Hi Martin,
here's some reply to your questions below.
This hypothetical excercise would require a 2-way encrypted password setup
between OpenLDAP and Syncope. Is this a possible scenario? Would PLAINTEXT
Passwords in LDAP be the only solution?
With Syncope 1.2.0 you can synchronize encrypted passwords from LDAP or
DB resource and propagate (using the same cipher algorithm, of course)
again to other LDAP / DB resources.
For this to happen, usage of LDAPPasswordSyncActions /
DBPasswordSyncActions (for synchronization) and
LDAPPasswordPropagationActions / DBPasswordPropagationActions is required.
Another option could be usage of passthrough authentication, again
available with Syncope 1.2.0: you have the chance to define, in a
relevant Account Policy, whether authentication (to Syncope core and
console) is to be checked against one or more of external resources
available.
I just learned that the connid LDAP connector does not support sync, unless
you're using Sun Directory Server Enterprise
Edition? Is this true? Is there no sync possible from LDAP?
In Syncope two types of synchronizations are supported (more info [1]),
full (calling SEARCH on connectors to get all existing accounts /
groups) and incremental (calling SYNC on connectors to get all modified
accounts / groups since previous synchronization).
The former is not as accurate as latter (for example, it cannot identify
any delete on external resource) and also not as efficient (at every
execution the whole content is requested by Syncope).
The ConnId LDAP connector supports actual SYNC operation from former Sun
DSEE (now Oracle DSEE), OpenDS / OpenDJ and Fedora 389 - and at least
the latter is actually Open Source ;-)
About OpenLDAP, there is a long-standing open issue [2] at ConnId about
supporting SYNC - should you be interested in contributing, please join
the discussion at connid-...@googelgroups.com.
Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM system
for my question. It would be nice if Syncope+OpenLDAP+PWM could do this trick
as well ;)
Well, should you succeed with a working setup satisfying the
requirements you have in mind, it would be really nice to host a page on
our wiki under the "How do I...?" section [3].
Regards.
[1] https://cwiki.apache.org/confluence/display/SYNCOPE/Synchronization
[2] https://connid.atlassian.net/browse/LDAP-1
[3]
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=27841983
On 27/10/2014 22:52, Martin van Es wrote:
To answer myself, I thought I could tackle this by setting the
password plaintext in LDAP using PWM (using a plaintext password_hash
rule in slapd) and then sync it to Syncope and have it set by it's
SSHA equivalent while propagating the change back to the directory.
This way, the plaintext password would only exist in LDAP in a small
time window between syncs?
But alas, I just learned that the connid LDAP connector does not
support sync, unless you're using Sun Directory Server Enterprise
Edition? Is this true? Is there no sync possible from LDAP?
Regards,
Martin
On Mon, Oct 27, 2014 at 7:53 PM, Martin van Es <mrva...@gmail.com> wrote:
Hi,
I'd like to use PWM for Password Self-service management, but that
will only let me set passwords for users in an LDAP server.
https://code.google.com/p/pwm/
How would I make (Open)LDAP password leading for all passwords, but
keep Syncope for propagating users (including passwords) to target
applications? Of course, I could make all client applications
authenticate agains LDAP, but that would solve the problem only in
application layer and needs suitable applications. I'm trying to see
if this problem also has a solution in data layer.
This hypothetical excercise would require a 2-way encrypted password
setup between OpenLDAP and Syncope. Is this a possible scenario? Would
PLAINTEXT Passwords in LDAP be the only solution? Maybe changing PWM
so that the password would be AES encrypted into a pwd transport
attribute, which could be picked up by Syncope and propagated to LDAP
and other applications?
Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
system for my question. It would be nice if Syncope+OpenLDAP+PWM could
do this trick as well ;)
Regards,
Martin
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
