[ https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14019961#comment-14019961 ]
Colm O hEigeartaigh commented on SYNCOPE-313:
---------------------------------------------

Hi all,

I'm just starting to look into this topic again. Here is an initial proposal, feedback welcome!

- A current limitation of Syncope is that password encoding (when digesting) is hardcoded to HEX in PasswordEncoder. I propose that this should be configurable (password.cipher.encoding or something) so that we can also support BASE-64 encoding.

- A new Connector property for the relevant connectors is added to specify whether the password is encoded in either HEX or BASE-64.

- Let's assume we are dealing with LDAP where we might have passwords encoded in the form "{sha}XYZ=", or they could be in plaintext. On synchronization, if it doesn't start with "{hash-alg}" then we treat it as plaintext, and hash according to the default value + encode according to the default value. If it does start with "{hash-alg}", the cipherAlgorithm parameter of a SyncopeUser will get populated by the hash algorithm specified in the password first, and fall back to the default value if it doesn't exist. SyncopeUser will also have a password encoding value derived from the Connector, which will also fall back to the default value. In this case (hashed password), we do not explicitly encode the password via PasswordEncoder, but just use the value we receive (minus the "{hash-alg}" prefix).

- For a SQL table, we will have to add a new hash algorithm parameter, so that we know that the values received are hashed + that we can treat them as such.

Does this broadly make sense or is there a better way? If the former, then I will start looking into how this will actually work without polluting the SyncopeSyncResultHandler with Connector-specific stuff.

Colm.
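The import decision described in the proposal above, as an added example written for this thread (it is not Syncope code): plaintext values are digested with the default algorithm and encoded with the default encoding, while "{scheme}value" inputs keep the received value, take the algorithm from the prefix (falling back to the default when the scheme is unknown) and take the encoding from the connector. The class name, the Encoding enum, the scheme-to-algorithm map and the "{sha}XYZ=" sample value are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;

public class ImportedPasswordDemo {

    enum Encoding { HEX, BASE64 }

    /** What a SyncopeUser would store: algorithm name, encoding and the encoded digest. */
    record StoredPassword(String cipherAlgorithm, Encoding encoding, String value) { }

    // Hypothetical mapping of LDAP "{scheme}" prefixes to JCA digest names.
    private static final Map<String, String> SCHEMES = Map.of(
            "SHA", "SHA-1", "SHA256", "SHA-256", "SHA512", "SHA-512", "MD5", "MD5");

    static StoredPassword importPassword(String raw, String defaultAlg, Encoding defaultEnc,
                                         Encoding connectorEnc) throws NoSuchAlgorithmException {
        int close = raw.indexOf('}');
        if (raw.startsWith("{") && close > 1) {
            // Hashed value: strip the prefix, keep the digest exactly as received.
            String scheme = raw.substring(1, close).toUpperCase(Locale.ROOT).replace("-", "");
            String alg = SCHEMES.getOrDefault(scheme, defaultAlg);
            return new StoredPassword(alg, connectorEnc, raw.substring(close + 1));
        }
        // Plaintext: digest with the default algorithm, encode with the default encoding.
        byte[] digest = MessageDigest.getInstance(defaultAlg)
                .digest(raw.getBytes(StandardCharsets.UTF_8));
        return new StoredPassword(defaultAlg, defaultEnc, encode(digest, defaultEnc));
    }

    static String encode(byte[] bytes, Encoding enc) {
        if (enc == Encoding.BASE64) {
            return Base64.getEncoder().encodeToString(bytes);
        }
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: one LDAP-style hashed password, one plaintext password.
        System.out.println(importPassword("{sha}XYZ=", "SHA-256", Encoding.HEX, Encoding.BASE64));
        System.out.println(importPassword("secret", "SHA-256", Encoding.HEX, Encoding.BASE64));
    }
}
```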
> Support synchronizing non-cleartext passwords from external resources
> ---------------------------------------------------------------------
>
> Key: SYNCOPE-313
> URL: https://issues.apache.org/jira/browse/SYNCOPE-313
> Project: Syncope
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.2.0
>
>
> Currently we can synchronize cleartext passwords from external resources.
> However, we can't handle non-cleartext passwords, as they get treated as if
> they are plaintext passwords when imported into Syncope, and hence hashed
> again according to user.cipherAlgorithm().
> This task is to treat an imported password as hashed according to a given
> cipher algorithm configured on the connector (for example via 'Password
> Cipher Algorithm' for the DB Connector).
> This is specific to each individual connector, as for example for the DB
> Connector, it might just be a hashed value stored in a table, whereas for
> LDAP it'll be of the form "{CIPHER}VALUE" etc.
> Note that we cannot refer to any specific connector bundle from inside the
> SyncopeSyncResultHandler, hence we should find the cleanest place to
> encapsulate the following logic:
>
> if (password.isClearText()) {
>     // do as currently done
> } else {
>     if (connector.isLDAP()) {
>         // extract cipher and value
>     } else if (connector.isDBTable()) {
>         // treat value as ciphered with the cipher defined in connector
>         // configuration
>     } else {
>         ...
>     }
> }

--
This message was sent by Atlassian JIRA
(v6.2#6252)