> -----Original Message-----
> From: Fabio Martelli [mailto:[email protected]]
> Sent: Friday, 23 March 2012 16:42
> To: [email protected]
> Subject: Re: new password issue
>
> On 23 Mar 2012, at 16:17, Nicola Scendoni wrote:
>
> > On 23 March 2012 15:32, Fabio Martelli <[email protected]> wrote:
> >
> >> Hi Syncopers,
> >> we have a password issue to be discussed and managed asap.
> >>
> >> Currently, every time a user's resource set is updated a new user password
> >> specification is required.
> >> From my point of view this couldn't be acceptable: a new password should
> >> be required just in case of adding a new resource requiring a password.
> >> Do you have any idea about how we can do this?
> >>
> >> The same behavior is applied in case of a user update coming from a
> >> synchronization.
> >> If during synchronization a user must be updated by adding a new resource
> >> to its external resource set (may be implied by a user template), a new
> >> password specification is always required. Currently we'll get a failure in
> >> this scenario ....
> >> Do you have any idea about how we can generate a new password just for new
> >> external resources requiring it?
> >>
> >> Guys, I ask you your opinions in order to open a new issue to tune these
> >> behaviors.
> >
> > Hi Fabio,
> >
> > Why is a password required during the update? I agree with you this is not
> > acceptable.
> > About new resources: I think a good approach could be to store the
> > encrypted user password and use this password for all the new resources. At
> > least this behaviour should be allowed.
>
> Hi Nicola,
> "unfortunately" the password could be encrypted one-way. The trick you suggest
> is feasible just in case of reversible encryption.
> I think that when adding a new external resource (with the password attribute
> mapped) by a self-update or by user administration, a manual password change
> should be required.
> In case of synchronization I can suggest generating a random password. What do
> you think?
> Of course, in case of a reversible password, automatic password retrieval
> could be preferred to a manual change or to a random generation.
>
> F.
Hi Fabio,
I agree with you. A password should be required only if a new resource is added and only if Syncope is storing the password with a one-way algorithm (there is an open issue on the old Google issue tracking about avoiding the password requirement when using the AES algorithm).
In case of a one-way algorithm I agree with you. One possible solution is random password generation compliant with the password policy.

Bye,
Denis.
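The decision rule the thread converges on, and the policy-compliant random generation Denis proposes for the synchronization case, as an added example that is not part of the original thread and not Syncope's own code. The `Resource` and `PasswordPolicy` models, their field names (`maps_password`, `min_length`, `require_*`), the four outcome labels and the symbol set are this example's own assumptions; the only rule it encodes is the one stated above: ask for (or generate) a password only when the update adds a resource that maps the password attribute and the stored password is one-way hashed, reuse the stored one when it is reversibly encrypted, and generate a random policy-compliant one during synchronization.

```python
import secrets
import string
from dataclasses import dataclass


# Constructed model of an external resource: `maps_password` is True when the
# resource's mapping includes the password attribute (hypothetical field name).
@dataclass(frozen=True)
class Resource:
    name: str
    maps_password: bool


# Constructed password policy; the field names are this example's own, not
# Syncope's PasswordPolicy.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


SYMBOLS = "!@#$%^&*()-_=+"  # constructed symbol class


def adds_password_resource(old, new):
    """True only when the update ADDS a resource that maps the password
    attribute; changing the resource set in any other way does not count."""
    added = set(new) - set(old)
    return any(r.maps_password for r in added)


def password_action(old, new, one_way_hash, from_sync):
    """Decide what to do about the password on a resource-set update.

    Returns one of (labels are this example's own):
      "none"            no new password-mapped resource, nothing to ask for
      "reuse-stored"    stored password is reversibly encrypted, propagate it
      "require-manual"  one-way hash + self-update/admin update: user must set one
      "generate-random" one-way hash + synchronization: make a policy-compliant one
    """
    if not adds_password_resource(old, new):
        return "none"
    if not one_way_hash:
        return "reuse-stored"
    return "generate-random" if from_sync else "require-manual"


def _required_classes(policy):
    classes = [
        (policy.require_upper, string.ascii_uppercase),
        (policy.require_lower, string.ascii_lowercase),
        (policy.require_digit, string.digits),
        (policy.require_symbol, SYMBOLS),
    ]
    return [cls for required, cls in classes if required]


def complies(policy, password):
    """Check a candidate password against the policy."""
    if len(password) < policy.min_length:
        return False
    return all(any(c in cls for c in password) for cls in _required_classes(policy))


def generate_policy_password(policy, length=None):
    """Random password that satisfies `policy`, drawn from the OS CSPRNG.

    One character is taken from every required class first, so compliance is
    guaranteed rather than retried; the rest is filled from the union of the
    classes and the result is shuffled so class positions are not predictable.
    """
    length = max(length or policy.min_length, policy.min_length)
    classes = _required_classes(policy) or [string.ascii_letters + string.digits]
    if len(classes) > length:
        raise ValueError("policy requires more classes than its length allows")
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


if __name__ == "__main__":
    ldap = Resource("ldap", maps_password=True)   # constructed sample resources
    csv = Resource("csv", maps_password=False)
    print(password_action([csv], [csv, ldap], one_way_hash=True, from_sync=True))
    policy = PasswordPolicy()
    pw = generate_policy_password(policy)
    print(pw, complies(policy, pw))
```

The generated value is never stored in clear by this example; in the synchronization case it would be hashed by the normal password pipeline and propagated once to the newly added resource, which is the only place the clear text is needed.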
