[
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14026419#comment-14026419
]
Colm O hEigeartaigh commented on SYNCOPE-313:
---------------------------------------------
Yep I think we are in agreement. So to summarise:
a) We will add the ability to synchronize non-cleartext passwords via a
Synchronization Task action class.
b) LDAPPasswordSyncActions will be designed to work with LDAP. If the password
is of the form "{SHA}XYZ", it will check that the digest algorithm is
supported, and if so it will BASE-64 decode the password, HEX-encode the
result, and store it directly into SyncopeUser. If the password is not of the
form "{SHA}XYZ", then it just handles it via the PasswordEncoder as per normal.
c) DBPasswordSynchronizationAction will be designed to work with a database. It
just stores the encoded password directly into SyncopeUser, with the
presumption that the password is encoded in HEX in the database + hashed via
the same algorithm configured for Syncope under password.cipher.algorithm.
Does this cover it?
Colm.
b) SYNCOPE-502
> Support synchronizing non-cleartext passwords from external resources
> ---------------------------------------------------------------------
>
> Key: SYNCOPE-313
> URL: https://issues.apache.org/jira/browse/SYNCOPE-313
> Project: Syncope
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.2.0
>
>
> Currently we can synchronize cleartext passwords from external resources.
> However, we can't handle non-cleartext passwords, as they get treated as if
> they are plaintext passwords when imported into Syncope, and hence hashed
> again according to user.cipherAlgorithm().
> This task is to treat an imported password as hashed according to a given
> cipher algorithm configured on the connector (for example via 'Password
> Cipher Algorithm' for the DB Connector).
> This is specific to each individual connector, as for example for the DB
> Connector, it might just be a hashed value stored in a table, whereas for
> LDAP it'll be of the form "{CIPHER}VALUE" etc.
> Note that we cannot refer to any specific connector bundle from inside the
> SyncopeSyncResultHandler, hence we should find the cleanest place to
> encapsulate the following logic:
> if (password.isClearText()) {
>     // do as currently done
> } else {
>     if (connector.isLDAP()) {
>         // extract cipher and value
>     } else if (connector.isDBTable()) {
>         // treat value as ciphered with the cipher defined in connector configuration
>     } else {
>         ...
>     }
> }
--
This message was sent by Atlassian JIRA
(v6.2#6252)
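The two sync-action behaviours summarised in the comment above (LDAP "{SHA}XYZ" values base64-decoded and hex-encoded, DB values stored as-is when already a hex digest under the configured cipher, anything else handed to the password encoder), as an added illustration that is not Syncope's own code. The scheme-to-algorithm mapping, the `encode_cleartext` stand-in for Syncope's PasswordEncoder, lowercase hex output, and the choice to reject an unsupported scheme such as {SSHA} with an error (instead of letting it fall through to the encoder, which would hash the literal "{SSHA}..." string) are assumptions made here, not behaviour the issue specifies. The sample values are constructed.

```python
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass

# Assumed mapping from the LDAP userPassword scheme prefix (RFC 2307 style) to a
# cipher algorithm name as used for password.cipher.algorithm. Only unsalted
# digests are listed: a salted {SSHA} value is digest||salt and cannot be stored
# as a bare hex digest, so it is deliberately left unsupported.
SUPPORTED_LDAP_SCHEMES = {
    "SHA": "SHA1",
    "SHA256": "SHA256",
    "SHA512": "SHA512",
    "MD5": "MD5",
}

# hashlib names for the algorithms above (used by the stand-in encoder and for
# digest-length checks).
HASHLIB_NAMES = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512", "MD5": "md5"}

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


@dataclass(frozen=True)
class StoredPassword:
    value: str              # hex digest to persist on the user
    cipher_algorithm: str   # algorithm the stored value is hashed with
    already_hashed: bool    # False: the value was run through the encoder here


def encode_cleartext(password: str, cipher_algorithm: str) -> str:
    """Stand-in for Syncope's PasswordEncoder: unsalted digest, lowercase hex (assumption)."""
    return hashlib.new(HASHLIB_NAMES[cipher_algorithm], password.encode("utf-8")).hexdigest()


def ldap_password_sync(raw: str, configured_cipher: str) -> StoredPassword:
    """LDAPPasswordSyncActions-style handling of a synchronised userPassword value."""
    m = SCHEME_RE.match(raw)
    if m is None:
        # Not of the form "{SCHEME}value": treat as cleartext and encode as per normal
        return StoredPassword(encode_cleartext(raw, configured_cipher), configured_cipher, False)

    scheme, encoded = m.group(1).upper(), m.group(2)
    algorithm = SUPPORTED_LDAP_SCHEMES.get(scheme)
    if algorithm is None:
        # Design choice (assumption): refuse rather than hash the literal "{SSHA}..." string,
        # which would silently leave the user with a password nobody can match.
        raise ValueError(f"unsupported LDAP password scheme {{{scheme}}}")

    try:
        digest = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("LDAP password value is not valid base64") from exc

    # Sanity check: the decoded digest must have the length the scheme implies
    expected = hashlib.new(HASHLIB_NAMES[algorithm]).digest_size
    if len(digest) != expected:
        raise ValueError(f"{{{scheme}}} digest is {len(digest)} bytes, expected {expected}")

    return StoredPassword(digest.hex(), algorithm, True)


def db_password_sync(raw: str, configured_cipher: str) -> StoredPassword:
    """DBPasswordSynchronizationAction-style handling: the value is presumed to be a hex
    digest made with the same algorithm as configured_cipher, so it is stored directly
    after checking that it really is hex of the right length."""
    expected = hashlib.new(HASHLIB_NAMES[configured_cipher]).digest_size
    try:
        digest = bytes.fromhex(raw)
    except ValueError as exc:
        raise ValueError("DB password value is not hex") from exc
    if len(digest) != expected:
        raise ValueError(f"hex digest is {len(digest)} bytes, expected {expected} for {configured_cipher}")
    return StoredPassword(digest.hex(), configured_cipher, True)


if __name__ == "__main__":
    # Constructed samples: "{SHA}" of the word "password" as an LDAP userPassword
    # attribute, the same word in cleartext, and the same digest as stored in a DB table
    print(ldap_password_sync("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "SHA256"))
    print(ldap_password_sync("password", "SHA1"))
    print(db_password_sync("5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8", "SHA1"))
```

Note that in the LDAP case the algorithm recorded on the user comes from the {SCHEME} prefix, not from the configured cipher, so a user imported with {SHA} keeps SHA1 even when Syncope is configured for SHA256; in the DB case the two must already agree, which is exactly the presumption point (c) makes.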