<div dir="ltr">Hey Radovan, <div><br></div><div>So I managed to resolve the "Old Password" input field on the credentials page, however the password propagation for the midPoint repository resource is enabled by default. Is there anyway to specify one particular resource to be enabled by default? We want to avoid storing any passwords on the midPoint DB at all costs. </div><div><br></div><div>In total we have three repositories. One for the midPOint repository, an LDAP server (which is where we want to change passwords by default) and lastly there's a read only Active Directory. Is there any way (either via security policies, or the authorization model) to only show and allow password changes on the LDAP server?</div><div><br></div><div>Thanks, </div><div>-F </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 18, 2016 at 12:53 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi,<span class=""><br>
<br>
On 07/15/2016 09:03 PM, Florin. Stingaciu wrote:<br>
</span></div><span class="">
<blockquote type="cite">
<div dir="ltr"><b>Users changing their password</b>
<div>When using SSO, users no longer have a password associated
with their midPoint account. However, we'd still like to allow
users to change their passwords for their accounts on a
resource. Unfortunately we can't utilize the Credentials page
as the page will request for your old password -- which
doesn't exist. Right now, I had to resort to using the
authorization rules to allow end users to modify their
password directly on the Projection. This process is not very
intuitive, especially when the user doesn't have a password
set up on the account at all (they have to click the "show
empty fields") </div>
<div><br>
</div>
<div>Ideally, the fact that SSO is enabled should generate a
different credentials page that lets you change your password
on an account of your choosing without asking for the old
password.</div>
</div>
</blockquote>
<br></span>
We already have setting for that: <br>
<br>
<a href="https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml" target="_blank">https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml</a><br>
<br>
see passwordChangeSecurity<br>
<br>
Unfortunately, it is currently documented only in the schema
(common-core-3.xsd).<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><b>End Users </b></div>
<div>Another issue we found was that when a user tries to access
midPoint and doesn't have the End User role while SSO is in
place, the server spits back a 500 error. Ideally, an error
message should be generated letting the user know that he
lacks authorization to access the midPoint GUI. <br>
</div>
</div>
</blockquote>
<br></span>
Yes, it should be 401 and not 500. Please file a bug report for
that.<span class="HOEnZb"><font color="#888888"><br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>