Re: PWM as password manager
To answer myself, I thought I could tackle this by setting the password plaintext in LDAP using PWM (using a plaintext password_hash rule in slapd) and then sync it to Syncope and have it set by its SSHA equivalent while propagating the change back to the directory. This way, the plaintext password would only exist in LDAP in a small time window between syncs?

But alas, I just learned that the connid LDAP connector does not support sync, unless you're using Sun Directory Server Enterprise Edition? Is this true? Is there no sync possible from LDAP?

Regards,
Martin

On Mon, Oct 27, 2014 at 7:53 PM, Martin van Es wrote:
> Hi,
>
> I'd like to use PWM for Password Self-service management, but that
> will only let me set passwords for users in an LDAP server.
>
> https://code.google.com/p/pwm/
>
> How would I make (Open)LDAP password leading for all passwords, but
> keep Syncope for propagating users (including passwords) to target
> applications? Of course, I could make all client applications
> authenticate against LDAP, but that would solve the problem only in the
> application layer and needs suitable applications. I'm trying to see
> if this problem also has a solution in the data layer.
>
> This hypothetical exercise would require a 2-way encrypted password
> setup between OpenLDAP and Syncope. Is this a possible scenario? Would
> PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM
> so that the password would be AES encrypted into a pwd transport
> attribute, which could be picked up by Syncope and propagated to LDAP
> and other applications?
>
> Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
> system for my question. It would be nice if Syncope+OpenLDAP+PWM could
> do this trick as well ;)
>
> Regards,
> Martin
> --
> If 'but' was any useful, it would be a logic operator

--
If 'but' was any useful, it would be a logic operator
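The scheme in the message above rests on two things slapd will do with userPassword: store whatever PWM writes unchanged (cleartext, when slapd is configured with password-hash {CLEARTEXT}), and later accept the {SSHA} value that Syncope would write back. The following is an added example, not code from PWM, OpenLDAP or Syncope: it builds and verifies OpenLDAP-style {SSHA} values, and supplies the check the "small time window" argument needs, a scan of userPassword values for entries that are still unhashed. The sample directory entries, DNs and passwords are constructed for the example; the 8-byte salt length is an assumption, not a slapd constant.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # random salt; 8 bytes is this example's choice, not slapd's
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:  # digest must be followed by at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(stored: str) -> Optional[str]:
    """Return the {SCHEME} prefix of a userPassword value, or None if it is in the clear."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return None


def cleartext_entries(entries: Dict[str, str]) -> List[str]:
    """DNs whose userPassword carries no scheme prefix, i.e. entries that are still
    inside the window between PWM's cleartext write and Syncope's hashed rewrite."""
    return [dn for dn, pw in entries.items() if password_scheme(pw) is None]


# Constructed sample directory content (dn -> userPassword); not taken from the post.
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": ssha_hash("correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",  # what password-hash {CLEARTEXT} leaves behind
    "uid=carol,ou=people,dc=example,dc=com": "{MD5}CY9rzUYh03PK3k6DJie09g==",
}

if __name__ == "__main__":
    print("cleartext:", cleartext_entries(SAMPLE))
    print("alice ok:", ssha_verify("correct horse", SAMPLE["uid=alice,ou=people,dc=example,dc=com"]))
```

Running `cleartext_entries` against a real export (for example the userPassword column of a `slapcat` dump) is the quickest way to measure how long the window actually is; anything it returns is a credential readable by every DN with read access to userPassword.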
PWM as password manager
Hi,

I'd like to use PWM for Password Self-service management, but that will only let me set passwords for users in an LDAP server.

https://code.google.com/p/pwm/

How would I make (Open)LDAP password leading for all passwords, but keep Syncope for propagating users (including passwords) to target applications? Of course, I could make all client applications authenticate against LDAP, but that would solve the problem only in the application layer and needs suitable applications. I'm trying to see if this problem also has a solution in the data layer.

This hypothetical exercise would require a 2-way encrypted password setup between OpenLDAP and Syncope. Is this a possible scenario? Would PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM so that the password would be AES encrypted into a pwd transport attribute, which could be picked up by Syncope and propagated to LDAP and other applications?

Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM system for my question. It would be nice if Syncope+OpenLDAP+PWM could do this trick as well ;)

Regards,
Martin
--
If 'but' was any useful, it would be a logic operator
Re: Can't change password.cipher.algorithm into AES in console configuration
Thx, workaround 1 did the job! ;)

Regards,
Martin

On Mon, Oct 27, 2014 at 1:39 PM, Francesco Chicchiriccò wrote:
> On 27/10/2014 13:17, Martin van Es wrote:
>>
>> Hi,
>>
>> I've just started looking at Syncope again and installed 1.2.0 from
>> debian packages on a fresh ubuntu 14.04LTS server. All works well, and
>> I'm able to propagate a test user to a test OpenLDAP server, but not
>> without reentering the user's password.
>>
>> I thought Syncope had acquired the possibility to 2-way encrypt the syncope
>> password with AES so that it could be propagated?
>>
>> When I look at the Syncope configuration parameters in console, I see
>> password.cipher.algorithm set to SHA1, so that probably should be set
>> to AES. But whenever I do that and click "save", when I return to the
>> configuration page, it's set to SHA1 again. I found the corresponding
>> setting in content.xml in the syncope/WEB-INF/class directory, but
>> changing that to AES and restarting tomcat didn't help either (still
>> SHA1).
>>
>> What am I doing wrong?
>
> Hi Martin,
> you are right, using AES to propagate password values without re-entering is
> supported since 1.1.0 [1].
>
> The problem you are experiencing ATM is SYNCOPE-576 [2] whose fix is planned
> for 1.2.1.
>
> The content.xml is transferred to the actual database only when no
> pre-existing content is found on it, so here's why you keep seeing SHA1;
> should you need to change any configuration file, please consider that using
> Syncope 1.2.0 DEB packages you can just go and modify it under
> /etc/apache-syncope, then restart Tomcat.
>
> While waiting for SYNCOPE-576 you still have the option to
>
> 1. change this value via REST (see reference [3] for more information) -
> e.g. via
>
> curl -u admin:password -X PUT -H "Content-Type: application/json" -H "Accept: application/json" -d '{"values": ["AES"]}' http://host:port/syncope/rest/configurations/password.cipher.algorithm
>
> 2. change this value in the underlying database table and restart Tomcat
>
> HTH
> Regards.
>
> [1] https://issues.apache.org/jira/browse/SYNCOPE-136
> [2] https://issues.apache.org/jira/browse/SYNCOPE-576
> [3] http://syncope.apache.org/rest/1.2/index.html
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/

--
If 'but' was any useful, it would be a logic operator
Re: Can't change password.cipher.algorithm into AES in console configuration
On 27/10/2014 13:17, Martin van Es wrote:
> Hi,
>
> I've just started looking at Syncope again and installed 1.2.0 from debian packages on a fresh ubuntu 14.04LTS server. All works well, and I'm able to propagate a test user to a test OpenLDAP server, but not without reentering the user's password.
>
> I thought Syncope had acquired the possibility to 2-way encrypt the syncope password with AES so that it could be propagated?
>
> When I look at the Syncope configuration parameters in console, I see password.cipher.algorithm set to SHA1, so that probably should be set to AES. But whenever I do that and click "save", when I return to the configuration page, it's set to SHA1 again. I found the corresponding setting in content.xml in the syncope/WEB-INF/class directory, but changing that to AES and restarting tomcat didn't help either (still SHA1).
>
> What am I doing wrong?

Hi Martin,
you are right, using AES to propagate password values without re-entering is supported since 1.1.0 [1].

The problem you are experiencing ATM is SYNCOPE-576 [2] whose fix is planned for 1.2.1.

The content.xml is transferred to the actual database only when no pre-existing content is found on it, so here's why you keep seeing SHA1; should you need to change any configuration file, please consider that using Syncope 1.2.0 DEB packages you can just go and modify it under /etc/apache-syncope, then restart Tomcat.

While waiting for SYNCOPE-576 you still have the option to

1. change this value via REST (see reference [3] for more information) - e.g. via

curl -u admin:password -X PUT -H "Content-Type: application/json" -H "Accept: application/json" -d '{"values": ["AES"]}' http://host:port/syncope/rest/configurations/password.cipher.algorithm

2. change this value in the underlying database table and restart Tomcat

HTH
Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-136
[2] https://issues.apache.org/jira/browse/SYNCOPE-576
[3] http://syncope.apache.org/rest/1.2/index.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
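Because of SYNCOPE-576 the console cannot be trusted to show what was actually saved, so the practical form of workaround 1 is: PUT the new value over REST, then read the same key back over REST and compare. The block below is an added example, not Syncope's own code: it wraps the curl call from the reply in two small client functions and runs them against a constructed in-process stand-in for the Syncope 1.2 configuration endpoint, which starts at SHA1 and rejects anything but the admin credentials used in the post. It assumes the GET response carries the same `{"values": [...]}` shape as the PUT body; the stand-in server, its port and the credentials are the example's own. Two points the curl one-liner hides: `-u admin:password` sends the admin secret as HTTP basic auth, so the real call belongs on https, and switching to AES makes the stored passwords recoverable by anyone who holds both the database and the cipher key, which is exactly what lets propagation work without re-entering them.

```python
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

# Path from the post; Syncope 1.2 exposes configuration parameters under /configurations/{key}.
CONF_PATH = "/syncope/rest/configurations/password.cipher.algorithm"


def _basic_auth(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def set_cipher_algorithm(base_url: str, user: str, password: str, algorithm: str = "AES") -> int:
    """Workaround 1 from the reply: PUT {"values": [algorithm]} to the key. Returns HTTP status."""
    body = json.dumps({"values": [algorithm]}).encode("utf-8")
    req = urllib.request.Request(base_url + CONF_PATH, data=body, method="PUT")
    req.add_header("Authorization", _basic_auth(user, password))
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def get_cipher_algorithm(base_url: str, user: str, password: str) -> str:
    """Read the key back over REST instead of trusting the console (SYNCOPE-576).
    Assumes the response uses the same {"values": [...]} shape as the PUT body."""
    req = urllib.request.Request(base_url + CONF_PATH, method="GET")
    req.add_header("Authorization", _basic_auth(user, password))
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["values"][0]


class FakeSyncopeServer(HTTPServer):
    """Constructed stand-in for the Syncope 1.2 endpoint (not Syncope code); starts at SHA1."""
    def __init__(self, addr, handler):
        super().__init__(addr, handler)
        self.store = {"password.cipher.algorithm": ["SHA1"]}
        self.expected_auth = _basic_auth("admin", "password")  # example credentials


class FakeSyncopeHandler(BaseHTTPRequestHandler):
    def _authorized(self) -> bool:
        if self.headers.get("Authorization") != self.server.expected_auth:
            self.send_response(401)
            self.end_headers()
            return False
        return True

    def do_GET(self):
        if not self._authorized():
            return
        key = self.path.rsplit("/", 1)[-1]
        if key not in self.server.store:
            self.send_response(404)
            self.end_headers()
            return
        payload = json.dumps({"schema": key, "values": self.server.store[key]}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_PUT(self):
        if not self._authorized():
            return
        length = int(self.headers.get("Content-Length", "0"))
        data = json.loads(self.rfile.read(length))
        self.server.store[self.path.rsplit("/", 1)[-1]] = list(data["values"])
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def apply_and_verify(user: str = "admin", password: str = "password") -> Tuple[str, str]:
    """Start the stand-in, apply the workaround, and return (value before, value after)."""
    server = FakeSyncopeServer(("127.0.0.1", 0), FakeSyncopeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        before = get_cipher_algorithm(base_url, user, password)
        set_cipher_algorithm(base_url, user, password, "AES")
        after = get_cipher_algorithm(base_url, user, password)
    finally:
        server.shutdown()
        server.server_close()
    return before, after


def rejects_bad_credentials() -> bool:
    """The check that the endpoint really demands the admin secret: wrong password -> 401."""
    try:
        apply_and_verify("admin", "wrong")
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False


if __name__ == "__main__":
    print(apply_and_verify())  # ('SHA1', 'AES')
```

Against a real Syncope 1.2 install, replace the stand-in with the deployment's https base URL and keep the read-back step; a value that reverts to SHA1 on the next GET means the PUT was not persisted, and the second workaround (editing the database table and restarting Tomcat) is the fallback.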
Can't change password.cipher.algorithm into AES in console configuration
Hi,

I've just started looking at Syncope again and installed 1.2.0 from debian packages on a fresh ubuntu 14.04LTS server. All works well, and I'm able to propagate a test user to a test OpenLDAP server, but not without reentering the user's password.

I thought Syncope had acquired the possibility to 2-way encrypt the syncope password with AES so that it could be propagated?

When I look at the Syncope configuration parameters in console, I see password.cipher.algorithm set to SHA1, so that probably should be set to AES. But whenever I do that and click "save", when I return to the configuration page, it's set to SHA1 again. I found the corresponding setting in content.xml in the syncope/WEB-INF/class directory, but changing that to AES and restarting tomcat didn't help either (still SHA1).

What am I doing wrong?

Best regards,
Martin
--
If 'but' was any useful, it would be a logic operator
Re: Can't create user in Active Directory through Apache Syncope.
On 27/10/2014 02:10, Harsh Sharma wrote:
> Hey Fabio,
>
> Whenever I am removing the value for the membership property and saving it, it automatically sets to the same user principal value when I open it again. Should I assign it manually to some other value?

Hi Harsh,
you can remove a value by following these steps:

1. add a new empty value (click on +)
2. remove the wrong older one (click on -)
3. save.

Best regards,
F.

> Regards,
> Harsh Sharma
>
> On Sat, Oct 25, 2014 at 11:42 AM, Fabio Martelli wrote:
>> Hi Harsh,
>> you are right, sorry. Password mapping is correct.
>> It seems that the problem occurs during 'group administrator' assignment. Taking a look at your connector conf I see that you set user principal as membership. Please review your conf removing the value for the memberships property.
>>
>> Regards,
>> F.
>>
>> On 24 October 2014 19:30:16 CEST, Harsh Sharma wrote:
>>> Hey,
>>>
>>> I think as the password is in encrypted form, that is why the password field is like that:
>>>
>>> Attribute: {Name=__PASSWORD__, Value=[org.identityconnectors.common.security.GuardedString@f0b270c2]}
>>>
>>> Yes, I mapped the password mapping and also selected the password checkbox. Attaching the user mapping screenshot. Confirm if it is correct.
>>>
>>> Regards,
>>> Harsh
>>>
>>> On Fri, Oct 24, 2014 at 9:55 PM, Fabio Martelli wrote:
>>>> On 24/10/2014 12:59, Harsh Sharma wrote:
>>>>> Hey,
>>>>>
>>>>> Please find the attached core-connid.log and the snapshot of the error message when I created a user named "google".
>>>>
>>>> Hi Harsh,
>>>> it seems you are missing the password. Not unicodePwd but the __PASSWORD__ attribute. Did you map the password attribute by using the checkbox?
>>>>
>>>> Regards,
>>>> F.
>>>>
>>>>> Also in core-rest.log I am getting this warning message:
>>>>>
>>>>> "09:54:38.989 WARN org.apache.syncope.core.persistence.validation.entity.EntityValidationListener - Bean validation errors found: [ConstraintViolationImpl{interpolatedMessage='InvalidUsername;Username does not match pattern', propertyPath=username, rootBeanClass=class org.apache.syncope.core.persistence.beans.user.SyncopeUser, messageTemplate='InvalidUsername;Username does not match pattern'}]"
>>>>>
>>>>> Regards,
>>>>> Harsh Sharma
>>>>>
>>>>> On Thu, Oct 23, 2014 at 12:34 PM, Fabio Martelli wrote:
>>>>>> Hi Harsh,
>>>>>> your configuration seems good, btw the provided info is not enough to make a complete diagnosis. Can you send the core-connid.log file?
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>> On 22/10/2014 23:48, Harsh Sharma wrote:
>>>>>>> Hey Francesco,
>>>>>>>
>>>>>>> Now when I am creating a user in Syncope it is reflecting in Active Directory, but when I create a user it always shows the error "propagation failure in Active Directory" (javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 207D: UpdErr: DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION), data 31]; remaining name 'cn=Administrator,cn=Users,dc=testmnet,dc=com' Cause: [LDAP: error code 65 - 207D: UpdErr: DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION), data 31]). The user is reflecting in Active Directory but this error always appears.
>>>>>>>
>>>>>>> Also when I am deleting a user in Active Directory it is not reflecting in Syncope, I mean it is still present in Syncope. (I have defined a synchronization task already.)
>>>>>>>
>>>>>>> Attaching the log with this mail. Also:
>>>>>>> - my Syncope version is 1.2.0
>>>>>>> - AD connector version 1.1.3
>>>>>>> - Active Directory version (objectVersion: 69;)
>>>>>>> - AD connector configuration properties and AD resource mapping are attached as snapshots
>>>>>>>
>>>>>>> On Mon, Oct 20, 2014 at 2:10 PM, Francesco Chicchiriccò wrote:
>>>>>>>> On 19/10/2014 14:42, Harsh Sharma wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am connecting Apache Syncope to Active Directory. I am able to retrieve users from Active Directory. I can change the password and other attributes of the retrieved users, but I am not able to create a user in Active Directory. I mean whenever I am creating a user in Apache Syncope and saving it, it is giving