[midPoint] Self Credentials Page - Old Password - Keycloak AND reset password for LDAP only

Markus Calmius markus.calmius at proton.ch
Wed Oct 23 13:26:10 CEST 2024


Hi,

referring to the documentation https://docs.evolveum.com/midpoint/reference/support-4.9/admin-gui/self-service/#credentials-page

it looks like I should be able to set propagationUserControl to an objectRef.
All my tests have failed though; does anyone have an example?

Setting it to "mapping" solved the issue, in that the propagation dialog is removed.

If I can set the objectRef to LDAP, that would be better...


Markus Calmius
Proton AG


On Friday, 18 October 2024 at 12:00, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:

> Send midPoint mailing list submissions to
> midpoint at lists.evolveum.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
> midpoint-request at lists.evolveum.com
> 
> You can reach the person managing the list at
> midpoint-owner at lists.evolveum.com
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of midPoint digest..."
> 
> 
> Today's Topics:
> 
> 1. Questions to UNIX Connector (Patrik Sidler)
> 2. Re: Self Credentials Page - Old Password - Keycloak AND reset
> password for LDAP only (gui config) (Markus Calmius)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 17 Oct 2024 11:49:32 +0000
> From: Patrik Sidler patrik.sidler at itconcepts.ch
> 
> To: midPoint Mailinglist midpoint at lists.evolveum.com
> 
> Subject: [midPoint] Questions to UNIX Connector
> Message-ID:
> GVAP278MB0231277D9C65D2100B9A062EEF472 at GVAP278MB0231.CHEP278.PROD.OUTLOOK.COM
> 
> 
> Content-Type: text/plain; charset="utf-8"
> 
> Dear Community,
> 
> I have some questions regarding the UNIX Connector.
> We have to connect a huge amount of Unix Systems to Create, Update and Delete User Accounts.
> midPoint will store the public SSH Key for every Identity and when a new Unix Account is created for an Identity, midpoint must deploy the SSH Key to the Users home directory.
> The SSH key must be updated on all connected systems whenever it changes.
> 
> Is the Unix Connector still maintained?
> Do I have to create a connector for every single system?
> Is it possible to deploy the SSH keys to every Unix Account that I create?
> 
> Thank you all in advance for your help.
> 
> Regards
> Patrik
> 
> 
> 
> 
> 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20241017/93938832/attachment-0001.htm
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 18 Oct 2024 08:41:36 +0000
> From: Markus Calmius markus.calmius at proton.ch
> 
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Self Credentials Page - Old Password -
> Keycloak AND reset password for LDAP only (gui config)
> Message-ID:
> brnn4oMcISM-IG08Be7YZgpqZlz_oWZWiia1QxBguAz_paPDSA7EsQSuJZ3h_vGzqYN3XCqS2Lmhvuy8S_P_mM2vH1jVkPH28WldP-5jyP0=@proton.ch
> 
> 
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
> 
> thanks to João Paulo Ribeiro for the question regarding Keycloak and old password.
> That helped me move forward with my question(s).
> 
> I'm running 4.8(.0) and it looks like the password hint cannot be removed until 4.8.1, is that correct?
> 
> So, I only have one issue left to solve:
> How to specify that only specific resources are available for password resets.
> 
> 
> 
> Markus Calmius
> Proton AG
> 
> 
> 
> 
> On Wednesday, 16 October 2024 at 12:00, midpoint-request at lists.evolveum.com midpoint-request at lists.evolveum.com wrote:
> 
> > Send midPoint mailing list submissions to
> > midpoint at lists.evolveum.com
> > 
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> > or, via email, send a message with subject or body 'help' to
> > midpoint-request at lists.evolveum.com
> > 
> > You can reach the person managing the list at
> > midpoint-owner at lists.evolveum.com
> > 
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of midPoint digest..."
> > 
> > Today's Topics:
> > 
> > 1. reset password for LDAP only (gui config) (Markus Calmius)
> > 2. Self Credentials Page - Old Password - Keycloak
> > (João Paulo Ribeiro)
> > 
> > ----------------------------------------------------------------------
> > 
> > Message: 1
> > Date: Tue, 15 Oct 2024 14:17:25 +0000
> > From: Markus Calmius markus.calmius at proton.ch
> > 
> > To: midPoint General Discussion midpoint at lists.evolveum.com
> > 
> > Subject: [midPoint] reset password for LDAP only (gui config)
> > Message-ID:
> > yLBnWn-8W3-LXa9a7Jsb8hcHT1aQTeJdMrtvx7QIG7rufdi--KTb-ZatTAi4Pnys6wFeEPwTRDz18YILzq-gBZiCr0F28IkEDlxKQyX6USM=@proton.ch
> > 
> > Content-Type: text/plain; charset="utf-8"
> > 
> > Hi,
> > 
> > we use OIDC/Keycloak to login to midPoint and many other webapps using passkeys/passwordless authentication.
> > Some systems or non webapps that do not support OIDC/SAML usually support LDAP though.
> > 
> > I would like to configure the Credentials-page to only show the LDAP-resource.
> > Any tips on how to do that?
> > 
> > Thanks in Advance,
> > 
> > Markus
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20241015/8707b398/attachment-0001.htm
> > 
> > ------------------------------
> > 
> > Message: 2
> > Date: Tue, 15 Oct 2024 15:28:25 -0300
> > From: João Paulo Ribeiro joparibeiro at gmail.com
> > 
> > To: midpoint at lists.evolveum.com
> > Subject: [midPoint] Self Credentials Page - Old Password - Keycloak
> > Message-ID:
> > CAMP=YZwk8VL3hfM891jyk5+9NaubGYVyi1k0pCF_gPAYJ+SxfA at mail.gmail.com
> > 
> > Content-Type: text/plain; charset="utf-8"
> > 
> > Hello!
> > 
> > I have a midPoint 4.8.4 + Keycloak scenario. I would like to know if there
> > is any configuration I can do so that while an end user is changing his/her
> > own password (in the credentials self-service page), midPoint would prompt for
> > the old OIDC password instead of the old password from the midPoint
> > repository. I am using AD as user federation in Keycloak.
> > 
> > I've set storageType=none in the security policy, but when I try to change
> > my own password by entering the old AD password in the "Old Password" field,
> > midPoint says that the old password is incorrect. I think it is looking for
> > the old password in the repository, in m_object.fullobject, but obviously
> > there is no password defined there, due to storageType=none.
> > 
> > I could simply remove the "Old Password" field from the self-service
> > credentials UI (using passwordChangeSecurity=none in the security policy),
> > but for security reasons I think it's important that the end user
> > provide the old password.
> > 
> > Thanks in advance.
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: https://lists.evolveum.com/pipermail/midpoint/attachments/20241015/006af5a9/attachment-0001.htm
> > 
> > ------------------------------
> > 
> > Subject: Digest Footer
> > 
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> > 
> > ------------------------------
> > 
> > End of midPoint Digest, Vol 150, Issue 6
> > ****************************************
> 
> 
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> ------------------------------
> 
> End of midPoint Digest, Vol 150, Issue 7
> ****************************************
