[midPoint] How to set AD password from Midpoint?

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Thu Jan 18 19:02:59 CET 2018


Forgot to reply to this, I got it working with the credentials tag, thanks!
I had to use the explicit fetchStrategy, or it wouldn't work.

I generated the password instead of replicating it from Midpoint, like this:

         <credentials>
            <password>
               <fetchStrategy>explicit</fetchStrategy>
               <outbound>
                  <authoritative>false</authoritative>
                  <exclusive>false</exclusive>
                  <strength>weak</strength>
                  <expression>
                     <generate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="c:GenerateExpressionEvaluatorType">
                        <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
                     </generate>
                  </expression>
               </outbound>
            </password>
         </credentials>
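As an added example (not code from this thread and not part of midPoint), the following Python check parses a resource definition and flags the three things the thread settled on: a password written as a plain ri:userPassword attribute mapping instead of under credentials/password, a credentials/password mapping without the explicit fetchStrategy, and a connection that is not SSL (or StartTLS). It also flags a literal password value, since a placeholder literal gives every provisioned account the same password. Elements are matched by local name, so the namespace prefixes (c:, ri:, ...) do not matter; the two sample resources are constructed and abbreviated to the parts the checks inspect, their namespace URIs are placeholders, and the connectionSecurity property name is assumed from the Evolveum LDAP connector configuration.

```python
"""Check a midPoint resource definition for the AD password pitfalls from this thread.

Added example, not part of the thread or of midPoint. Elements are matched by local
name so namespace prefixes do not matter; the sample resources below are constructed.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the '{namespace}' part ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem) -> str:
    return (elem.text or "").strip()


def _literal_values(mapping) -> list:
    """<expression><value>..</value></expression> under any outbound of this mapping."""
    return [v for ob in _children(mapping, "outbound")
            for ex in _children(ob, "expression")
            for v in _children(ex, "value")]


def lint_ad_password_config(xml_text: str) -> list:
    """Return one finding per problem; an empty list means the config looks sane."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. userPassword handled as an ordinary attribute mapping (the original poster's
    #    config): AD answers WILL_NOT_PERFORM, the mapping belongs under credentials.
    for attr in _descendants(root, "attribute"):
        ref = _children(attr, "ref")
        if ref and _text(ref[0]).endswith("userPassword") and _children(attr, "outbound"):
            findings.append("userPassword is mapped as a plain attribute; "
                            "move the outbound mapping under credentials/password")
            if _literal_values(attr):
                findings.append("literal password value in userPassword mapping")

    # 2. credentials/password mapping: present, with explicit fetchStrategy.
    passwords = [p for c in _descendants(root, "credentials") for p in _children(c, "password")]
    if not passwords:
        findings.append("no credentials/password mapping found")
    for pw in passwords:
        fs = _children(pw, "fetchStrategy")
        if not fs or _text(fs[0]) != "explicit":
            findings.append("credentials/password lacks <fetchStrategy>explicit</fetchStrategy>")
        if _literal_values(pw):
            findings.append("literal password value in credentials/password mapping")

    # 3. Transport: AD only accepts password writes over an encrypted connection.
    #    Property name assumed from the Evolveum LDAP connector configuration.
    sec = _descendants(root, "connectionSecurity")
    if not sec or _text(sec[0]).lower() not in ("ssl", "starttls"):
        findings.append("connectionSecurity is not ssl or starttls; "
                        "AD refuses password operations over plain LDAP")
    return findings


# Constructed samples (abbreviated; placeholder namespace URIs so the XML parses).
BAD_RESOURCE = """<resource xmlns="urn:example:midpoint" xmlns:c="urn:example:midpoint"
          xmlns:ri="urn:example:ri" xmlns:conn="urn:example:ldap-connector">
  <connectorConfiguration>
    <conn:connectionSecurity>none</conn:connectionSecurity>
    <conn:port>389</conn:port>
  </connectorConfiguration>
  <schemaHandling><objectType>
    <attribute>
      <c:ref>ri:userPassword</c:ref>
      <fetchStrategy>explicit</fetchStrategy>
      <outbound><expression><value>Placeholder-Pass-2018*</value></expression></outbound>
    </attribute>
  </objectType></schemaHandling>
</resource>"""

GOOD_RESOURCE = """<resource xmlns="urn:example:midpoint" xmlns:c="urn:example:midpoint"
          xmlns:conn="urn:example:ldap-connector">
  <connectorConfiguration>
    <conn:connectionSecurity>ssl</conn:connectionSecurity>
    <conn:port>636</conn:port>
  </connectorConfiguration>
  <schemaHandling><objectType>
    <credentials><password>
      <fetchStrategy>explicit</fetchStrategy>
      <outbound>
        <strength>weak</strength>
        <expression><generate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="c:GenerateExpressionEvaluatorType">
          <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
        </generate></expression>
      </outbound>
    </password></credentials>
  </objectType></schemaHandling>
</resource>"""

if __name__ == "__main__":
    for name, xml in (("bad", BAD_RESOURCE), ("good", GOOD_RESOURCE)):
        print(name, lint_ad_password_config(xml) or ["OK"])
```

Run against a full resource export, the "bad" sample reproduces the four findings behind the original question (plain attribute mapping, literal value, no credentials mapping, plain LDAP), while the "good" sample, which mirrors the configuration above, comes back clean.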

2018-01-04 6:11 GMT-02:00 Petr Gašparík - AMI Praha a.s. <petr.gasparik at ami.cz>:

> Hi, as Oleksandr says, AD disallows manipulating userPassword
> directly. Instead, the credentials tag is used.
> Also, SSL is a must.
>
> In general, WILL_NOT_PERFORM is almost always a wrongly set password - in
> our cases mostly a policy violation (weak, missing or badly set password)
>
> Petr
>
> --
>
> with regards
>
> Petr Gašparík
> solution architect
>
> gsm: [+420] 603 523 860
> e-mail: petr.gasparik at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> By the text of this e-mail the signatory neither promises to conclude nor concludes
> any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be exclusively in written form.
>
>
> 2018-01-04 8:39 GMT+01:00 Oleksandr Nekriach <o.nekriach at dynatech.lv>:
>
>> Hello,
>> It is strange, I was sure that the problem is in SSL.
>> See
>> Known Causes
>> - This is caused when you don't use SSL in your LDAP connection and AD
>> enforces SSL connection.
>> - There are password policies in the AD environment
>>
>> In my Midpoint instance I don't use a "direct" outbound mapping for
>> userPassword.
>> Instead, I use
>>
>>          <credentials>
>>             <password>
>>                <outbound>
>>                   <expression>
>>                      <asIs xsi:type="c:AsIsExpressionEvaluatorType"/>
>>                   </expression>
>>                </outbound>
>>             </password>
>>          </credentials>
>>
>> On 4 January 2018 at 02:00, Alcides Carlos de Moraes Neto
>> <alcides.neto at gmail.com> wrote:
>> > Hello,
>> >
>> > Yes, I'm using ldaps.
>> >
>> > 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach <o.nekriach at dynatech.lv>:
>> >>
>> >> Happy new year!
>> >> Hi Alcides,
>> >> Do you use secure communication for AD connection (ldaps) or not?
>> >> Some AD settings do not allow managing the password via open
>> >> communications.
>> >> I had a similar issue a few years ago with the Oracle connector ;)
>> >>
>> >> Regards, Oleksandr
>> >>
>> >>
>> >> On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto
>> >> <alcides.neto at gmail.com> wrote:
>> >> > Hello list,
>> >> >
>> >> > I'm trying to create AD users from Midpoint. I'm getting the 53
>> >> > WILL_NOT_PERFORM error, which seems to be related to the password
>> >> > policy.
>> >> > The AD I'm using does have a password policy.
>> >> >
>> >> > So I'm trying to set some literal, strong password as a placeholder, but I
>> >> > don't think my mapping is working. How should I configure it? I cannot find
>> >> > any examples. Below are the error I get and the password outbound mapping.
>> >> >
>> >> > com.evolveum.midpoint.util.exception.SystemException: Got unexpected
>> >> > exception:
>> >> >
>> >> > org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> >> > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local:
>> >> > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003
>> >> > (WILL_NOT_PERFORM), data 0?? (53)
>> >> >
>> >> > <attribute>
>> >> >    <c:ref>ri:userPassword</c:ref>
>> >> >    <tolerant>true</tolerant>
>> >> >    <exclusiveStrong>false</exclusiveStrong>
>> >> >    <fetchStrategy>explicit</fetchStrategy>
>> >> >    <outbound>
>> >> >       <authoritative>true</authoritative>
>> >> >       <exclusive>false</exclusive>
>> >> >       <strength>normal</strength>
>> >> >       <expression>
>> >> >          <value>Midpoint2018*</value>
>> >> >       </expression>
>> >> >    </outbound>
>> >> > </attribute>
>> >> >
>> >> >
>> >> > Thanks and happy new year to all =)
>> >> >
>> >> > _______________________________________________
>> >> > midPoint mailing list
>> >> > midPoint at lists.evolveum.com
>> >> > http://lists.evolveum.com/mailman/listinfo/midpoint
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Best regards,
>> >>
>> >> Oleksandr Nekriach | Identity and access management engineer
>> >>
>> >> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>> >>
>> >> +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv
>> >>
>> >> Confidentiality Notice: This message contains confidential information
>> >> and is intended only for the named recipient(s). If you are not the
>> >> addressee you may not copy, distribute or perform any other activities
>> >> with this information. If you have received this transmission in
>> >> error, please notify us by e-mail immediately. E-mail transmission
>> >> cannot be guaranteed to be secure or error-free as information could
>> >> be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
>> >> or contain viruses.
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>
>
>
>
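The error in the original question can be decoded instead of guessed at: the leading hex field of an AD unwillingToPerform diagnostic is a Win32 error code, and 0000052D is ERROR_PASSWORD_RESTRICTION, which is exactly the policy violation Petr describes. The following Python helper is an added example, not code from this thread or from midPoint. It pulls the Win32 code, the DSID, the problem label and the trailing LDAP result code out of the message and looks the Win32 code up in a small table taken from the public Win32 error list (codes outside the table are reported as unknown). The first sample line is the one quoted in the thread with the unreadable bytes after "data 0" dropped; the second is constructed, with a placeholder DSID.

```python
"""Decode Active Directory 'unwillingToPerform' diagnostic strings.

Added example, not code from the thread or from midPoint. The Win32 code table is a
small subset of the public Win32 error list; unknown codes are reported as such.
"""
import re

# Win32 error code (leading hex field of the diagnostic) -> (name, meaning).
WIN32_CODES = {
    0x052D: ("ERROR_PASSWORD_RESTRICTION",
             "new password violates the domain length, complexity or history policy"),
    0x0532: ("ERROR_PASSWORD_EXPIRED", "the account password has expired"),
    0x0533: ("ERROR_ACCOUNT_DISABLED", "the account is disabled"),
    0x0773: ("ERROR_PASSWORD_MUST_CHANGE", "the password must be changed before first use"),
    0x0775: ("ERROR_ACCOUNT_LOCKED_OUT", "the account is locked out"),
    0x2035: ("ERROR_DS_UNWILLING_TO_PERFORM", "generic directory refusal"),
}

# LDAP result codes that appear in the trailing "(NN)" of these messages.
LDAP_RESULT_CODES = {19: "constraintViolation", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}

# "%08X: SvcErr: DSID-xxxx, problem NNNN (LABEL), data N" as AD formats it.
DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<label>[A-Z_]+)\), data (?P<data>[0-9A-Fa-f]+)")
TRAILING_RESULT_RE = re.compile(r"\((\d+)\)\s*$")


def decode_ad_diagnostic(text: str):
    """Return a dict describing the diagnostic embedded in text, or None if there is none."""
    m = DIAG_RE.search(text)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    name, meaning = WIN32_CODES.get(code, ("UNKNOWN", "code not in this example's table"))
    tail = TRAILING_RESULT_RE.search(text.rstrip())
    ldap_result = int(tail.group(1)) if tail else None
    return {
        "win32": code,
        "win32_name": name,
        "meaning": meaning,
        "kind": m.group("kind"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "label": m.group("label"),
        "ldap_result": ldap_result,
        "ldap_result_name": LDAP_RESULT_CODES.get(ldap_result, "unknown"),
    }


def password_policy_rejection(text: str) -> bool:
    """True when AD rejected a password for policy reasons (Win32 0x52D)."""
    d = decode_ad_diagnostic(text)
    return d is not None and d["win32"] == 0x052D


# Sample 1 is the line quoted in the thread (unreadable bytes after "data 0" dropped);
# sample 2 is constructed for the example and uses a placeholder DSID.
THREAD_ERROR = ("Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: "
                "unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 "
                "(WILL_NOT_PERFORM), data 0 (53)")
CONSTRUCTED_ERROR = ("unwillingToPerform: 00000775: SvcErr: DSID-00000000, problem 5003 "
                     "(WILL_NOT_PERFORM), data 0 (53)")

if __name__ == "__main__":
    for line in (THREAD_ERROR, CONSTRUCTED_ERROR, "no diagnostic here"):
        d = decode_ad_diagnostic(line)
        print("no AD diagnostic" if d is None else f"{d['win32_name']}: {d['meaning']}")
```

The LDAP result code (53) and the label WILL_NOT_PERFORM are the same for every refusal, so they alone do not tell a policy violation apart from a locked-out or disabled account; the Win32 code at the front of the message does, and that is the field worth extracting when triaging provisioning failures in midPoint logs.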