[midPoint] Set resource attribute pwdReset when password changed in Midpoint GUI by IDM admin
Frédéric Lohier
frederic at lohier.org
Wed Mar 31 16:13:12 CEST 2021
Hello,
*I would like to set the OpenLDAP attribute « pwdReset » only when the
user's password attribute is modified in the midPoint GUI by an IDM admin*.
I first came up with the following mapping, conditioned by
<channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
(that's a start, but not enough) and a <condition> which returns true only
if the $user/credentials/password/metadata contains
http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user.
This technically works, but it seems that the metadata for the password
attribute is written *after* the mapping is applied, so this does not work
as expected. Here is the mapping for reference:
<attribute>
    <ref>ri:pwdReset</ref>
    <tolerant>false</tolerant>
    <outbound>
        <!-- Only evaluate this mapping for changes made through the midPoint GUI -->
        <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
        <strength>strong</strength>
        <source>
            <!-- The last path segment becomes the script variable name: metadata -->
            <path>$user/credentials/password/metadata</path>
        </source>
        <expression>
            <value>TRUE</value>
        </expression>
        <condition>
            <script>
                <code>
                    // Groovy: the string literal must stay on one line
                    userchannel = "http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user"
                    // True only if the password metadata records the GUI channel;
                    // metadata may be null on first evaluation, hence the safe navigation
                    if (metadata?.modifyChannel == userchannel) {
                        return true
                    } else {
                        return false
                    }
                </code>
            </script>
        </condition>
    </outbound>
</attribute>
The second solution I have thought of is to have two outbound mappings of
the password, conditioned by channel: if channel=#user, then I set the
pwdReset attribute =TRUE in the resource.
My question is: *how can I set the resource attribute pwdReset in the
context of the password mapping?*
Here is the draft of the second mapping for reference:
<credentials>
    <password>
        <outbound>
            <name>Password and pwdReset (to force the password reset by user)</name>
            <strength>strong</strength>
            <!-- Applies only to password changes made in the midPoint GUI -->
            <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
            <source>
                <path>$projection/attributes/ri:pwdReset</path>
            </source>
            <expression>
                <script>
                    <code>
                        // If the password modification comes from a midPoint admin
                        // (channel #user), then we set the OpenLDAP pwdReset attribute
                        // to TRUE (this will force the user to reset his password).
                        // Open question: how to set ri:pwdReset to TRUE in the LDAP
                        // resource from here?
                        // Then we return the password value anyway
                        return input
                    </code>
                </script>
            </expression>
        </outbound>
        <outbound>
            <name>Simple password mapping</name>
            <description>We apply this mapping every time, except if the
                modification is done on the midPoint GUI (by an IDM admin)</description>
            <strength>strong</strength>
            <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</exceptChannel>
        </outbound>
        <inbound/>
    </password>
</credentials>
-Frederic