On 23 Mar 2012, at 16:17, Nicola Scendoni wrote:

> On 23 March 2012 at 15:32, Fabio Martelli <[email protected]> wrote:
>
>> Hi Syncopers,
>> we have a password issue to be discussed and managed asap.
>>
>> Currently, every time a user's resource set is updated a new user password
>> specification is required.
>> From my point of view this couldn't be acceptable: a new password should
>> be required just in case of adding a new resource requiring password.
>> Do you have any idea about how we can do this?
>>
>> The same behavior is applied in case of a user update coming from a
>> synchronization.
>> If during synchronization a user must be updated by adding a new resource
>> to its external resource set (may be implied by a user template) new
>> password specification is always required. Currently we'll get a failure in
>> this scenario ....
>> Do you have any idea about how we can generate a new password just for new
>> external resources requiring it?
>>
>> Guys, I ask you your opinions in order to open a new issue to tune these
>> behaviors.
>
> Hi Fabio,
>
> Why is a password required during the update? I agree with you this is not
> acceptable.
> About new resources: I think a good approach could be to store the
> encrypted user password and use this password for all the new resources. At
> least this behaviour should be allowed.

Hi Nicola,
"unfortunately" password could be encrypted one-way. The trick you suggest is feasible just in case of reversible encryption.

I think that when adding a new external resource (with password attribute mapped) by a self-update or by user administration, a manual password change should be required.

In case of synchronization I can suggest to generate a random password. What do you think?

Of course, in case of reversible password, automatic password retrieving could be preferred to a manual change or to a random generation.

F.
