<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Jason,<br>
<br>
as Pavol has pointed out, the behaviour of the password is a bit
tricky, as midPoint does not have the original value and would send
the repository value to AD, which is probably not what you wish to
do while reconciling, if AD passwords are set and reset in AD, not
through midPoint.<br>
<br>
The channel trick should work for you, if you can say in which
channel(s) you wish to use the mapping (or the opposite: the
channel(s) in which you don't wish to use the mapping). In my
experience, the list of channels can be different during the initial
setup and after. E.g. if you leave only the LiveSync channel through the
password outbound mapping, it should be OK for almost all
situations. But if some AD accounts get accidentally deleted and you
would like midPoint to recreate them, I doubt the password will be set
correctly, because reconciliation or GUI use different channels than
LiveSync.<br>
<br>
So, either use the &lt;channel&gt; restriction, or comment out the whole
mapping during the reconciliation (which is what I do, as a paranoid
setting, which is fine for me, but of course nobody is able to send
the password to AD when I'm playing :) ).<br>
<br>
The channel limitation for LiveSync and maybe for GUI (to allow
password change when requested from GUI) is probably a good start,
but just like Pavol I recommend that you try this out.<br>
<br>
An <i>example</i> from one of my projects (this is not AD, but it
does not matter) to allow password changes during initial import,
during LiveSync and from GUI:<br>
<br>
<pre wrap="">&lt;credentials&gt;
  &lt;password&gt;
    &lt;outbound&gt;
      &lt;description&gt;Do not change passwords unless using GUI or import (initial) or LiveSync from OpenLDAP through midPoint&lt;/description&gt;
      &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import&lt;/channel&gt;
      &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user&lt;/channel&gt;
      &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync&lt;/channel&gt;
      &lt;expression&gt;
        &lt;asIs/&gt;
      &lt;/expression&gt;
    &lt;/outbound&gt;
  &lt;/password&gt;
&lt;/credentials&gt;
</pre>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 07/04/2015 03:39 PM, Pavol Mederly
wrote:<br>
</div>
<blockquote cite="mid:5597E1FD.6030203@evolveum.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">Hello Jason,<br>
<br>
mapping strength influences how the mapping is applied, either
during normal operation or during reconciliation.<br>
I'm sure you have already seen this: <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength">https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingStrength</a><br>
<br>
In your case, I assume the outbound mapping for password is
specified with strength of "normal" (the default) or "weak".<br>
According to the documentation, both are used if the target
attribute does not have any value.<br>
<br>
So far so good. But in AD the password always has no value,
because the AD clients are not allowed to retrieve it (for
obvious reasons).<br>
So I'm almost sure that the AD password would get overwritten by
the one stored in the repository.<br>
<br>
This is what the theory says. Maybe Ivan (or anyone with
practical experiences in this respect) would correct me.<br>
<br>
Back to your case; it is possible to enable/disable a mapping
for example depending on a channel that caused the mapping to
fire.<br>
See the &lt;channel&gt; element directly under &lt;mapping&gt;.
In your case, you could try to include a limitation to LiveSync
channel, with<br>
an assumption that changes from your CSV file would come through
LiveSync. But please try in the test environment before<br>
using this advice :)<br>
<br>
Best regards and nice weekend!<br>
Pavol<br>
<br>
<br>
On 3. 7. 2015 21:06, Jason Everling wrote:<br>
</div>
<blockquote
cite="mid:CAFkZXY5PYgTidoUtgrV=eZ0HGVMUrptXJqa67vq-y=C1rbbs+Q@mail.gmail.com"
type="cite">
<div dir="ltr">I just wanted to confirm, before I un-comment
outbound credentials for my AD resource,
<div><br>
</div>
<div>The only time a password is sent outbound is when the
password in midPoint is changed, correct?</div>
<div><br>
</div>
<div>I need to run a reconcile against AD after making a few
changes, but I wanted to make sure that this will not send
out passwords for all users. Am I correct in assuming not?</div>
<div><br>
</div>
<div>Users in midPoint will authenticate via CAS, the outbound
password mapping is for when a user is created from CSV and
a password is generated.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
</pre>
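Added example (not part of the thread and not midPoint's own code): a small Python model of the reasoning above. It parses the outbound password mapping quoted in Ivan's message, and applies the two rules the thread relies on: a mapping with a channel list fires only on a listed channel, and a weak or normal mapping writes when the target attribute has no value, which for an AD password is always, because the connector can never read it back. The reconciliation channel URI is an assumption (it does not appear in the thread), and the model deliberately ignores the "source changed" part of real mapping evaluation; it exists only to show why the unrestricted mapping would push every repository password to AD during a reconcile, while the channel-restricted one would not.

```python
import xml.etree.ElementTree as ET

# Outbound password mapping as quoted in Ivan's message, without namespace
# prefixes (as in the e-mail). Strength is not set, so the default ("normal")
# applies.
MAPPING_XML = """<credentials>
  <password>
    <outbound>
      <description>Do not change passwords unless using GUI or import (initial)
      or LiveSync from OpenLDAP through midPoint</description>
      <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import</channel>
      <channel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channel>
      <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</channel>
      <expression>
        <asIs/>
      </expression>
    </outbound>
  </password>
</credentials>"""

# Channel URIs. The first three are the ones used in the mapping above; the
# reconciliation URI is an assumption (not in the thread), used only to show
# what happens on a channel the mapping does not list.
CH_IMPORT = "http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import"
CH_USER = "http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user"
CH_LIVESYNC = "http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync"
CH_RECON = "http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation"  # assumed


def load_outbound(xml_text):
    """Return the channel restriction and strength of the outbound password mapping."""
    root = ET.fromstring(xml_text)
    outbound = root.find("./password/outbound")
    channels = [c.text.strip() for c in outbound.findall("channel")]
    strength = outbound.findtext("strength", default="normal").strip()
    return {"channels": channels, "strength": strength}


def strip_channels(xml_text):
    """Produce the unrestricted variant of the mapping (channel elements removed)."""
    root = ET.fromstring(xml_text)
    outbound = root.find("./password/outbound")
    for ch in outbound.findall("channel"):
        outbound.remove(ch)
    return ET.tostring(root, encoding="unicode")


def password_pushed(mapping, channel, target_has_value):
    """Simplified model of the thread's reasoning.

    A mapping with a channel list fires only on a listed channel. A strong
    mapping always writes; weak and normal mappings write when the target
    attribute has no value. (Real midPoint evaluation also considers whether
    the source value changed; that is outside this model.)
    """
    if mapping["channels"] and channel not in mapping["channels"]:
        return False
    if mapping["strength"] == "strong":
        return True
    return not target_has_value


def recon_pushes_password(xml_text):
    """Would a reconciliation run send the repository password to AD?

    AD never returns the password to the connector, so from midPoint's point
    of view the target attribute always has no value.
    """
    return password_pushed(load_outbound(xml_text), CH_RECON, target_has_value=False)


def channels_that_push(xml_text):
    """Channels on which the mapping would write the (never readable) AD password."""
    mapping = load_outbound(xml_text)
    return [ch for ch in (CH_IMPORT, CH_USER, CH_LIVESYNC, CH_RECON)
            if password_pushed(mapping, ch, target_has_value=False)]


if __name__ == "__main__":
    variants = (("restricted", MAPPING_XML), ("unrestricted", strip_channels(MAPPING_XML)))
    for label, xml in variants:
        print(f"{label}: reconciliation pushes password = {recon_pushes_password(xml)}")
        for ch in channels_that_push(xml):
            print("   fires on", ch.rsplit("#", 1)[1])
```

Running it shows the restricted mapping firing only on import, user (GUI) and liveSync, while the variant with the channel elements removed also fires on reconciliation, which is exactly the mass password overwrite Jason wanted to rule out.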
</body>
</html>