<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
MidPoint has built-in "loopback protection" in the inbound part.
If an inbound expression would set the user property to the same
value that it already has, then the operation should not be
propagated to the outbound part.<br>
<br>
Maybe the problem is that you are trying to encrypt/decrypt the
values in the script. That should not be necessary. MidPoint
should do that transparently. However, if you try to do this
explicitly in the script you may interfere with the way values
are compared and the "loopback protection" may not work correctly.
I'm not sure that this is what really happens. It is just what
came to my mind when I was reading this.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
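<p>A small model of the echo described above, added here as an illustration and not code from midPoint or from anyone in this thread: a stand-in cipher (a keyed stream with a fresh random nonce, constructed for the example) that never reproduces an earlier ciphertext for the same password, and a loop that counts how many LDAP writes one external password change triggers when the loopback check compares ciphertext rather than the decrypted secret. The mapping and comparison steps are a hypothetical simplification, not midPoint internals.</p>

```python
"""Model of the password echo in this thread (added example, not midPoint code).
Stand-in for the AES step in the script: a keyed stream from the key and a fresh
random nonce, nonce prepended, so like AES with a random IV it never yields the
same bytes twice for the same plaintext."""
import hashlib
import hmac
import os

KEY = b"constructed-keystore-key"  # stands in for the key loaded from the keystore
NONCE_LEN = 16


def encrypt(plain: str) -> bytes:
    """Encrypt with a fresh nonce; plaintext limited to one 32-byte keystream block."""
    data = plain.encode()
    assert len(data) <= 32, "toy cipher: one keystream block only"
    nonce = os.urandom(NONCE_LEN)
    stream = hmac.new(KEY, nonce, hashlib.sha256).digest()
    return nonce + bytes(p ^ k for p, k in zip(data, stream))


def decrypt(blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = hmac.new(KEY, nonce, hashlib.sha256).digest()
    return bytes(b ^ k for b, k in zip(body, stream)).decode()


def livesync_echo(ldap_value: bytes, user_password: str,
                  compare_on: str, max_rounds: int = 5) -> int:
    """Count the LDAP writes caused by one external LDAP password change.

    compare_on="secret": the loopback check compares the decrypted secret with the
    user's current password (the protected value left to midPoint).
    compare_on="ciphertext": it compares freshly encrypted bytes with what LDAP
    holds, as an explicit encrypt step in the script would. Returns max_rounds
    when the echo never stops.
    """
    writes = 0
    for _ in range(max_rounds):
        inbound_secret = decrypt(ldap_value)           # inbound: LDAP -> user property
        if compare_on == "secret":
            unchanged = inbound_secret == user_password
        else:
            unchanged = encrypt(inbound_secret) == ldap_value   # new nonce: never equal
        if unchanged:
            break                                      # loopback protection: nothing to propagate
        user_password = inbound_secret                 # user property updated
        ldap_value = encrypt(user_password)            # outbound writes LDAP; live sync sees it
        writes += 1
    return writes
```

With the secret compared, one external change produces exactly one outbound write and the next live-sync round is suppressed; with ciphertext compared, every round looks like a change and the writes continue until max_rounds.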
<br>
<br>
On 11/21/2016 01:23 PM, Menke, Christopher wrote:<br>
</div>
<blockquote
cite="mid:2D1AA534B2497B419FA30D66F842FA9BC72D1A23@UM-EXCDAG-A06.um.gwdg.de"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D">Dear Ivan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">we used an
OpenLDAP Server and we want to synchronize real passwords
encrypted over this LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">You can find
my configuration within the appendix.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">In inbound I
decrypt an existing AES Password with an key from Keystore
and in outbound I want to send the encrypted string to LDAP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">Problem is
the live-sync. If I change the password in LDAP, midpoint
overwrites it directly and there is an endless loop.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US">Best
regards,<br>
Christopher<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Univers Com
55",sans-serif;color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE">Von:</span></b><span
style="color:windowtext;mso-fareast-language:DE">
midPoint [<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>Im Auftrag von </b>Ivan Noris<br>
<b>Gesendet:</b> Montag, 21. November 2016 12:01<br>
<b>An:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Betreff:</b> Re: [midPoint] Short question "password
sync"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Christopher,<span
style="font-size:12.0pt;mso-fareast-language:DE"><o:p></o:p></span></p>
<p>what is your setup? What LDAP server are you using and what's
the password algorithm/storage in the LDAP server? Are you
synchronizing real passwords from LDAP server to midPoint, or
generating random passwords in midPoint?<o:p></o:p></p>
<p>Can you also paste the corresponding mappings for
credentials/password (probably you have outbound as well as
inbound)?<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 11/21/2016 11:41 AM, Menke,
Christopher wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Dear all,</p>
<p class="MsoNormal" lang="EN-US">we want to sync an encrypted password between midPoint and a second system (LDAP).</p>
<p class="MsoNormal" lang="EN-US">If we change the password within the LDAP (live sync), midPoint encrypts the password (Groovy script) and overwrites the internal password.</p>
<p class="MsoNormal" lang="EN-US">But then midPoint overwrites the password again in LDAP.</p>
<p class="MsoNormal" lang="EN-US">Is there a loopback protection to prevent tasks coming from the LDAP live sync from overwriting the password again in LDAP?</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal">Christopher</p>
<pre>_______________________________________________</pre>
<pre>midPoint mailing list</pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:DE"><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
<br>
</blockquote>
<br>
<br>
</body>
</html>