This is what happen when I open the Password Manager, while when I
update the password no log is generated.
13:43:57.477 DEBUG Enter: getObject(ObjectClass: __ACCOUNT__, Attribute:
{Name=__UID__, Value=[user07]}, OperationOptions:
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]})
Method: getObject
13:43:57.477 DEBUG Enter: executeQuery(ObjectClass: __ACCOUNT__,
LdapFilter[nativeFilter: (cn=user07); entryDN: null],
org.identityconnectors.framework.impl.api.local.operations.SearchImpl$1@3c72ca1f,
OperationOptions:
{ATTRS_TO_GET:[__PASSWORD__,mail,sAMAccountName,givenName,__NAME__,cn,sn,__UID__,__ENABLE__]})
Method: executeQuery
13:43:57.478 WARN Reading passwords not supported Method:
getAttributesToGet
13:43:57.478 WARN Attribute __ENABLE__ of object class __ACCOUNT__ is
not mapped to an LDAP attribute Method: getLdapAttribute
13:43:57.478 DEBUG Options filter: {0} null Method: getInternalSearch
13:43:57.478 DEBUG Search filter: {0} cn=* Method: getInternalSearch
13:43:57.478 DEBUG Native filter: {0} (cn=user07) Method:
getInternalSearch
13:43:57.478 DEBUG Membership filter: {0} Method: getInternalSearch
13:43:57.478 DEBUG Searching in [OU=myad,DC=test,DC=local] with filter
(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))(cn=user07)(cn=*))
and SearchControls: {returningAttributes=[cn, entryDN, givenName, mail,
sAMAccountName, sn, unicodePwd, userAccountControl], scope=SUBTREE}
Method: doSearch
13:43:57.479 DEBUG User Account Control: 512 Method:
createConnectorObject
13:43:57.479 DEBUG Enter: {Uid=Attribute: {Name=__UID__,
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__,
Attributes=[Attribute: {Name=__PASSWORD__,
Value=[org.identityconnectors.common.security.GuardedString@204e249b]},
Attribute: {Name=userAccountControl, Value=[512]}, Attribute:
{Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail,
Value=[user07@test.local]}, Attribute: {Name=__NAME__,
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn,
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute:
{Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__,
Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}],
Name=Attribute: {Name=__NAME__,
Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: handle
13:43:57.479 DEBUG Return: false Method: handle
13:43:57.479 DEBUG Return Method: executeQuery
13:43:57.480 DEBUG Return: {Uid=Attribute: {Name=__UID__,
Value=[user07]}, ObjectClass=ObjectClass: __ACCOUNT__,
Attributes=[Attribute: {Name=__PASSWORD__,
Value=[org.identityconnectors.common.security.GuardedString@204e249b]},
Attribute: {Name=sAMAccountName, Value=[user07]}, Attribute: {Name=mail,
Value=[user07@test.local]}, Attribute: {Name=__NAME__,
Value=[CN=user07,OU=myad,DC=test,DC=local]}, Attribute: {Name=cn,
Value=[user07]}, Attribute: {Name=sn, Value=[oln07updated]}, Attribute:
{Name=__UID__, Value=[user07]}, Attribute: {Name=__ENABLE__,
Value=[true]}, Attribute: {Name=givenName, Value=[ofn07updated]}],
Name=Attribute: {Name=__NAME__,
Value=[CN=user07,OU=myad,DC=test,DC=local]}} Method: getObject
On 30/01/2017 14:36, Francesco Chicchiriccò wrote:
> On 30/01/2017 12:34, Tech wrote:
>> When we create the user we are able to initialize the correct
>> password, connecting to the target system we can verify that Syncope
>> did its job.
>>
>> If the Admin tries to reset the password from the console, or if the
>> user tries to change is password from the enduser interface, the
>> password is still correctly updated into Syncope, but it's not
>> propagated to AD, therefore the user will be able to login only using
>> the old password.
>
> Hi,
> I am not completely familiar with AD password management internals,
> but I would examine what Syncope is actually sending to AD by watching
> the core-connid.log file both when creating new user and updating
> existing user, to determine if Syncope is effectively sending the
> updated password to AD during the latter phase.
>
> Regards.
>
>> On 30/01/2017 12:28, Tech wrote:
>>> I'm not sure about this step.
>>>
>>> As mentioned we can already propagate changes as "email, "first
>>> name" and "last name".
>>>
>>> The AD user that we are using is able to change the passwords of
>>> other AD users, create, update and delete other users.
>>>
>>> I think that there is an additional step that was not performed in
>>> Syncope.
>>>
>>> On 27/01/2017 16:32, Fabio Martelli wrote:
>>>> Il 27/01/2017 15:53, Tech ha scritto:
>>>>> Yes, we are connecting via SSL.
>>>>>
>>>>> We know that the connection is working because we are still able
>>>>> to propagate the user modification like firstname and lastname.
>>>>>
>>>>> We can change the password and internally is working, but it's not
>>>>> propagated to AD.
>>>> When you performed the change password by using the administration
>>>> console, did you select AD resource in the list provided after
>>>> password fields?
>>>> Are you sure that the user principal configured to perform updates
>>>> into AD owns all the needed entitlements?
>>>>>
>>>>> the On 27/01/2017 15:42, Fabio Martelli wrote:
>>>>>> Hi, find my comment in-line.
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>> Il 27/01/2017 12:12, Tech ha scritto:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> we are working on the password propagation using the AD connector.
>>>>>>>
>>>>>>> We are able to check the connectivity both using plain and SSL,
>>>>>>> we are able to create new users and to update information like
>>>>>>> email, first name and last name.
>>>>>>>
>>>>>>> We edit the connector:
>>>>>>>
>>>>>>> * We check SSL
>>>>>>> * we change the Server port to 636
>>>>>>> * We enable Trust all certs
>>>>>>>
>>>>>>> We run again some modification and the first name and last name
>>>>>>> are still updated.
>>>>>>>
>>>>>>> We try now to change the password, both from user and admin
>>>>>>> interface.
>>>>>>>
>>>>>>> The user can correctly access to Syncope using the new
>>>>>>> credentials, while we detect that the password is not correctly
>>>>>>> propagated to the target system.
>>>>>>>
>>>>>>
>>>>>> Do you mean that you can still access with the previous one?
>>>>>> Please note that you can change password by working in SSL only [1].
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>> [1]
>>>>>> https://connid.atlassian.net/wiki/pages/viewpage.action?pageId=360482#ActiveDirectory(JNDI)-Configuration
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
