On 28/08/2013 08:57, Marcin Sośnicki wrote:
Hello,
I have a question regarding password propagation (I am using Syncope
1.2.0-SNAPSHOT). My flow is as follows:
1) Create user in Syncope, without external resources
2) Edit user (without editing password)
3) Add external resource
4) Save user
With this flow, user is created in external resource without password.
What is the right way to go through flow like this? Assuming that
password in Syncope and external resource are hashed using different
algorithms, there is no way to get the right value while editing
without password change. I would appreciate your help, I had some
ideas how to solve this (same password encryption for example, and
propagation of hashed password) but first I would like to know what
you think about this.

Hi Marcin,
first of all, is there any specific reason why you are working with
1.2.0-SNAPSHOT? I'd suggest going with the stable branch (Ad libitum -
latest 1.1.3).
Coming to your questions, consider that passwords are propagated from
Syncope to external resources in the following cases:
1. during creation (if any resource was selected)
2. during any update including new resource subscription
3. during any update when password was requested to be updated on some
specific resources
In any case, however, the password is not hashed before propagation but
instead sent, via the configured ConnId connector, as GuardedString [1].
At this point different connector bundles operate differently: the DB
table [2] and LDAP [3] connectors, for example, provide specific
configuration parameters (respectively "Password cipher algorithm" and
"passwordHashAlgorithm") to be used when hashing passwords - locally to
the resource.
Regards.
[1] http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/common/security/GuardedString.html
[2] https://connid.atlassian.net/wiki/display/BASE/Database+Table
[3] https://connid.atlassian.net/wiki/display/BASE/LDAP
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
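
The following is an added example, not part of the original thread and not code from Syncope or any ConnId bundle. It sketches what the reply describes: a connector receives the password as a GuardedString and hashes the cleartext locally with the algorithm configured on the resource, so a hash already stored elsewhere cannot stand in for it. The helper `hashOnResource`, the sample password and the algorithm names are assumptions; the ConnId connector-framework jar must be on the classpath.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

import org.identityconnectors.common.security.GuardedString;

public class LocalPasswordHashing {

    // Hypothetical connector-side helper: hash the cleartext carried by the
    // GuardedString with the algorithm configured on the target resource.
    // A bare digest keeps the example short; the real scheme is whatever the
    // resource's connector configuration selects.
    static String hashOnResource(GuardedString password, String algorithm)
            throws NoSuchAlgorithmException {
        final MessageDigest digest = MessageDigest.getInstance(algorithm);
        final String[] result = new String[1];
        // The cleartext is only visible inside the Accessor callback.
        password.access(new GuardedString.Accessor() {
            @Override
            public void access(char[] clearChars) {
                ByteBuffer bytes = StandardCharsets.UTF_8.encode(CharBuffer.wrap(clearChars));
                digest.update(bytes);
                if (bytes.hasArray()) {
                    Arrays.fill(bytes.array(), (byte) 0); // wipe the temporary copy
                }
                result[0] = Base64.getEncoder().encodeToString(digest.digest());
            }
        });
        return result[0];
    }

    public static void main(String[] args) throws Exception {
        char[] typed = "constructed-sample-pw".toCharArray(); // constructed sample value
        GuardedString password = new GuardedString(typed);
        Arrays.fill(typed, '\0'); // GuardedString holds its own encrypted copy
        try {
            // Two resources with different settings each derive their own
            // stored value from the same cleartext.
            System.out.println("resource A: " + hashOnResource(password, "SHA-256"));
            System.out.println("resource B: " + hashOnResource(password, "SHA-512"));
        } finally {
            password.dispose(); // clear the in-memory secret once propagation is done
        }
    }
}
```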