<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Christopher,</p>
<p>another thing is that you can limit a mapping to be executed only
for a specific channel (or for all channels other than a specific one), so e.g.
the outbound mapping would not push the password to OpenLDAP when it
comes from livesync.</p>
<p>Would this be a workaround/solution for you?</p>
<p>Also, I remember the connector has a configuration property
"modifiersNamesToFilterOut" - so if you configure this with the DN of
the user midPoint is using for provisioning, the loop will not be
endless, because after midPoint modifies the password in OpenLDAP,
the change will then be ignored by livesync...</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
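<p>As an added illustration of the two options above (example resource configuration, not Ivan's or the midPoint project's own code): the outbound password mapping is skipped for changes that arrived via livesync, and the connector ignores modifications made by midPoint's own bind DN. The <code>exceptChannel</code> element, the liveSync channel URI and the LDAP connector namespace are assumed from the midPoint 3.x schema; the bind DN and resource name are placeholders.</p>

```xml
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
  <name>OpenLDAP (password sync, loop protection example)</name>
  <connectorConfiguration>
    <icfc:configurationProperties>
      <!-- host, port, bindDn, bindPassword etc. omitted; placeholder DN below -->
      <!-- Option 2: livesync drops entries whose modifiersName is midPoint's
           own bind DN, so a password midPoint just wrote is not read back in. -->
      <icfcldap:modifiersNamesToFilterOut>cn=midpoint,dc=example,dc=com</icfcldap:modifiersNamesToFilterOut>
    </icfc:configurationProperties>
  </connectorConfiguration>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:inetOrgPerson</objectClass>
      <credentials>
        <password>
          <outbound>
            <!-- Option 1: do not run the outbound mapping when the change
                 itself came from the livesync channel (assumed URI). -->
            <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</exceptChannel>
            <expression>
              <!-- the encrypt-for-LDAP Groovy script would replace asIs here -->
              <asIs/>
            </expression>
          </outbound>
          <inbound>
            <expression>
              <!-- the decrypt-with-keystore-key Groovy script would replace asIs here -->
              <asIs/>
            </expression>
          </inbound>
        </password>
      </credentials>
    </objectType>
  </schemaHandling>
</resource>
```

Either setting alone breaks the loop; using both also covers the case where the password is changed in midPoint by a different channel, since the connector-side filter then keeps livesync from echoing midPoint's own write back.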
<br>
<div class="moz-cite-prefix">On 11/21/2016 01:23 PM, Menke,
Christopher wrote:<br>
</div>
<blockquote
cite="mid:2D1AA534B2497B419FA30D66F842FA9BC72D1A23@UM-EXCDAG-A06.um.gwdg.de"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D">Dear Ivan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">we use an
OpenLDAP server and we want to synchronize real passwords
encrypted over this LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">You can find
my configuration in the appendix.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">In inbound I
decrypt an existing AES password with a key from the keystore
and in outbound I want to send the encrypted string to LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">The problem is
the live-sync. If I change the password in LDAP, midPoint
overwrites it directly and there is an endless loop.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">Best
regards,<br>
Christopher<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE">From:</span></b><span
style="color:windowtext;mso-fareast-language:DE">
midPoint [<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On behalf of </b>Ivan Noris<br>
<b>Sent:</b> Monday, 21 November 2016 12:01<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Short question "password
sync"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Christopher,<span
style="font-size:12.0pt;mso-fareast-language:DE"><o:p></o:p></span></p>
<p>what is your setup? What LDAP server are you using and what's
the password algorithm/storage in the LDAP server? Are you
synchronizing real passwords from LDAP server to midPoint, or
generating random passwords in midPoint?<o:p></o:p></p>
<p>Can you also paste the corresponding mappings for
credentials/password (probably you have outbound as well as
inbound)?<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 11/21/2016 11:41 AM, Menke,
Christopher wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif">Dear all,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif" lang="EN-US">we want to
sync an encrypted password between midPoint and a second
system (LDAP).</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif" lang="EN-US">If we change
the password within the LDAP (live-sync), midPoint
encrypts the password (Groovy script) and overwrites the
internal password.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif" lang="EN-US">But then
midPoint overwrites the password again in LDAP.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif" lang="EN-US">Is there a
loopback protection to prevent tasks coming from
LDAP livesync from overwriting the password again in LDAP?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Univers
Com 55 ,sans-serif",serif" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.5pt">Best
regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.5pt">Christopher</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE"><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>