Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 14/07/2017 16:17, justin.isenhour wrote:

> Francesco,
>
> I was finally able to upgrade Syncope to v2.0.4 and now the synchronization of mustChangePassword is working as expected. Thanks for your help with this issue.

Glad to hear that :-)

Regards.

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
justin.isenhour wrote

> Are there any configuration values that I may have missed while setting up the connector or schema object that will impact this?

First of all, are you able to successfully replicate my steps above with 2.0.4-SNAPSHOT in embedded mode [1]?

Regards.

[1] https://ci.apache.org/projects/syncope/getting-started.html#embedded-mode
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
No thoughts as to why changes to mustChangePassword are not triggering a propagation task? Are there any configuration values that I may have missed while setting up the connector or schema object that will impact this?
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
Then I can only suggest that you either try Syncope 2.0.4-SNAPSHOT [1] or wait 2/3 weeks for Syncope 2.0.4.

If you choose to go with 2.0.4-SNAPSHOT, try with a brand new project rather than upgrading your existing one.

Regards.

[1] https://ci.apache.org/projects/syncope/getting-started.html#create-project
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
I am using Syncope 2.0.3 and am doing a Maven WAR overlay.
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 14/06/2017 19:40, justin.isenhour wrote:

> Francesco,
>
> Thanks for your reply. I have followed the steps you described but am not getting the same result as you.
>
> If in the ApacheDS password policy section I have Allow Must Change flagged, then when I try to create a new user the sync with ApacheDS fails; it complains that there are 2 values being set for attribute pwdReset.
>
> If I uncheck the Allow Must Change flag then the create/sync is successful; however, after that any attempt I make to toggle Must Change Password on/off does not sync with ApacheDS. I tried toggling this from the console as well as using the user self Patch API. In both of these cases there is no propagation task being created. The only propagation task I see is the initial create (making other updates does initiate a propagation task and LDAP is updated as expected).
>
> Any thoughts as to why changes to Must Change Password are not triggering a propagation task?

Which Syncope version and distribution are you using?

You might want to download the latest 2.0.4-SNAPSHOT standalone distribution [1] (instructions [2]) and try to perform the steps reported previously with the embedded ApacheDS 2.0 M24 (which is exactly what I did).

Regards.

[1] https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.0.4-SNAPSHOT/syncope-standalone-2.0.4-20170614.162350-94-distribution.zip
[2] https://ci.apache.org/projects/syncope/getting-started.html#standalone

--
Francesco Chicchiriccò
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
Francesco,

Thanks for your reply. I have followed the steps you described but am not getting the same result as you.

If in the ApacheDS password policy section I have Allow Must Change flagged, then when I try to create a new user the sync with ApacheDS fails; it complains that there are 2 values being set for attribute pwdReset.

If I uncheck the Allow Must Change flag then the create/sync is successful; however, after that any attempt I make to toggle Must Change Password on/off does not sync with ApacheDS. I tried toggling this from the console as well as using the user self Patch API. In both of these cases there is no propagation task being created. The only propagation task I see is the initial create (making other updates does initiate a propagation task and LDAP is updated as expected).

Any thoughts as to why changes to Must Change Password are not triggering a propagation task?

Thanks,
Justin
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
Hi,

here's what I did (after creating new Maven project, in embedded mode - it should be exactly the same with standalone distribution):

1. from Admin Console, I went to Topology > resource-ldap > edit provision rules
2. added a mapping item to USER / __ACCOUNT__, with
   * 'mustChangePassword' as internal attribute
   * 'pwdReset' as external attribute
   * JEXL transformer 'mustChangePassword == 1'
3. saved

After that, I have created a new user, and assigned 'resource-ldap': the user got created as expected on the embedded ApacheDS instance (e.g. the one behind 'resource-ldap' above), with 'pwdReset: false'.

Then, on the user row, I have clicked on the "set must change password" menu entry: an update was sent to ApacheDS and 'pwdReset' became true.

I clicked again on the same menu entry (which I have now changed to "toggle must change password"): another update to ApacheDS and 'pwdReset' became false.

Is there anything different that you were expecting?

Regards.

--
Francesco Chicchiriccò
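Added example (not part of the original thread and not Syncope code): a Python check that compares Syncope's mustChangePassword with pwdReset in an LDIF export, using the same conversion as the 'mustChangePassword == 1' transformer described above. The LDIF, DNs, usernames and function names are constructed for illustration, and an absent pwdReset is assumed to mean FALSE.

```python
# Constructed sample data: LDIF export that includes the pwdReset attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdReset: TRUE

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdReset: FALSE

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""
SYNCOPE_USERS = {"alice": 1, "bob": 1, "carol": 0, "dave": 0}  # constructed 0|1 flags


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {uid: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "uid" in attrs:
            entries[attrs["uid"][0]] = attrs
    return entries


def expected_pwd_reset(must_change_password):
    """Same conversion as the thread's JEXL transformer 'mustChangePassword == 1'."""
    return must_change_password == 1


def find_drift(syncope_users, ldif_text):
    """Return {username: reason} where the LDAP entry disagrees with Syncope."""
    entries, drift = parse_ldif(ldif_text), {}
    for user, flag in syncope_users.items():
        if user not in entries:
            drift[user] = "no LDAP entry"
            continue
        values = entries[user].get("pwdreset", [])
        # Assumption: an absent pwdReset counts as FALSE.
        have = bool(values) and values[0].upper() == "TRUE"
        want = expected_pwd_reset(flag)
        if have != want:
            drift[user] = f"pwdReset is {have}, expected {want}"
    return drift
```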
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
Francesco,

pwdReset is part of the pwdpolicy schema (OID: 1.3.6.1.4.1.42.2.27.8.1.22). I am creating a user using the inetOrgPerson class. If you are using Apache Directory Studio to look at the objects, this attribute will not show by default; you will need to include optional attributes to get it to show.

Thanks,
Justin
Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute
On 01/06/2017 19:40, justin.isenhour wrote:

> Hi All,
>
> I am using Syncope 2.0.3 with ApacheDS 2.0.0-M23 as the identity store. In ApacheDS I have Must Change Password enabled for the password policy. When a new user is created the pwdReset flag is true. How can I get Syncope to change the flag to False? Changing the Must Change Password attribute for the UserTo doesn't impact this, neither does resetting the user's password. So far I have found no way to change this flag.
>
> I tried adding a mapping between mustChangePassword and pwdReset with a JEXL transformer to convert Syncope's 0|1 value to ApacheDS's expected true|false. With this in place, when I create a user with must change password as true the provisioning is successful, but when I try to create/update a user with value false the sync fails. ApacheDS complains that I am trying to set more than one value to the pwdReset attribute, which only accepts a single value.
>
> Anyone have any thoughts or recommendations?

Hi Justin,

thanks for your interest in Apache Syncope.

It seems you have come quite far with Syncope LDAP configuration, nice :-)

I am not very familiar with ApacheDS' pwdReset attribute: could you please point me to the LDAP ObjectClass in which it is available? I would like to replicate your setup.

Regards.

--
Francesco Chicchiriccò