Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

2017-06-26 Thread justin.isenhour
I am using Syncope 2.0.3 and am doing a Maven war overlay.

--
View this message in context: 
http://syncope-user.1051894.n5.nabble.com/Cannot-get-Must-Change-Password-to-sync-with-ApacheDS-pwdReset-Attribute-tp5709254p5709277.html
Sent from the syncope-user mailing list archive at Nabble.com.


Re: Password not propagated when changed via enduser UI

2017-06-26 Thread Francesco Chicchiriccò

Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.

Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:

> Hi,
>
> I have set up an LDAP connector and LDAP resource that successfully
> propagates changes to users and groups when changes are performed via
> the console UI. So, I am able to consistently create, update and
> delete users and groups in Syncope and LDAP. When I set/change a
> user's password via the console UI, it gets propagated to LDAP as
> expected by an UPDATE propagation task.
>
> However, when I log into the enduser interface and change the
> password, it gets updated in Syncope's internal database, but not in
> LDAP. Inspecting the propagation tasks afterwards reveals that the
> change in the enduser UI has created a DELETE action for some strange
> reason.

I have replicated your case with 2.0.4-SNAPSHOT (by using the sample 
ApacheDS LDAP resource available) and opened


https://issues.apache.org/jira/browse/SYNCOPE-1125

> As mentioned in the reference guide and earlier posts, I already made
> sure Syncope's property 'password.cipher.algorithm' is set to the same
> algorithm as specified in the LDAP connector. Both are set to 'SSHA'.
> Console log and core log do not show any errors.

Aligning the cipher algorithms is only needed when pulling or pushing 
password values as binary objects, and this only occurs during pull or 
push task execution.


Setting the password via Admin Console or Enduser UI instead does not 
require such alignment, as the cleartext value is passed along with the 
REST invocation.

> What am I doing wrong? What configuration may be wrong or missing?
>
> I would greatly appreciate any hints on what configuration is required
> to propagate the password change from the enduser interface to LDAP!
> My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.
>
> Best regards,
>
> Martin
>
> PS: The result of the password not being propagated is that I am now
> able to log into the enduser interface using both the password stored
> in Syncope's internal DB and the (old) password still present in LDAP…

This is not possible unless you have defined an Account Policy [1] with 
LDAP for pass-through authentication [2].


[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] 
https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/