[midPoint] Construct Password for SASL Pass Through
Brad Firestone
bhotrock at gmail.com
Fri May 5 21:44:38 CEST 2017
Hi All,
I have one certain group of users that will be provisioned on an
OpenLDAP resource. This group of users needs to use SASL Pass Through
to Active Directory, so the password stored in OpenLDAP userPassword
attribute will be in the format of:
{SASL}user at example.com
Here's some information about SASL Pass Through:
https://ltb-project.org/documentation/general/sasl_delegation
I have this configured and working, if I enter the password directly
into OpenLDAP. But I need to have midPoint enter this value automatically.
I can easily construct this value using Groovy, but because it's a
"password", I can't seem to work with it in midPoint like other
attributes. Here are the things I've tried:
1. Tried to generate it using an outbound expression in <credentials>
for the OpenLDAP resource.
<credentials>
<password>
<outbound>
<source>
<path>$user/name</path>
</source>
<expression>
<script>
<code>'{SASL}' + name</code>
</script>
</expression>
</outbound>
</password>
</credentials>
This doesn't throw any errors, but I don't know if it's really
generating the right value, because when it stores the password on the
resource, it hashes it, like normal. And the pass through function
doesn't work.
2. I tried to bypass the password hashing function by generating the
needed value in the User Template, and storing it in midPoint
$user/costCenter. I then tried to use outbound mapping in a Role to map
$user/costCenter to ri:userPassword. That gave an error of:
Attribute
{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}userPassword
not found in schema for account type default, resource: Account Testing
OpenLDAP (OID:d0811790-1d80-11e4-86b2-3c970e467874) as definied in role:
HQ-User (OID:880f1186-2f77-11e7-93c2-bfabd497cae2).
userPassword is the attribute used in the OpenLDAP resource, but I'm
guessing it's not treated like other attributes.
Is there anyway to pass a "plain text" value to a resource userPassword
attribute? If so, then I will need to do this for only ONE set of
users. The rest of the user accounts on that resource need to be
handled in a normal way.
Thanks for any suggestions!
Brad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170505/5232225d/attachment.htm>
More information about the midPoint
mailing list