in LDAP, so on initial synchronization, when I create users 
from LDAP accounts, those users will already have midpoint passwords set. I 
did not, however, want to store the password in LDAP unencrypted.

> $user/credentials/password/value is ProtectedString. And that is 
> serializable. So if you define your encryptedPassword as 
> ProtectedStringType then all you need is to copy the whole 
> $user/credentials/password/value.

Here's the error I get when I just do a plain:

      <attribute>
        <ref>ri:encryptedPassword</ref>
        <outbound><source><path>$user/credentials/password/value</path></source></outbound>
        <inbound><target><path>$user/credentials/password/value</path></target></inbound>
      </attribute>

Upon attempting to change a User password:

    java.lang.IllegalArgumentException: Expected class [B type, but got class java.lang.String in outbound mapping for {.../resource/instance-3}encryptedPassword in resource:2a7c7130-7a34-11e4-bdf6-001e8c717e5b(OpenLDAP)

So either the whole `value` is a String but that field requires a byte array; 
or vice versa.

Thanks!
-- 
             .
Patrick Bogen .
            ...
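The exchange above turns on two points: the outbound mapping must hand the connector a byte array (the `[B` in the error) rather than a String, and only the encrypted members of the ProtectedString should ever reach the directory. The following is an added example, not code from the thread or from midPoint, showing one way to flatten the three encrypted members (keyName, algorithm, cipherValue) into a single bytes value and back, refusing any value that carries a clearValue. The element names and the types-3 namespace are assumed from midPoint's prism schema; the sample value is constructed.

```python
# Added example: flatten a midPoint ProtectedStringType into bytes for a binary
# LDAP attribute and rebuild it. Element names/namespace assumed from the prism
# types-3 schema; SAMPLE_* values below are constructed, not real midPoint output.
import base64
import json
import xml.etree.ElementTree as ET

T_NS = "http://prism.evolveum.com/xml/ns/public/types-3"  # assumed prism types namespace


def _t(tag: str) -> str:
    return f"{{{T_NS}}}{tag}"


def protected_string_to_ldap_bytes(xml_text: str) -> bytes:
    """Return keyName, algorithm and cipherValue as a JSON document in bytes.

    Raises ValueError if the value holds a clearValue (plaintext must never be
    written to the directory) or if any of the three encrypted members is missing.
    """
    root = ET.fromstring(xml_text)
    if root.find(_t("clearValue")) is not None:
        raise ValueError("refusing to export a ProtectedString that holds a clear value")
    enc = root.find(_t("encryptedData"))
    if enc is None:
        raise ValueError("no encryptedData element")
    key_name = enc.findtext(f"{_t('keyInfo')}/{_t('keyName')}")
    algorithm = enc.findtext(f"{_t('encryptionMethod')}/{_t('algorithm')}")
    cipher_value = enc.findtext(f"{_t('cipherData')}/{_t('cipherValue')}")
    if not (key_name and algorithm and cipher_value):
        raise ValueError("encryptedData is missing keyName, algorithm or cipherValue")
    base64.b64decode(cipher_value, validate=True)  # cipherValue must be well-formed base64
    record = {"keyName": key_name, "algorithm": algorithm, "cipherValue": cipher_value}
    return json.dumps(record, sort_keys=True).encode("utf-8")  # bytes, i.e. a Java byte[]


def ldap_bytes_to_protected_string(raw: bytes) -> str:
    """Rebuild the ProtectedStringType XML from the bytes stored in LDAP."""
    record = json.loads(raw.decode("utf-8"))
    enc = ET.Element(_t("encryptedData"))
    ET.SubElement(ET.SubElement(enc, _t("encryptionMethod")), _t("algorithm")).text = record["algorithm"]
    ET.SubElement(ET.SubElement(enc, _t("keyInfo")), _t("keyName")).text = record["keyName"]
    ET.SubElement(ET.SubElement(enc, _t("cipherData")), _t("cipherValue")).text = record["cipherValue"]
    value = ET.Element("value")
    value.append(enc)
    return ET.tostring(value, encoding="unicode")


# Constructed sample: the shape of an encrypted value; the ciphertext is dummy base64.
_DUMMY_CIPHER = base64.b64encode(b"constructed-ciphertext-bytes").decode("ascii")
SAMPLE_ENCRYPTED = (
    f'<value xmlns:t="{T_NS}"><t:encryptedData>'
    "<t:encryptionMethod><t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm></t:encryptionMethod>"
    "<t:keyInfo><t:keyName>EXAMPLE-KEY-NAME</t:keyName></t:keyInfo>"
    f"<t:cipherData><t:cipherValue>{_DUMMY_CIPHER}</t:cipherValue></t:cipherData>"
    "</t:encryptedData></value>"
)
SAMPLE_CLEAR = f'<value xmlns:t="{T_NS}"><t:clearValue>hunter2</t:clearValue></value>'
```

The bytes returned are only ever ciphertext plus key metadata, so LDAP holds nothing usable without midPoint's keystore.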