[midPoint] Compare new password to current

Ivan Noris ivan.noris at evolveum.com
Tue Apr 17 10:18:38 CEST 2018


Hi Esteban,

maybe there is a different approach. The credentials/password mapping
can have a channel restriction so that it will be evaluated for example
only when the password is being changed from GUI.

I have never seen the plugin. If you have the notifications turned on
(e.g. redirected to a file) you can see what the channel is, as it is
printed in the notification.

Or another idea: you can check the actor variable in the mapping
condition. If the actor is "xxx" the password will not be pushed to AD
again.

One example of using actor (it's from object template):

        <condition>
                <script>
                        <code>(actor != null && actor?.name == user?.name)</code>
                </script>
        </condition>

This was a condition to check if the actor (the user executing action)
is the same as the user (the user on which the action is executed).
Basically a dirty check if user is working in self-service.

Remember the actor variable is an object, so you need e.g. actor.name to
have the username. If the plugin is authenticating to midPoint using a
dedicated user, this might work. Like "actor != null && actor?.name ==
'dedicatedusername'" ...

Regards,

Ivan


On 17.04.2018 00:04, Jeria, Esteban wrote:
> Hi,
>
> We have an Active Directory plugin synchronizing the password changes from AD to midPoint through SOAP services, but given that we also have an AD connector, any change on midPoint is automatically sent back to the resource, creating an infinite loop.
> The solution seems to be to compare the current password to the new one and if they are the same just to ignore the change on midPoint.
> So, what would be the best way to intercept this change, and what are the attributes to check?
>
> Esteban Jeria
> esteban.jeria at cgi.com
> Conseiller CGI / CGI Consultant
> Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management
> 514-415-3000 ext.1018296
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
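The following is an added illustration, not code from Ivan's message or from the midPoint project, of how the actor check above could be placed in the AD resource's outbound password mapping so that a change pushed in by the sync plugin is not sent back to AD; the service account name ad-password-sync and the channel URIs in the comment are assumptions, and the real channel string should be read from the notification output as suggested above.

```xml
<!-- Added example (not from the mailing-list post). Fragment of the AD
     resource definition: schemaHandling/objectType/credentials/password.
     The account name 'ad-password-sync' is an assumed placeholder. -->
<credentials>
    <password>
        <outbound>
            <!-- Alternative to the condition below: restrict the mapping to
                 interactive GUI changes only. The URI is an assumption; take
                 the exact value from a notification of a GUI password change.
            <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channel>
            -->
            <condition>
                <script>
                    <code>
                        // Mapping applies (password is pushed to AD) unless the
                        // change was made by the dedicated account the AD plugin
                        // authenticates as over SOAP. actor is an object, so the
                        // username is taken from its name (a PolyString, .orig).
                        actor == null || actor.name?.orig != 'ad-password-sync'
                    </code>
                </script>
            </condition>
            <expression>
                <asIs/>
            </expression>
        </outbound>
    </password>
</credentials>
```

Either the channel restriction or the actor condition alone breaks the loop; using the actor condition keeps other legitimate channels (imports, self-service) able to push passwords to AD.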