Hi Francesco,

I managed to set pwd in PWM (cleartext in LDAP), sync (full reconcile)
to Syncope and (re)propagate the same password SSHA hashed back to
LDAP.
This scenario more or less fulfills my desired test scenario, apart
from the short time the password lives unencrypted in LDAP, but which
is hard to overcome without changing PWM (or slapd).

I'll try to write-up something for the how-to page.

Thx for the patient answers and advice!

Regards,
Martin

On Tue, Oct 28, 2014 at 8:41 AM, Francesco Chicchiriccò
<ilgro...@apache.org> wrote:
> Hi Martin,
> here are some replies to your questions below.
>
>> This hypothetical exercise would require a 2-way encrypted password setup
>> between OpenLDAP and Syncope. Is this a possible scenario? Would PLAINTEXT
>> Passwords in LDAP be the only solution?
>
>
> With Syncope 1.2.0 you can synchronize encrypted passwords from LDAP or DB
> resource and propagate (using the same cipher algorithm, of course) again to
> other LDAP / DB resources.
> For this to happen, usage of LDAPPasswordSyncActions / DBPasswordSyncActions
> (for synchronization) and LDAPPasswordPropagationActions /
> DBPasswordPropagationActions is required.
>
> Another option could be usage of passthrough authentication, again available
> with Syncope 1.2.0: you have the chance to define, in a relevant Account
> Policy, whether authentication (to Syncope core and console) is to be
> checked against one or more of external resources available.
>
>> I just learned that the connid LDAP connector does not support sync,
>> unless you're using Sun Directory Server Enterprise
>> Edition? Is this true? Is there no sync possible from LDAP?
>
>
> In Syncope two types of synchronizations are supported (more info [1]), full
> (calling SEARCH on connectors to get all existing accounts / groups) and
> incremental (calling SYNC on connectors to get all modified accounts /
> groups since previous synchronization).
>
> The former is not as accurate as the latter (for example, it cannot identify any
> delete on external resource) and also not as efficient (at every execution
> the whole content is requested by Syncope).
>
> The ConnId LDAP connector supports actual SYNC operation from former Sun
> DSEE (now Oracle DSEE), OpenDS / OpenDJ and Fedora 389 - and at least the
> latter is actually Open Source ;-)
>
> About OpenLDAP, there is a long-standing open issue [2] at ConnId about
> supporting SYNC - should you be interested in contributing, please join the
> discussion at connid-...@googelgroups.com.
>
>> Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
>> system for my question. It would be nice if Syncope+OpenLDAP+PWM could do
>> this trick as well ;)
>
>
> Well, should you succeed with a working setup satisfying the requirements
> you have in mind, it would be really nice to host a page on our wiki under
> the "How do I...?" section [3].
>
> Regards.
>
> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
> [2] https://connid.atlassian.net/browse/LDAP-1
> [3] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=27841983
>
>
> On 27/10/2014 22:52, Martin van Es wrote:
>>
>> To answer myself, I thought I could tackle this by setting the
>> password plaintext in LDAP using PWM (using a plaintext password_hash
>> rule in slapd) and then sync it to Syncope and have it set by its
>> SSHA equivalent while propagating the change back to the directory.
>> This way, the plaintext password would only exist in LDAP in a small
>> time window between syncs?
>>
>> But alas, I just learned that the connid LDAP connector does not
>> support sync, unless you're using Sun Directory Server Enterprise
>> Edition? Is this true? Is there no sync possible from LDAP?
>>
>> Regards,
>> Martin
>>
>> On Mon, Oct 27, 2014 at 7:53 PM, Martin van Es <mrva...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I'd like to use PWM for Password Self-service management, but that
>>> will only let me set passwords for users in an LDAP server.
>>>
>>> https://code.google.com/p/pwm/
>>>
>>> How would I make (Open)LDAP password leading for all passwords, but
>>> keep Syncope for propagating users (including passwords) to target
>>> applications? Of course, I could make all client applications
>>> authenticate against LDAP, but that would solve the problem only in
>>> application layer and needs suitable applications. I'm trying to see
>>> if this problem also has a solution in data layer.
>>>
>>> This hypothetical exercise would require a 2-way encrypted password
>>> setup between OpenLDAP and Syncope. Is this a possible scenario? Would
>>> PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM
>>> so that the password would be AES encrypted into a pwd transport
>>> attribute, which could be picked up by Syncope and propagated to LDAP
>>> and other applications?
>>>
>>> Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
>>> system for my question. It would be nice if Syncope+OpenLDAP+PWM could
>>> do this trick as well ;)
>>>
>>> Regards,
>>> Martin
>
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>
-- 
If 'but' was any useful, it would be a logic operator
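As an added example (not from this thread, nor code from Syncope, PWM or OpenLDAP), the Python below shows the RFC 2307 {SSHA} userPassword form that the re-propagation step writes back to slapd, and a check for entries whose userPassword still has no hash scheme, i.e. the cleartext window Martin describes. The DNs and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest is 20 bytes; whatever follows it in the decoded value is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a cleartext password in the RFC 2307 {SSHA} form slapd stores in userPassword."""
    if salt is None:
        salt = os.urandom(8)  # random salt; the format does not fix its length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (salt recovered from the tail)."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_scheme(stored: str) -> str:
    """Return the RFC 2307 scheme of a userPassword value; no {scheme} prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


def cleartext_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """DNs whose userPassword is still cleartext: set by PWM, not yet re-propagated hashed by Syncope."""
    return [dn for dn, pw in entries if password_scheme(pw) == "CLEARTEXT"]


# Constructed sample: alice was already re-propagated as {SSHA}, bob still sits in the cleartext window.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=org", ssha_hash("alice-pass", b"8bytesXY")),
    ("uid=bob,ou=people,dc=example,dc=org", "bob-plain-pass"),
]

if __name__ == "__main__":
    for dn in cleartext_entries(SAMPLE_ENTRIES):
        print("still cleartext:", dn)
```

Running the scheme check against a real directory export after each reconcile gives a direct measure of how long the cleartext window actually stays open.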