[midPoint] midPoint does not recognize userPassword attribute in inetOrgPerson
Ivan Noris
ivan.noris at evolveum.com
Wed Nov 23 13:08:03 CET 2022
Hi Sven,
OK, so if I misunderstood the direction, the issue should still be the
same. You should use inbound mapping for password/credentials. There is
no userPassword attribute in schema AFAIK, connector (and ConnId
framework) handles this internally.
The question is if you can see the password at all (in OpenLDAP -
because of permissions).
Last time I used this was a long time ago (in a galaxy far far away :)
and that OpenLDAP stored passwords in clear text form (don't ask) and I
used this mapping to import the password to midPoint:
<credentials>
    <password>
        <fetchStrategy>explicit</fetchStrategy>
        <inbound/> <!-- this will overwrite midPoint user password
                        every time! You may want to use weak strength -->
    </password>
</credentials>
That mapping allowed us to populate midPoint passwords from OpenLDAP.
Which worked.
If you want to do something else with the password, try to use
<target>...</target> to specify where to store the password and
<expression> which does - whatever you need.
If userPassword attribute is not in schema (because it is handled by
connector in a special way), I'm afraid you cannot use it as additional
source for your mapping.
Best regards,
Ivan
On 21. 11. 2022 13:52, Sven Feyerabend via midPoint wrote:
> Hello Ivan,
>
> thank you very much for the swift reply. I will keep that in mind when
> I start on provisioning users from midPoint to LDAP.
>
> Unfortunately that is not a solution that will work for me in my
> current use case. Since the users are provisioned using a different
> system at the moment, I need direct access to the attribute.
>
> The old system stores the activation information of the user in the
> userPassword attribute, as well as the password hash.
>
> To correctly import all the users, I would need to "calculate" the
> activation status from the raw value (base64 encoded string) stored in
> userPassword.
>
> Is there a way to directly access this value in an inbound mapping?
>
> Thanks and kind regards
>
> Sven
>
> On 21.11.22 at 12:42, Ivan Noris via midPoint wrote:
>> Hi Sven,
>>
>> from what I remember, I only used outbound password mapping and
>> that's all.
>>
>> <credentials>
>>     <password>
>>         <outbound>
>>             <expression>
>>                 <asIs/>
>>             </expression>
>>         </outbound>
>>     </password>
>> </credentials>
>>
>> Please see
>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/openldap/openldap-localhost-medium.xml#L315
>>
>> This is a sample using inetOrgPerson.
>>
>> As far as I remember, we use this (after small additions) also in the
>> trainings (based on 4.4.x) and it works for setting/changing LDAP
>> passwords.
>>
>> Connector knows that LDAP supports password and will drive the change
>> to userPassword attribute in LDAP.
>>
>> Best regards,
>>
>> Ivan
>>
>> On 20. 11. 2022 10:44, Sven Feyerabend via midPoint wrote:
>>> Hello everyone,
>>>
>>> I'm currently in the process of connecting midPoint (version 4.4.3)
>>> to my old identity management solution.
>>> The user data is stored in an OpenLDAP instance, users are
>>> represented using the inetOrgPerson objectClass as defined in RFC 2798.
>>>
>>> I configured the server as a resource using the
>>> com.evolveum.polygon.connector.ldap.LdapConnector and importing orgs
>>> from organizational units did work as expected.
>>>
>>> When I defined the userPassword attribute for objectClass
>>> inetOrgPerson in the schemaHandling section of my resource, I got
>>> the following error:
>>>
>>> Definition of attribute userPassword not found in object class
>>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}inetOrgPerson
>>> as defined in definition of resource
>>>
>>>
>>> How can I get midPoint to work with this attribute?
>>> Is there some special configuration required?
>>>
>>> Thanks in advance and kind regards
>>>
>>> Sven
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
--
Ivan Noris
Expert Identity Engineer
evolveum.com
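Putting Ivan's advice together (explicit fetch, a weak password inbound, and a second inbound with <target> and <expression> that derives activation from the same raw value), here is an added illustration that is not part of the thread and not midPoint sample code. It assumes the LDAP bind account is permitted to read userPassword, that basic.decrypt() returns the raw value held in the ProtectedStringType input, and it uses a hypothetical "DISABLED:" marker inside the base64 payload as a stand-in for whatever Sven's old system actually encodes.

```xml
<credentials>
    <password>
        <!-- userPassword is not in the schema; fetch it explicitly through the connector.
             Requires an OpenLDAP ACL that lets the midPoint bind DN read the attribute. -->
        <fetchStrategy>explicit</fetchStrategy>

        <!-- Inbound 1: import the password itself (default target is
             credentials/password/value). Weak so it never overwrites a password
             the user has already set in midPoint. -->
        <inbound>
            <strength>weak</strength>
        </inbound>

        <!-- Inbound 2: derive administrativeStatus from the raw userPassword value. -->
        <inbound>
            <strength>strong</strength>
            <target>
                <path>$focus/activation/administrativeStatus</path>
            </target>
            <expression>
                <script>
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType

                        // 'input' is the ProtectedStringType carrying the fetched userPassword.
                        if (input == null) {
                            return null   // no value in LDAP: leave activation untouched
                        }
                        // Assumption: basic.decrypt() yields the raw (base64) attribute value.
                        String raw = basic.decrypt(input)

                        // Assumption (placeholder format): the old system prepends a
                        // "DISABLED:" marker before the hash inside the base64 payload.
                        String decoded = new String(raw.decodeBase64(), 'UTF-8')
                        return decoded.startsWith('DISABLED:')
                                ? ActivationStatusType.DISABLED
                                : ActivationStatusType.ENABLED
                    </code>
                </script>
            </expression>
        </inbound>
    </password>
</credentials>
```

Replace the "DISABLED:" check with whatever your legacy encoding really is; the point is only that the activation logic lives in the password mapping's <expression>, since userPassword cannot be declared as an ordinary attribute.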