[midPoint] LDAP connector seems to hide userPassword attribute

Pascal PÉRICHON pascal.perichon at u-paris.fr
Thu Jun 3 12:32:36 CEST 2021


Hi,

We use OpenLDAP and the LDAP connector in midPoint 4.0.1. midPoint is 
configured to store hashed passwords (PBKDF2WithHmacSHA512).

In OpenLDAP we use PBKDF2WithHmacSHA512 to store our hashed passwords.

The midPoint LDAP connector seems to hide the userPassword attribute 
(from any object class: person, organization or organizationalUnit).

Is that right?

If yes, how can we map userPassword in a midPoint resource?


The context:

- midPoint can send passwords to LDAP in clear text, or as an MD5, 
SMD5, SHA-1 or SSHA-1 hash (but not PBKDF2WithHmacSHA512). We understand 
the technical limitation.

- midPoint seems to send the password/hash to LDAP only when the user 
modifies his password in the "activation/credential" mapping (we want to 
recreate LDAP accounts from scratch with the hashed passwords stored in 
midPoint)

- the PBKDF2 for OpenLDAP library uses an "original" message format for 
the userPassword attribute, with "Adapted Base64" (without padding and 
with "." instead of "+")

- we don't want to use the LDAP server to hash passwords (maybe it's 
easier to bring the hash back into midPoint?)

- we don't want to use midPoint to check passwords for LDAP


Thanks a lot
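As an added example (not code from the original post, midPoint or the OpenLDAP module), the following Python produces and verifies a userPassword value in the "adapted Base64" layout the PBKDF2-for-OpenLDAP module uses: `{PBKDF2-SHA512}<iterations>$<ab64(salt)>$<ab64(key)>`. The 10000-iteration default, 16-byte salt and 64-byte key length assumed here are those of that module; the function names and the `SCHEME` constant are my own.

```python
import base64
import hashlib
import hmac
import os

# Layout of the OpenLDAP pw-pbkdf2 module (assumed here, not from the post):
#   {PBKDF2-SHA512}<iterations>$<ab64(salt)>$<ab64(derived key)>
SCHEME = "{PBKDF2-SHA512}"
DEFAULT_ITERATIONS = 10000   # module default
SALT_LEN = 16                # module salt size
DK_LEN = 64                  # SHA-512 output size used by the module


def ab64_encode(raw: bytes) -> str:
    """Adapted base64: standard alphabet with '+' -> '.', '=' padding stripped."""
    return base64.b64encode(raw).decode("ascii").replace(".", ".").replace("+", ".").rstrip("=")


def ab64_decode(text: str) -> bytes:
    """Reverse of ab64_encode: restore '+' and the padding standard decoders need."""
    std = text.replace(".", "+")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def make_userpassword(password: str, salt: bytes = None,
                      iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a clear-text password into a stored userPassword value."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"{SCHEME}{iterations}${ab64_encode(salt)}${ab64_encode(dk)}"


def parse_userpassword(stored: str):
    """Split a stored value into (iterations, salt bytes, derived-key bytes)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a PBKDF2-SHA512 userPassword value")
    iterations, salt, dk = stored[len(SCHEME):].split("$")
    return int(iterations), ab64_decode(salt), ab64_decode(dk)


def verify_userpassword(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt/iterations and compare in constant time."""
    iterations, salt, expected = parse_userpassword(stored)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                    iterations, len(expected))
    return hmac.compare_digest(candidate, expected)
```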


