On 29/08/2013 12:38, Marcin Sośnicki wrote:
Hello Francesco,
Thanks for your quick response.
I was talking about this case:
2. during any update including new resource subscription
I have checked the AbstractPropagationTaskExecutor class, and in the method
createOrUpdate (in case 2) it seems that the __PASSWORD__ parameter is not
propagated. In cases 1 and 3 it is passed in the attributes set, but not
in case 2. This happens before any tasks are executed on the connector object,
so it behaves the same way no matter which connector is used. In cases 1 and
3 the password is propagated in clear text (in a GuardedString instance),
because a new password was supplied during the process (create new user
or update password). But in case 2, there is only access to the hashed
password value from the database. Maybe this is because of the version I
am using? Or some misconfiguration?
I would appreciate your help on that.
Bad phrasing from my side: I should have written
2. during any user update including new resource subscription, if such
resource provides a password schema mapping
See the following issues for more information:
https://issues.apache.org/jira/browse/SYNCOPE-266
https://issues.apache.org/jira/browse/SYNCOPE-136 - in particular
https://issues.apache.org/jira/browse/SYNCOPE-136?focusedCommentId=13568641&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13568641
Hope this clarifies.
Regards.
2013/8/28 Francesco Chicchiriccò <[email protected]>
On 28/08/2013 08:57, Marcin Sośnicki wrote:
Hello,
I have a question regarding password propagation (I am using
Syncope 1.2.0-SNAPSHOT). My flow is as follows:
1) Create user in Syncope, without external resources
2) Edit user (without editing password)
3) Add external resource
4) Save user
With this flow, user is created in external resource without
password. What is the right way to go through flow like this?
Assuming that password in Syncope and external resource are
hashed using different algorithms, there is no way to get the
right value while editing without password change. I would
appreciate your help, I had some ideas how to solve this (same
password encryption for example, and propagation of hashed
password) but first I would like to know what you think about this.
Hi Marcin,
first of all, is there any specific reason why you are working
with 1.2.0-SNAPSHOT? I'd suggest going with the stable branch (ad
libitum - latest 1.1.3).
Coming to your questions, consider that passwords are propagated
from Syncope to external resources in the following cases:
1. during creation (if any resource was selected)
2. during any update including new resource subscription
3. during any update when password was requested to be updated on
some specific resources
In any case, however, the password is not hashed before
propagation but instead sent, via the configured ConnId connector,
as GuardedString [1].
At this point different connector bundles operate differently: the
DB table [2] and LDAP [3] connectors, for example, provide
specific configuration parameters (respectively "Password cipher
algorithm" and "passwordHashAlgorithm") to be used when hashing
passwords - locally to resource.
Regards.
[1]
http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/common/security/GuardedString.html
[2] https://connid.atlassian.net/wiki/display/BASE/Database+Table
[3] https://connid.atlassian.net/wiki/display/BASE/LDAP
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
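The thread above turns on one point: in cases 1 and 3 Syncope holds the cleartext (as a GuardedString) and the connector can hash it locally in whatever format the resource wants, while in case 2 only the internal hash exists and no connector can turn that into a value the resource will accept. The following is an added example, not code from Syncope, ConnId or either participant; it is written in Python rather than Java so it runs stand-alone. It assumes, for illustration only, that the internal store keeps an unsalted SHA-1 hex digest and that the target is an LDAP resource storing RFC 2307-style `{SSHA}` values (what the LDAP connector's `passwordHashAlgorithm=SSHA` would produce). The function and variable names are the example's own, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added illustration for the thread above; not Syncope or ConnId code.
# Assumption: the identity store keeps an unsalted SHA-1 hex digest (the
# real algorithm is configurable in Syncope); the LDAP resource keeps an
# RFC 2307-style {SSHA} value, salted, with the salt appended to the digest.


def syncope_style_hash(password: str) -> str:
    """What the identity store has on hand in "case 2": a hash, no cleartext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt).

    The salt is appended to the digest so that a verifier can recover it."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate cleartext against an {SSHA} value.

    Verification is the only operation a stored hash supports: recover the
    salt from the value, recompute the digest, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_for_ldap(cleartext: Optional[str], internal_hash: str) -> Optional[str]:
    """Decide what can be sent to the LDAP resource for a given update.

    Cases 1 and 3 (user creation, explicit password change): the cleartext
    travels with the request, so a value the resource accepts is produced.
    Case 2 (resource subscribed during an update): only internal_hash is
    available; a SHA-1 hex digest cannot be re-encoded as {SSHA} (different
    salt, different input), so there is nothing usable to propagate.
    """
    if cleartext is not None:
        return ldap_ssha(cleartext)
    # internal_hash is one-way; no path leads from it to another format,
    # so the account ends up on the resource without a password.
    return None


if __name__ == "__main__":
    pw = "s3cret-Passw0rd"          # constructed sample password
    internal = syncope_style_hash(pw)
    print("internal hash    :", internal)
    print("case 1/3 -> LDAP :", password_for_ldap(pw, internal))
    print("case 2   -> LDAP :", password_for_ldap(None, internal))
    print("verify           :", verify_ssha(pw, ldap_ssha(pw)))
```

Running it shows the two outcomes side by side: with the cleartext in hand an `{SSHA}` value that verifies against the password is produced; with only the internal digest the result is `None`, which is exactly the empty password observed on the resource in the original flow (create without resources, edit, subscribe, save). Marcin's idea of propagating the internal hash works only when both sides agree on algorithm, salt handling and encoding, which this example deliberately does not assume.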