[midPoint] Construct Password for SASL Pass Through

Brad Firestone bhotrock at gmail.com
Fri May 5 21:55:23 CEST 2017


I thought I might add an explanation of why I am doing this.  There may 
be a better or different way of accomplishing the same thing.

We are pulling users into midPoint from several different authoritative 
resources, both OpenLDAP and Active Directory.  Then we need to 
provision accounts on various other resources, including OpenLDAP.

Since it appears there's not any way to get passwords directly from AD, 
we're looking for a way to get the AD passwords replicated into an 
OpenLDAP resource.  I couldn't find a good way to do that, so decided to 
try SASL Pass Through.

If anyone has suggestions on how to get the AD passwords into OpenLDAP, 
that would be great and solve my problem.  This particular group of 
users will NOT need access to midPoint, so I don't really need the 
password in midPoint.

Thanks!
Brad
> Hi All,
>
> I have one certain group of users that will be provisioned on an 
> OpenLDAP resource.  This group of users needs to use SASL Pass Through 
> to Active Directory, so the password stored in OpenLDAP userPassword 
> attribute will be in the format of:
> {SASL}user@example.com
> Here's some information about SASL Pass Through: 
> https://ltb-project.org/documentation/general/sasl_delegation
>
> I have this configured and working, if I enter the password directly 
> into OpenLDAP.  But I need to have midPoint enter this value 
> automatically.
>
> I can easily construct this value using Groovy, but because it's a 
> "password", I can't seem to work with it in midPoint like other 
> attributes.  Here are the things I've tried:
>
> 1.  Tried to generate it using an outbound expression in <credentials> 
> for the OpenLDAP resource.
> <credentials>
>     <password>
>         <outbound>
>             <source>
>                 <path>$user/name</path>
>             </source>
>             <expression>
>                 <script>
>                     <code>'{SASL}' + name</code>
>                 </script>
>             </expression>
>         </outbound>
>     </password>
> </credentials>
>
> This doesn't throw any errors, but I don't know if it's really 
> generating the right value, because when it stores the password on the 
> resource, it hashes it, like normal.  And the pass through function 
> doesn't work.
>
> 2.  I tried to bypass the password hashing function by generating the 
> needed value in the User Template, and storing it in midPoint 
> $user/costCenter.  I then tried to use outbound mapping in a Role to 
> map $user/costCenter to ri:userPassword.  That gave an error of:
> Attribute 
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}userPassword 
> not found in schema for account type default, resource: Account 
> Testing OpenLDAP (OID:d0811790-1d80-11e4-86b2-3c970e467874) as 
> definied in role: HQ-User (OID:880f1186-2f77-11e7-93c2-bfabd497cae2).
> userPassword is the attribute used in the OpenLDAP resource, but I'm 
> guessing it's not treated like other attributes.
>
> Is there any way to pass a "plain text" value to a resource 
> userPassword attribute?  If so, then I will need to do this for only 
> ONE set of users.  The rest of the user accounts on that resource need 
> to be handled in a normal way.
>
> Thanks for any suggestions!
> Brad
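An added example, not from the thread or from midPoint: a small audit that tells whether the value that actually landed in an entry's userPassword is the {SASL}user@realm marker the pass-through needs, or was hashed on the way (what point 1 above describes). The realm example.com, the account names and the hash in the sample are constructed.

```python
import re

# userPassword values carry an RFC 2307 style {SCHEME} prefix: {SSHA}... for a
# hash, {SASL}user@realm for the marker that makes slapd delegate the bind.
SCHEME_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9-]+)\}(?P<rest>.*)$", re.DOTALL)
SASL_REALM = "example.com"  # assumed realm, used only by the constructed sample


def build_sasl_value(name, realm=SASL_REALM):
    """Return the {SASL}user@realm marker that must be written verbatim."""
    if not name or any(ch.isspace() for ch in name) or "@" in name:
        raise ValueError("unusable account name for SASL pass-through: %r" % name)
    return "{SASL}%s@%s" % (name, realm)


def classify_user_password(value):
    """'sasl' for a pass-through marker, 'hashed' for any other {SCHEME},
    'cleartext' when there is no prefix at all."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"
    return "sasl" if m.group("scheme").upper() == "SASL" else "hashed"


def audit_entries(entries, realm=SASL_REALM):
    """Map uid -> status for uid -> stored userPassword pairs.
    'ok' means the marker matches build_sasl_value(uid); anything else means
    the bind for that account will not be delegated to AD."""
    report = {}
    for uid, stored in entries.items():
        kind = classify_user_password(stored)
        if kind != "sasl":
            report[uid] = kind                      # hashed by the mapping, or cleartext
        elif stored == build_sasl_value(uid, realm):
            report[uid] = "ok"
        else:
            report[uid] = "sasl-mismatch"          # marker present but wrong user/realm
    return report


# Constructed sample of userPassword values read back after a midPoint sync:
# one correct marker, one hashed by the outbound mapping, one marker with the
# wrong realm.
SAMPLE_ENTRIES = {
    "bfirestone": "{SASL}bfirestone@example.com",
    "jdoe": "{SSHA}L9p3Z0t5q3s2fA8uKx9H1vW4mZ2cQ7bB",
    "asmith": "{SASL}asmith@corp.example",
}
```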
