Hi,
I have seen you opened
https://github.com/apache/syncope/pull/95
for the changes discussed below; see my replies inline.
Regards.
On 2019-01-30 12:19 [email protected] wrote:
Hi guys.
We're using Apache Syncope 2.0.12.
Currently, we're starting to implement customization in Syncope Core
to enforce the already created users to change their passwords if
password lifetime expired. The password lifetime is a domain-specific
value in our case. And we're planning to store it in our custom
implementation of
@org.apache.syncope.common.lib.policy.AbstractPasswordRuleConf@
The plan is to implement Password Expiry Scheduled Task by analogy as
mentioned here
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+a+PasswordExpirationJob.
What we want to achieve is to propagate the @mustChangePassword@ field
in AD as well, but first, we need to find all the users, whose
password should be updated, correctly. In the example above you
provided the following query "SELECT id FROM SyncopeUser WHERE
changePwdDate < ?1".
What we noticed is that @changePwdDate@ field is not initialized when
we create a new user with the specified password in Apache Syncope.
What is the purpose of implementing the logic in such a way?
Currently, @changePwdDate@ field is updated only when UserTO object is
updated.
changePwdDate is set only when... password is changed, e.g. with user or
password-only update.
Can we also init changePwdDate when we create a user and specify the
password by adding this line?
https://github.com/apache/syncope/blob/d3b81598d63a04132e271fbc75a964aa48f39e7f/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java#L171
```java
user.setChangePwdDate(new Date());
```
I don't see issues with such a change, please open an issue on JIRA then
create a PR on github with a commit message mentioning such issue.
Also AD supports the "passwordNeverExpires" flag. For this purpose we
would like to add a new "passwordNeverExpires" field in
org.apache.syncope.core.persistence.jpa.entity.user.JPAUser model.
We want to have this field to exclude users which have
"passwordNeverExpires" set to @true@ in the Password Expiry Scheduled
Task. Do you see any sense in having this field in the code of Apache
Syncope as well (as a part of the JPAUser entity and then as a part of
the UserTO object)? Can this field be applied to other types of
net.tirasa.connid connectors?
There are several good reasons not to extend the fields of the
SyncopeUser entity, one of these being to avoid changing the database
schema across minor releases.
I'd suggest instead to define a boolean Plain Schema with the same purpose,
on your own deployment.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
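The selection problem discussed in the thread, as an added example that is not Syncope code nor part of the original exchange: a minimal in-memory model showing why the `changePwdDate < ?1` query skips users whose `changePwdDate` was never set, and a check that falls back to the creation date and honours the per-user exclusion flag. The `UserRecord` class, the 90-day lifetime and the sample users are constructed for illustration; the `passwordNeverExpires` value stands in for the boolean Plain Schema attribute suggested above.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;

// Constructed example (not Syncope's own code); field names mirror the thread.
public class PasswordExpiryCheck {

    static final class UserRecord {
        final String id;
        final Instant creationDate;
        final Instant changePwdDate;        // null until the first password change (the gap discussed)
        final boolean passwordNeverExpires; // would be read from a boolean Plain Schema attribute

        UserRecord(String id, Instant creationDate, Instant changePwdDate, boolean passwordNeverExpires) {
            this.id = id;
            this.creationDate = creationDate;
            this.changePwdDate = changePwdDate;
            this.passwordNeverExpires = passwordNeverExpires;
        }
    }

    // Mirrors "SELECT id FROM SyncopeUser WHERE changePwdDate < ?1": a null changePwdDate
    // never compares as less-than, so a user created with a password is silently skipped.
    static boolean expiredByQuerySemantics(UserRecord u, Instant threshold) {
        return u.changePwdDate != null && u.changePwdDate.isBefore(threshold);
    }

    // Hardened check: fall back to creationDate when changePwdDate was never set,
    // and exclude users flagged as passwordNeverExpires.
    static boolean mustChangePassword(UserRecord u, Instant threshold) {
        if (u.passwordNeverExpires) {
            return false;
        }
        Instant lastChange = u.changePwdDate != null ? u.changePwdDate : u.creationDate;
        return lastChange.isBefore(threshold);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2019-01-30T12:00:00Z");
        Instant threshold = now.minus(Duration.ofDays(90)); // constructed 90-day password lifetime
        Instant created = now.minus(Duration.ofDays(200));
        List<UserRecord> users = Arrays.asList(
            new UserRecord("alice", created, now.minus(Duration.ofDays(10)), false),  // changed recently
            new UserRecord("bob",   created, now.minus(Duration.ofDays(120)), false), // changed, now expired
            new UserRecord("carol", created, null, false),                           // created with password, never changed
            new UserRecord("svc",   created, null, true));                           // service account, excluded
        for (UserRecord u : users) {
            System.out.printf("%-6s query=%-5b mustChange=%b%n", u.id,
                expiredByQuerySemantics(u, threshold), mustChangePassword(u, threshold));
        }
    }
}
```

Running it shows "carol" excluded by the query-style check but flagged by the hardened one, which is exactly the population the proposed `user.setChangePwdDate(new Date())` at creation time would make visible to the original query.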