[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

Tue, 10 Jun 2014 06:00:23 -0700 

    [ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14026409#comment-14026409
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:
------------------------------------------------

It seems that both the internal storage and also external databases (see the 
MySQL sample above) are using HEX while only LDAP is using BASE64 (and thus 
{{LDAPPasswordSyncActions}} will need to handle digest encoding).

If you change the internal storage to BASE64 you will end up in a similar 
situation where internal storage and LDAP are using BASE64 and external 
databases HEX (and thus {{DBPasswordSynchronizationAction}} will need to handle 
digest encoding).

If this is correct, I would personally leave HEX for internal - to ease 
migration from 1_1_X.

> Support synchronizing non-cleartext passwords from external resources
> ---------------------------------------------------------------------
>
>                 Key: SYNCOPE-313
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-313
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> Currently we can synchronize cleartext passwords from external resources. 
> However, we can't handle non-cleartext passwords, as they get treated as if 
> they are plaintext passwords when imported into Syncope, and hence hashed 
> again according to user.cipherAlgorithm().
> This task is to treat an imported password as hashed according to a give 
> cipher algorithm configured on the connector (for example via 'Password 
> Cipher Algorithm' for the DB Connector). 
> This is specific to each individual connector, as for example for the DB 
> Connector, it might just be a hashed value stored in a table, whereas for 
> LDAP it'll be of the form "CIPHER}VALUE" etc.
> Note that we we cannot refer to any specific connector bundle from inside the 
> SyncopeSyncResultHandler, hence we should find the cleanest place to 
> encapsulate the following logic:
> if (password.isClearText()) {
> // do as currently done
> } else {
>   if (connector.isLDAP()) {
>    // extract cipher and value
>   } else if (connector.isDBTable()) {
>    // treat value as ciphered with the cipher defined in connector 
> configuration
>   } else {
>     ...
>   }
> }



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to