Re: PWM as password manager

2014-10-27 Thread Martin van Es
To answer myself, I thought I could tackle this by setting the
password plaintext in LDAP using PWM (using a plaintext password_hash
rule in slapd) and then sync it to Syncope and have it set by its
SSHA equivalent while propagating the change back to the directory.
This way, the plaintext password would only exist in LDAP in a small
time window between syncs?

But alas, I just learned that the connid LDAP connector does not
support sync, unless you're using Sun Directory Server Enterprise
Edition? Is this true? Is there no sync possible from LDAP?

Regards,
Martin

On Mon, Oct 27, 2014 at 7:53 PM, Martin van Es wrote:
> Hi,
>
> I'd like to use PWM for Password Self-service management, but that
> will only let me set passwords for users in an LDAP server.
>
> https://code.google.com/p/pwm/
>
> How would I make (Open)LDAP password leading for all passwords, but
> keep Syncope for propagating users (including passwords) to target
> applications? Of course, I could make all client applications
> authenticate against LDAP, but that would solve the problem only in
> application layer and needs suitable applications. I'm trying to see
> if this problem also has a solution in data layer.
>
> This hypothetical exercise would require a 2-way encrypted password
> setup between OpenLDAP and Syncope. Is this a possible scenario? Would
> PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM
> so that the password would be AES encrypted into a pwd transport
> attribute, which could be picked up by Syncope and propagated to LDAP
> and other applications?
>
> Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
> system for my question. It would be nice if Syncope+OpenLDAP+PWM could
> do this trick as well ;)
>
> Regards,
> Martin
> --
> If 'but' was any useful, it would be a logic operator



-- 
If 'but' was any useful, it would be a logic operator
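The "SSHA equivalent" mentioned above is the salted SHA-1 form slapd writes for userPassword. The following is an added example, not code from this thread or from Syncope, PWM or OpenLDAP: it builds and verifies such a value and shows why a hashed directory password cannot be forwarded to other systems while a cleartext one can. The scheme prefixes {SSHA} and {CLEARTEXT} are OpenLDAP's; the function names are assumptions of this example.

```python
# Added example, not code from the thread or from Syncope/PWM/OpenLDAP.
# Shows the {SSHA} userPassword format slapd produces (RFC 2307 style),
# verification against it, and the one-way property that makes a hashed
# directory password impossible to propagate to other systems.
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt).
    slapd appends a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:10])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def recoverable_plaintext(stored: str) -> Optional[str]:
    """Return the plaintext a propagation engine could forward, or None.
    Only an unprefixed value or the {CLEARTEXT} scheme still carries it;
    any hashed scheme ({SSHA}, {SHA}, {MD5}, ...) is one-way."""
    if stored.startswith("{CLEARTEXT}"):
        return stored[len("{CLEARTEXT}"):]
    if stored.startswith("{"):  # any other scheme prefix: assumed hashed
        return None
    return stored


if __name__ == "__main__":
    # Constructed sample: the cleartext a plaintext password-hash rule would
    # store, versus the SSHA rewrite the message above wants Syncope to apply.
    plain = "correct horse"
    hashed = ssha_hash(plain)
    print(hashed, ssha_verify(plain, hashed), recoverable_plaintext(hashed))
```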


PWM as password manager

2014-10-27 Thread Martin van Es
Hi,

I'd like to use PWM for Password Self-service management, but that
will only let me set passwords for users in an LDAP server.

https://code.google.com/p/pwm/

How would I make (Open)LDAP password leading for all passwords, but
keep Syncope for propagating users (including passwords) to target
applications? Of course, I could make all client applications
authenticate against LDAP, but that would solve the problem only in
application layer and needs suitable applications. I'm trying to see
if this problem also has a solution in data layer.

This hypothetical exercise would require a 2-way encrypted password
setup between OpenLDAP and Syncope. Is this a possible scenario? Would
PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM
so that the password would be AES encrypted into a pwd transport
attribute, which could be picked up by Syncope and propagated to LDAP
and other applications?

Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
system for my question. It would be nice if Syncope+OpenLDAP+PWM could
do this trick as well ;)

Regards,
Martin
--
If 'but' was any useful, it would be a logic operator


Re: Can't change password.cipher.algorithm into AES in console configuration

2014-10-27 Thread Martin van Es
Thx, workaround 1 did the job! ;)

Regards,
Martin

On Mon, Oct 27, 2014 at 1:39 PM, Francesco Chicchiriccò wrote:
> On 27/10/2014 13:17, Martin van Es wrote:
>>
>> Hi,
>>
>> I've just started looking at Syncope again and installed 1.2.0 from
>> debian packages on a fresh ubuntu 14.04LTS server. All works well, and
>> I'm able to propagate a test user to a test OpenLDAP server, but not
>> without reentering the user's password.
>>
>> I thought Syncope had acquired the possibility to 2-way encrypt syncope
>> password with AES so that it could be propagated?
>>
>> When I look at the Syncope configuration parameters in console, I see
>> password.cipher.algorithm set to SHA1, so that probably should be set
>> to AES. But whenever I do that and click "save", when I return to the
>> configuration page, it's set to SHA1 again. I found the corresponding
>> setting in content.xml in the syncope/WEB-INF/class directory, but
>> changing that to AES and restarting tomcat didn't help either (still
>> SHA1).
>>
>> What am I doing wrong?
>
>
> Hi Martin,
> you are right, using AES to propagate password values without re-entering is
> supported since 1.1.0 [1].
>
> The problem you are experiencing ATM is SYNCOPE-576 [2] whose fix is planned
> for 1.2.1.
>
> The content.xml is transferred to the actual database only when no
> pre-existing content is found on it, so here's why you keep seeing SHA1;
> should you need to change any configuration file, please consider that using
> Syncope 1.2.0 DEB packages you can just go and modify it under
> /etc/apache-syncope, then restart Tomcat.
>
> While waiting for SYNCOPE-576 you still have option to
>
>  1. change this value via REST (see reference [3] for more information) -
> e.g. via
>
> curl -u admin:password -X PUT -H "Content-Type: application/json" -H
> "Accept: application/json" -d '{"values": ["AES"]}'
> http://host.port/syncope/rest/configurations/password.cipher.algorithm
>
>  2. change this value in the underlying database table and restart Tomcat
>
> HTH
> Regards.
>
> [1] https://issues.apache.org/jira/browse/SYNCOPE-136
> [2] https://issues.apache.org/jira/browse/SYNCOPE-576
> [3] http://syncope.apache.org/rest/1.2/index.html
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
>
>



-- 
If 'but' was any useful, it would be a logic operator


Re: Can't change password.cipher.algorithm into AES in console configuration

2014-10-27 Thread Francesco Chicchiriccò

On 27/10/2014 13:17, Martin van Es wrote:

Hi,

I've just started looking at Syncope again and installed 1.2.0 from
debian packages on a fresh ubuntu 14.04LTS server. All works well, and
I'm able to propagate a test user to a test OpenLDAP server, but not
without reentering the user's password.

I thought Syncope had acquired the possibility to 2-way encrypt syncope
password with AES so that it could be propagated?

When I look at the Syncope configuration parameters in console, I see
password.cipher.algorithm set to SHA1, so that probably should be set
to AES. But whenever I do that and click "save", when I return to the
configuration page, it's set to SHA1 again. I found the corresponding
setting in content.xml in the syncope/WEB-INF/class directory, but
changing that to AES and restarting tomcat didn't help either (still
SHA1).

What am I doing wrong?


Hi Martin,
you are right, using AES to propagate password values without 
re-entering is supported since 1.1.0 [1].


The problem you are experiencing ATM is SYNCOPE-576 [2] whose fix is 
planned for 1.2.1.


The content.xml is transferred to the actual database only when no 
pre-existing content is found on it, so here's why you keep seeing SHA1; 
should you need to change any configuration file, please consider that 
using Syncope 1.2.0 DEB packages you can just go and modify it under 
/etc/apache-syncope, then restart Tomcat.


While waiting for SYNCOPE-576 you still have option to

 1. change this value via REST (see reference [3] for more information) 
- e.g. via


curl -u admin:password -X PUT -H "Content-Type: application/json" -H 
"Accept: application/json" -d '{"values": ["AES"]}' 
http://host.port/syncope/rest/configurations/password.cipher.algorithm


 2. change this value in the underlying database table and restart Tomcat

HTH
Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-136
[2] https://issues.apache.org/jira/browse/SYNCOPE-576
[3] http://syncope.apache.org/rest/1.2/index.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/




Can't change password.cipher.algorithm into AES in console configuration

2014-10-27 Thread Martin van Es
Hi,

I've just started looking at Syncope again and installed 1.2.0 from
debian packages on a fresh ubuntu 14.04LTS server. All works well, and
I'm able to propagate a test user to a test OpenLDAP server, but not
without reentering the user's password.

I thought Syncope had acquired the possibility to 2-way encrypt syncope
password with AES so that it could be propagated?

When I look at the Syncope configuration parameters in console, I see
password.cipher.algorithm set to SHA1, so that probably should be set
to AES. But whenever I do that and click "save", when I return to the
configuration page, it's set to SHA1 again. I found the corresponding
setting in content.xml in the syncope/WEB-INF/class directory, but
changing that to AES and restarting tomcat didn't help either (still
SHA1).

What am I doing wrong?

Best regards,
Martin
-- 
If 'but' was any useful, it would be a logic operator


Re: Cant able to create user in Active directory through apache syncope.

2014-10-27 Thread Fabio Martelli

On 27/10/2014 02:10, Harsh Sharma wrote:

Hey Fabio,

Whenever I am removing value for membership property and saving it,
it automatically sets to same user principal value when I open it 
again. Should I assign it manually to some other value ?

Hi Harsh, you can remove a value by following these steps:
1. add a new empty value (click on +)
2. remove the wrong older one (click on -)
3. save.

Best regards,
F.


Regards,
Harsh Sharma

On Sat, Oct 25, 2014 at 11:42 AM, Fabio Martelli <fabio.marte...@gmail.com> wrote:


Hi Harsh, you are right, sorry. Password mapping is correct.

It seems that the problem occurs during 'group administrator'
assignment. Taking a look at your connector conf I see that you
set user principal as membership. Please review your conf removing
value for memberships property.

Regards,
F.

On 24 October 2014 19:30:16 CEST, Harsh Sharma <harsh.ksharma1...@gmail.com> wrote:

Hey,

I think as the password is in encrypted form, that's why the
password field is like that :

  Attribute: {Name=__PASSWORD__, 
Value=[org.identityconnectors.common.security.GuardedString@f0b270c2]}

Yes I mapped the password mapping and also selected the password 
checkbox.

attaching user mapping screenshot. Confirm if it is correct.

Regards,

Harsh


On Fri, Oct 24, 2014 at 9:55 PM, Fabio Martelli <fabio.marte...@gmail.com> wrote:

On 24/10/2014 12:59, Harsh Sharma wrote:

Hey,

Please find the attached core-connid.log and the snapshot
of the error message when I created a user named "google".

Hi Harsh, it seems you are missing password.
Not unicodePwd but __PASSWORD__ attribute. Did you map
password attribute by using the checkbox?

Regards,
F.



Also in core-rest.log I am getting this warning message
"09:54:38.989 WARN

org.apache.syncope.core.persistence.validation.entity.EntityValidationListener
- Bean validation errors found:

[ConstraintViolationImpl{interpolatedMessage='InvalidUsername;Username
does not match pattern', propertyPath=username,
rootBeanClass=class
org.apache.syncope.core.persistence.beans.user.SyncopeUser,
messageTemplate='InvalidUsername;Username does not match
pattern'}]
"

Regards,
Harsh Sharma

On Thu, Oct 23, 2014 at 12:34 PM, Fabio Martelli <fabio.marte...@gmail.com> wrote:

Hi Harsh, your configuration seems good, btw provided
info is not enough to make a complete diagnosis.
Can you send core-connid.log file?

Regards,
F.

On 22/10/2014 23:48, Harsh Sharma wrote:

Hey Francesco,

Now when I am creating a user in Syncope it is
reflecting in Active directory, but when I create
user it always show error propagation failure in
Active Directory(
javax.naming.directory.SchemaViolationException: [LDAP: error 
code 65 - 207D: UpdErr: DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION), 
data 31
]; remaining name
'cn=Administrator,cn=Users,dc=testmnet,dc=com'

  Cause: [LDAP: error code 65 - 207D: UpdErr: 
DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION), data 31
). The user is reflecting in Active directory but
this error always appears.

Also when I am deleting user in Active directory it
is not reflecting in syncope, I mean it is still
present in syncope.(I have defined a synchronized
task already).

Attaching log with this mail.

Also my syncope version is 1.2.0
AD connector version 1.1.3
Active directory version (objectVersion: 69; )
AD connector configuration properties and * AD
resource mapping are attached as snapshot

On Mon, Oct 20, 2014 at 2:10 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 19/10/2014 14:42, Harsh Sharma wrote:

Hello,

I am connecting apache syncope to active
directory. I am able to
retrieve Users from Active directory. I can
change password and other
attributes of the retrieved users, But I am not
able to create user in
active directory. I mean whenever I am creating
user in apache syncope
and saving it, it is giving