<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Brad,<br></div><div><br></div><div>I once tried similar thing, which was not yet deployed into production with that customer. So you may try it, it might actually work.<br></div><div><br></div><div>In my case I wanted to take/decrypt midPoint password and hash it with (MD5 in my example, use something stronger :-) ) function and base64-encode. It looked like it works, but it was onyl deployed with my prototype (CSV or DB table; not real resource).<br></div><div><br></div><div> <credentials><br> <password><br> <outbound><br> <expression><br> <script><br> <code><br>import com.evolveum.midpoint.prism.crypto.Protector<br>import java.security.MessageDigest<br>import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType<br>import javax.xml.bind.DatatypeConverter<br><br>Protector protector = midpoint.@protector<br><br>MessageDigest md = MessageDigest.getInstance("MD5") // XXX SHA-2<br><br>log.info('midpoint protector = {}', midpoint.@protector)<br>if (input) {<br> clr = protector?.decryptString(input)<br> log.info("XXXXXXXXXXXXXXX input = {}, clr = {}", input, clr)<br><br>md.update(clr.getBytes("UTF-8"));<br>byte[] digest = md.digest()<br><br>base64 = '{MD5}' + DatatypeConverter.printBase64Binary(digest)<br>log.info("XXXXXXXX base64 = {}", base64)<br><br><br> newPassword = base64<br> return protector?.encryptString(newPassword)<br>}<br> </code><br> </script><br> </expression><br> </outbound><br> <!-- FIXME this is Default Password Policy --><br> <passwordPolicyRef oid="00000000-0000-0000-0000-000000000003"/><br> </password><br> </credentials><br><br></div><div>Of course my mapping would influence all accounts.<br></div><div><br></div><div>Regarding other sources for password (like your $user/name), I think it was not implemented as the other (attribute) mappings, at least not in older versions of midPoint. In 3.6 it might be different.<br></div><div><br></div><div>Maybe someone from developers will have anything to add. Or someone from the list who actually has such things up and running.<br></div><div><br></div><div>Best regards,<br></div><div>Ivan<br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Brad Firestone" <bhotrock@gmail.com><br><b>To: </b>"midPoint General Discussion" <midpoint@lists.evolveum.com><br><b>Sent: </b>Friday, May 5, 2017 9:44:38 PM<br><b>Subject: </b>[midPoint] Construct Password for SASL Pass Through<br><div><br></div>Hi All,<br> <br> I have one certain group of users that will be provisioned on an OpenLDAP resource. This group of users needs to use SASL Pass Through to Active Directory, so the password stored in OpenLDAP userPassword attribute will be in the format of: <br> {<a class="moz-txt-link-abbreviated" href="mailto:SASL}user@example.com" target="_blank" data-mce-href="mailto:SASL}user@example.com">SASL}user@example.com</a><br> Here's some information about SASL Pass Through: <a class="moz-txt-link-freetext" href="https://ltb-project.org/documentation/general/sasl_delegation" target="_blank" data-mce-href="https://ltb-project.org/documentation/general/sasl_delegation">https://ltb-project.org/documentation/general/sasl_delegation</a><br> <br> I have this configured and working, if I enter the password directly into OpenLDAP. But I need to have midPoint enter this value automatically.<br> <br> I can easily construct this value using Groovy, but because it's a "password", I can't seem to work with it in midPoint like other attributes. Here are the things I've tried:<br> <br> 1. Tried to generate it using an outbound expression in <credentials> for the OpenLDAP resource. <br> <credentials><br> <password><br> <outbound><br> <source><br> <path>$user/name</path><br> </source><br> <expression><br> <script><br> <code>'{SASL}' + name</code><br> </script><br> </expression><br> </outbound><br> </password><br> </credentials><br> <br> This doesn't throw any errors, but I don't know if it's really generating the right value, because when it stores the password on the resource, it hashes it, like normal. And the pass through function doesn't work.<br> <br> 2. I tried to bypass the password hashing function by generating the needed value in the User Template, and storing it in midPoint $user/costCenter. I then tried to use outbound mapping in a Role to map $user/costCenter to ri:userPassword. That gave an error of: <br> <span style="color: rgb(51, 51, 51); font-family: "Source Sans
Pro", "Helvetica Neue", Helvetica, Arial, sans-serif;
font-size: 14px; font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: normal; letter-spacing: normal;
orphans: 2; text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);
display: inline !important; float: none;" data-mce-style="color: #333333; font-family: 'Source Sans
Pro', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; display: inline !important; float: none;">Attribute {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank" data-mce-href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}userPassword not found in schema for account type default, resource: Account Testing OpenLDAP (OID:d0811790-1d80-11e4-86b2-3c970e467874) as definied in role: HQ-User (OID:880f1186-2f77-11e7-93c2-bfabd497cae2)</span>.<br> userPassword is the attribute used in the OpenLDAP resource, but I'm guessing it's not treated like other attributes.<br> <br> Is there anyway to pass a "plain text" value to a resource userPassword attribute? If so, then I will need to do this for only ONE set of users. The rest of the user accounts on that resource need to be handled in a normal way.<br> <br> Thanks for any suggestions!<br> Brad<br><br>_______________________________________________<br>midPoint mailing list<br>midPoint@lists.evolveum.com<br>http://lists.evolveum.com/mailman/listinfo/midpoint<br></blockquote><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span>Ivan Noris<br>Senior Identity Engineer<br>evolveum.com<span name="x"></span><br></div></div></body></html>