[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-04 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14052490#comment-14052490
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1607871 from [~ilgrosso] in branch 'syncope/trunk'
[ https://svn.apache.org/r1607871 ]

[SYNCOPE-313] Resolving IT conflicts (XML)

 Support synchronizing non-cleartext passwords from external resources
 ---------------------------------------------------------------------

 Key: SYNCOPE-313
 URL: https://issues.apache.org/jira/browse/SYNCOPE-313
 Project: Syncope
 Issue Type: Improvement
 Reporter: Colm O hEigeartaigh
 Assignee: Colm O hEigeartaigh
 Fix For: 1.2.0


 Currently we can synchronize cleartext passwords from external resources. 
 However, we can't handle non-cleartext passwords, as they get treated as if 
 they are plaintext passwords when imported into Syncope, and hence hashed 
 again according to user.cipherAlgorithm().
 This task is to treat an imported password as hashed according to a given 
 cipher algorithm configured on the connector (for example via 'Password 
 Cipher Algorithm' for the DB Connector). 
 This is specific to each individual connector, as for example for the DB 
 Connector, it might just be a hashed value stored in a table, whereas for 
 LDAP it'll be of the form {CIPHER}VALUE etc.
 Note that we cannot refer to any specific connector bundle from inside the 
 SyncopeSyncResultHandler, hence we should find the cleanest place to 
 encapsulate the following logic:

     if (password.isClearText()) {
         // do as currently done
     } else {
         if (connector.isLDAP()) {
             // extract cipher and value
         } else if (connector.isDBTable()) {
             // treat value as ciphered with the cipher defined in connector configuration
         } else {
             ...
         }
     }



--
This message was sent by Atlassian JIRA
(v6.2#6252)


[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-03 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14051390#comment-14051390
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1607611 from [~ilgrosso] in branch 'syncope/trunk'
[ https://svn.apache.org/r1607611 ]

[SYNCOPE-313] Resolving IT conflicts



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-02 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14050312#comment-14050312
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1607419 from [~coheigea] in branch 'syncope/trunk'
[ https://svn.apache.org/r1607419 ]

[SYNCOPE-313] - Added integration tests



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-02 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14050314#comment-14050314
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-


Tests committed. I @Ignore'd the LDAP test, as it seems to be causing a 
side-effect on reconcileFromLDAP for some reason.

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-01 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14048797#comment-14048797
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Integration tests merged for SYNCOPE-505. Is there any example of a SyncTask 
executing successfully in the integration test-code? The idea I had was to 
extend the tests in SYNCOPE-505, by changing the local password, and then 
sync'ing from the resource again + checking the password was changed. When I 
add a SyncTask via something like this, it doesn't seem to have fired (in 
time?) and the user is not updated:

    SyncTaskTO syncTask = new SyncTaskTO();
    syncTask.setName("DB Sync Task");
    syncTask.setDescription("DB Sync Task description");
    syncTask.setPerformCreate(true);
    syncTask.setPerformUpdate(true);
    syncTask.setFullReconciliation(true);
    syncTask.setResource(RESOURCE_NAME_TESTDB);
    syncTask.setStartDate(new Date());
    syncTask.getActionsClassNames().add(DBPasswordSyncActions.class.getName());

    Response taskResponse = taskService.create(syncTask);
    String taskId = taskResponse.getHeaderString(RESTHeaders.RESOURCE_ID);
    TaskExecTO taskExec = taskService.execute(Long.valueOf(taskId), false);

Any ideas?

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-07-01 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14048799#comment-14048799
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


Take a look at {{TaskTestITCase}} - there is plenty of {{SyncTask}} execution.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-25 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14043317#comment-14043317
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


Any plan for adding an integration test case for this feature?



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-12 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14028879#comment-14028879
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


Looks good!
The actions class is called as part of the user workflow, so updating 
SyncopeUser is exactly what needs to be done.

Two minor questions:
 # any particular reason why not to replace SHA1("SHA-1", false) with SHA("SHA-1", false)?
 # the last argument in SyncopeUser#setEncodedPassword looks not-needed: correct?



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-12 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14029194#comment-14029194
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Hi Francesco,

> any particular reason why not to replace SHA1("SHA-1", false) with 
> SHA("SHA-1", false)?

I just left SHA1 there for backwards compatibility reasons, so that a value of 
SHA1 as part of the password cipher algorithm would still work. I don't see 
any harm in having both SHA + SHA1 map to the same thing.

> the last argument in SyncopeUser#setEncodedPassword looks not-needed: correct?

Yep.

What do you think about backporting the SyncopeUser + CipherAlgorithm changes 
(just the SHA addition) to 1.1.x? At least then a user could plug in their own 
SyncActions implementation to support this behaviour if required.

Colm.




[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-12 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14029200#comment-14029200
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


{quote}
What do you think about backporting the SyncopeUser + CipherAlgorithm changes 
(just the SHA addition) to 1.1.x? At least then a user could plug in their own 
SyncActions implementation to support this behaviour if required.
{quote}

+1





[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-12 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14029226#comment-14029226
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1602193 from [~coheigea] in branch 'syncope/branches/1_1_X'
[ https://svn.apache.org/r1602193 ]

[SYNCOPE-313] - Adding an initial way to import hashed passwords into Syncope 
from an LDAP backend


Conflicts:

common/src/main/java/org/apache/syncope/common/types/CipherAlgorithm.java



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-12 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14029276#comment-14029276
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1602209 from [~coheigea] in branch 'syncope/trunk'
[ https://svn.apache.org/r1602209 ]

[SYNCOPE-313] - SyncActions implementation to sync passwords from a Database



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-11 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14027962#comment-14027962
 ] 

ASF subversion and git services commented on SYNCOPE-313:
-

Commit 1601940 from [~coheigea] in branch 'syncope/trunk'
[ https://svn.apache.org/r1601940 ]

[SYNCOPE-313] - Adding an initial way to import hashed passwords into Syncope 
from an LDAP backend



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026286#comment-14026286
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


{quote}
a) By synchronization actions are you referring to the existing Actions class 
that you can select in the Resource configuration? (e.g. 
LDAPMembershipPropagationAction), or something new that would be associated 
with the Connector itself?
{quote}

I mean the [action 
class|https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass] 
that can be configured for Sync Tasks - (so {{LDAPMembershipSyncActions}} for 
what you refer above).

Since we already provide {{LDAPMembershipSyncActions}} and we are about to 
provide {{LDAPPasswordSyncActions}}, it might be also an idea to allow 
associating a list of Sync Actions classes to a Sync Task - and correspondingly 
a list of Propagation Actions classes to a Resource.

{quote}
We still have the problem with BASE-64/HEX encoding that I raised. What do you 
think of my first two points?
{quote}

I am at the moment working on the {{PasswordEncoder}} (locally renamed as 
{{Encryptor}} as I am working on SYNCOPE-270) but I have to admit I am not able 
to see the problem you report above. Can you please provide more details?



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026295#comment-14026295
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Hi Francesco,

Ok thanks for the clarification. I think allowing a list of propagation + sync 
actions makes sense, so that we could support the new password + membership 
sync actions behaviours at the same time, for example.

To clarify the password encoding issue: Currently, the PasswordEncoder 
hard-codes the digest output to HEX:

digester.setStringOutputType(CommonUtils.STRING_OUTPUT_TYPE_HEXADECIMAL);

So let's say our LDAPPasswordSynchronizationAction is taking the encoded 
password + setting it directly into SyncopeUser. For the LDAP example, it is 
BASE-64 encoded. However, when we try to verify a password next, we end up 
comparing a BASE-64 encoded digest stored in SyncopeUser with the HEX encoded 
digest generated in PasswordEncoder.verify. 

Does that make sense?

Colm.
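
The {CIPHER}VALUE extraction from the issue description and the Base64-versus-hex mismatch described in this comment, as an added Java example that is not Syncope code and not part of the original thread. The class name, method names and sample values are hypothetical; it assumes the directory returns an unsalted {SHA} value and that the DB column already holds a hex digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

// Added illustration: class and method names are hypothetical, not Syncope's API.
public class ImportedPasswordDemo {

    /** An imported password: the digest algorithm plus the digest in hex. */
    static final class ImportedHash {
        final String algorithm;
        final String hexDigest;

        ImportedHash(String algorithm, String hexDigest) {
            this.algorithm = algorithm;
            this.hexDigest = hexDigest;
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** LDAP branch: split {CIPHER}VALUE, Base64-decode VALUE, re-encode as hex. */
    static ImportedHash fromLdap(String userPassword) {
        int close = userPassword.indexOf('}');
        if (!userPassword.startsWith("{") || close < 2) {
            throw new IllegalArgumentException("value is not in {CIPHER}VALUE form");
        }
        String scheme = userPassword.substring(1, close).toUpperCase(Locale.ROOT);
        // Only the unsalted SHA-1 scheme is mapped here; anything else is
        // rejected instead of being stored under a guessed algorithm.
        if (!scheme.equals("SHA")) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        byte[] digest = Base64.getDecoder().decode(userPassword.substring(close + 1));
        if (digest.length != 20) {
            throw new IllegalArgumentException("SHA-1 digest must be 20 bytes");
        }
        return new ImportedHash("SHA-1", toHex(digest));
    }

    /** DB table branch: the algorithm comes from connector configuration.
     *  Assumption: the column already holds a hex digest. */
    static ImportedHash fromDbTable(String columnValue, String configuredAlgorithm) {
        if (!columnValue.matches("(?:[0-9a-fA-F]{2})+")) {
            throw new IllegalArgumentException("column value is not hex");
        }
        return new ImportedHash(configuredAlgorithm, columnValue.toLowerCase(Locale.ROOT));
    }

    /** Hash the candidate the way a hex-output encoder would and compare. */
    static boolean verify(String clearText, ImportedHash stored) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(stored.algorithm);
        String candidate = toHex(md.digest(clearText.getBytes(StandardCharsets.UTF_8)));
        return MessageDigest.isEqual(
                candidate.getBytes(StandardCharsets.US_ASCII),
                stored.hexDigest.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: unsalted SHA-1 of "password" as an LDAP directory would return it.
        String ldapValue = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=";

        // Storing the Base64 text unchanged reproduces the mismatch from the thread.
        ImportedHash storedAsIs = new ImportedHash("SHA-1", ldapValue.substring(5));
        System.out.println("stored as-is verifies:    " + verify("password", storedAsIs));

        // Normalizing to hex at import time makes both sides comparable.
        ImportedHash normalized = fromLdap(ldapValue);
        System.out.println("normalized verifies:      " + verify("password", normalized));
        System.out.println("wrong password verifies:  " + verify("letmein", normalized));

        // Constructed sample: the same digest as an upper-case hex column value.
        ImportedHash fromDb = fromDbTable("5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8", "SHA-1");
        System.out.println("DB column value verifies: " + verify("password", fromDb));
    }
}
```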




[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026310#comment-14026310
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


About the list of actions I've created SYNCOPE-502.

About the password from LDAP, I am not sure that the actual password value 
returned by the connector as {{GuardedString}} and decoded as reported in [this 
gist|https://gist.github.com/ilgrosso/6389336] does not match the value encoded 
by {{PasswordEncoder}} - the Base64 encode / decode should be in charge of 
connector logic AFAIR: have you already performed some tests?



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026321#comment-14026321
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

The user password that is encoded currently in PasswordEncoder.encode is of the 
form {SHA}XYZ= for the LDAP use-case. It appears that the password is just 
imported as is. Note that I am not using the password synchronization 
feature of the LDAP Connector, just ticking the retrieve passwords checkbox.

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026407#comment-14026407
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-


Ok so what you are proposing is that we BASE-64 decode the encoded password in 
LDAPPasswordSyncAction, and then HEX encode it + store it in SyncopeUser? Yes I 
think this will work fine. The only issue is that it seems a bit unwieldy to 
have separate Sync Actions just to support different encoding behaviours. I 
guess we could just default to assuming the passwords are BASE-64 encoded in 
the backend for now.

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026409#comment-14026409
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


It seems that both the internal storage and also external databases (see the 
MySQL sample above) are using HEX while only LDAP is using BASE64 (and thus 
{{LDAPPasswordSyncActions}} will need to handle digest encoding).

If you change the internal storage to BASE64 you will end up in a similar 
situation where internal storage and LDAP are using BASE64 and external 
databases HEX (and thus {{DBPasswordSynchronizationAction}} will need to handle 
digest encoding).

If this is correct, I would personally leave HEX for internal - to ease 
migration from 1_1_X.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026419#comment-14026419
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-


Yep I think we are in agreement. So to summarise:

a) We will add the ability to synchronize non-cleartext passwords via a 
Synchronization Task action class.
b) LDAPPasswordSyncActions will be designed to work with LDAP. If the password 
is of the form {SHA}XYZ, it will check that the digest algorithm is 
supported, and if so it will BASE-64 decode the password, HEX-encode the 
result, and store it directly into SyncopeUser. If the password is not of the 
form {SHA}XYZ, then it just handles it via the PasswordEncoder as per normal.
c) DBPasswordSynchronizationAction will be designed to work with a database. It 
just stores the encoded password directly into SyncopeUser, with the 
presumption that the password is encoded in HEX in the database + hashed via 
the same algorithm configured for Syncope under password.cipher.algorithm.

Does this cover it?

Colm.

b) SYNCOPE-502



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026425#comment-14026425
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


Almost :-)
I would only change c) to

{{DBPasswordSynchronizationAction}} will be designed to work with a database. 
It just stores the encoded password directly into {{SyncopeUser}}, with the 
presumption that the password is encoded in HEX in the database + hashed via 
the algorithm configured in the Password cipher algorithm parameter of the 
underlying connector instance (this might be different from internal storage's 
{{password.cipher.algorithm}}).
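
The BASE-64/HEX mismatch described earlier in this thread and the LDAP conversion agreed in point b), as an added example that is not part of the original comments and is not Syncope's code. The class and method names are hypothetical, the scheme allow-list is an assumption of the sketch, and rejecting an unsupported scheme (rather than some other fallback) is also an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added sketch: class and method names are hypothetical, not Syncope's API.
public class LdapDigestImportSketch {

    // Allow-list of unsalted LDAP schemes -> JCA digest names (assumed for this sketch).
    private static final Map<String, String> SUPPORTED = new HashMap<>();
    static {
        SUPPORTED.put("MD5", "MD5");
        SUPPORTED.put("SHA", "SHA-1");
        SUPPORTED.put("SHA256", "SHA-256");
        SUPPORTED.put("SHA512", "SHA-512");
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    static byte[] digest(String jcaName, String cleartext) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(jcaName).digest(cleartext.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns {jcaName, hexDigest} for a "{SCHEME}base64" value, or null when the value
     * has no scheme prefix and should take the normal cleartext path.
     */
    static String[] convert(String ldapValue) throws NoSuchAlgorithmException {
        int close = ldapValue.indexOf('}');
        if (!ldapValue.startsWith("{") || close < 0) {
            return null;
        }
        String scheme = ldapValue.substring(1, close).toUpperCase(Locale.ROOT);
        String jcaName = SUPPORTED.get(scheme);
        if (jcaName == null) {
            // Includes salted schemes such as SSHA: their decoded bytes carry a salt as well,
            // so a plain HEX re-encoding would not be comparable with an unsalted digest.
            throw new IllegalArgumentException("Unsupported scheme: " + scheme);
        }
        // Throws IllegalArgumentException if the payload is not valid Base64.
        byte[] raw = Base64.getDecoder().decode(ldapValue.substring(close + 1));
        int expected = MessageDigest.getInstance(jcaName).getDigestLength();
        if (raw.length != expected) {
            throw new IllegalArgumentException("Digest length " + raw.length + ", expected " + expected);
        }
        return new String[] {jcaName, toHex(raw)};
    }

    /** Verification as the thread describes it: digest the candidate, HEX-encode, compare. */
    static boolean verify(String candidate, String jcaName, String stored) throws NoSuchAlgorithmException {
        byte[] computed = toHex(digest(jcaName, candidate)).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = stored.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, expected);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: what an LDAP server would hold for this password under {SHA}.
        String password = "Constructed-Sample-1";
        String base64 = Base64.getEncoder().encodeToString(digest("SHA-1", password));
        String ldapValue = "{SHA}" + base64;

        // Storing the Base64 text unchanged: the HEX comparison can never match.
        System.out.println("stored as-is verifies:   " + verify(password, "SHA-1", base64));

        // Base64-decode, HEX-encode, then store: the same comparison now matches.
        String[] imported = convert(ldapValue);
        System.out.println("algorithm / hex digest:  " + imported[0] + " / " + imported[1]);
        System.out.println("converted verifies:      " + verify(password, imported[0], imported[1]));

        // No scheme prefix: caller falls back to the normal cleartext handling.
        System.out.println("cleartext path taken:    " + (convert("plain-value") == null));
    }
}
```

For the database case in point c) no re-encoding is involved: the value is presumed to be HEX already, so only the algorithm name has to come from the connector configuration.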



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-10 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14026427#comment-14026427
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-


Sounds good!

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-09 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14021866#comment-14021866
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Hi Francesco,

That sounds reasonable to me. Two questions though:

a) By synchronization actions are you referring to the existing Actions class 
that you can select in the Resource configuration? (e.g. 
LDAPMembershipPropagationAction), or something new that would be associated 
with the Connector itself? 

b) We still have the problem with BASE-64/HEX encoding that I raised. What do 
you think of my first two points?

Thanks,

Colm.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-06 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14019961#comment-14019961
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Hi all,

I'm just starting to look into this topic again. Here is an initial proposal, 
feedback welcome!

 - A current limitation of Syncope is that password encoding (when digesting) 
is hardcoded to HEX in PasswordEncoder. I propose that this should be 
configurable (password.cipher.encoding or something) so that we can also 
support BASE-64 encoding. 
 - A new Connector property for the relevant connectors is added to specify 
whether the password is encoded in either HEX or BASE-64.
 - Let's assume we are dealing with LDAP where we might have passwords encoded 
in the form {sha}XYZ=, or they could be in plaintext. On synchronization, if 
it doesn't start with {hash-alg} then we treat it as plaintext, and hash 
according to the default value + encode according to the default value. If it 
does start with {hash-alg}, the cipherAlgorithm parameter of a SyncopeUser 
will get populated by the hash algorithm specified in the password first, and 
fall back to the default value if it doesn't exist. SyncopeUser will also have 
a password encoding value derived from the Connector, which will also fall back 
to the default value. In this case (hashed password), we do not explicitly 
encode the password via PasswordEncoder, but just use the value we receive 
(minus the {hash-alg} prefix).
 - For a SQL table, we will have to add a new hash algorithm parameter, so that 
we know that the values received are hashed + that we can treat them as such.

Does this broadly make sense or is there a better way? If the former, then I 
will start looking into how this will actually work without polluting the 
SyncopeSyncResultHandler with Connector-specific stuff.

Colm.




[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-06 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14019973#comment-14019973
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


I was more thinking that a possible way to implement this feature was to 
provide specific synchronization actions for relevant connectors (say LDAP and 
DBTable) so that the technology-specific handling could have been coded in 
there.

The {{LDAPPasswordSynchronizationAction}} could parse the password value from 
connector (say {{{SSHA}jkdsfjlksdjfklsdjfkjsdflsdjkfdslfsdkjfk}}), check that 
{{SSHA}} is supported by Syncope and then directly set the encoded value into 
{{SyncopeUser}} (this is currently not possible).

The {{DBPasswordSynchronizationAction}} could look at the connector 
configuration (the Password cipher algorithm parameter - see 
https://connid.atlassian.net/wiki/display/BASE/Database+Table) and then 
directly set the encoded value into {{SyncopeUser}} (this is currently not 
possible).

WDYT?



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2014-06-05 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14018779#comment-14018779
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


Relevant [discussion|http://markmail.org/message/d7n2wefdghkjlomh] in user ML.



[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2013-12-11 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13845239#comment-13845239
 ] 

Colm O hEigeartaigh commented on SYNCOPE-313:
-

Hi James,

Any update on some potential patches for this issue?

Colm.




--
This message was sent by Atlassian JIRA
(v6.1.4#6159)


[jira] [Commented] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

2013-11-24 Thread JIRA

[ 
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13831237#comment-13831237
 ] 

Francesco Chicchiriccò commented on SYNCOPE-313:


I am not sure if [~coheigea] is actively working on this issue, anyway I'd say 
any patch is more than welcome, even as a starting point :-)

If you decide to provide a patch, please send an 
[ICLA|http://syncope.apache.org/contributing.html#How_do_I_become_a_contributor_or_a_committer] 
before, thanks!




--
This message was sent by Atlassian JIRA
(v6.1#6144)