Hi

Inline reply

On 29/05/20 14:57, PortalGuard wrote:
Hello Everyone,

This is my first ever post on any forum so please excuse any mistakes or
faux pas.

Currently, I am able to create an account in AD when a password is set for
that user in Syncope, but I am unable to create an account in AD if a
password is not set. I figured using the 'Generate Random passwords when
missing' feature for an Active Directory resource would resolve this issue
but so far I am unable to create an account. Below is the error I am
receiving when attempting to create an account in AD without a password and
with the 'Generate Random Password when missing feature' enabled:

"Users failed to create: CREATE FAILURE (key/name):
aa44b786-9089-43ab-84b7-86908913aba2/testaccount with message:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'CN=testaccount,CN=Users,DC=Hyrule,DC=int'
  Cause: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A1236, problem 5003
(WILL_NOT_PERFORM), data 0"

I suggest you look at exactly what Syncope sends to the AD resource. So I ask you to check the core-connid logs or the propagation task that has been generated.

If there is a password in the propagation task, it means that the generated password doesn't reflect the Password Policy present on Active Directory. My suggestion is to add a password policy on Syncope, so that the generated password is correct.

Usually if you propagate a user without a password, the user on Active Directory is correctly created but is disabled.

Please check the logs and try to add a password policy.

Regards
Marco


Here are the configs for my AD Connector and Resource.

Connector:

{
   "key" : "79e9e401-214c-4647-a9e4-01214c56475c",
   "adminRealm" : "/",
   "location" : "file:/opt/syncope/bundles/",
   "connectorName" : "net.tirasa.connid.bundles.ad.ADConnector",
   "bundleName" : "net.tirasa.connid.bundles.ad",
   "version" : "1.3.6",
   "displayName" : "Hyrule AD",
   "connRequestTimeout" : 10,
   "poolConf" : null,
   "conf" : [ {
     "schema" : {
       "name" : "host",
       "displayName" : "Server hostname",
       "helpMessage" : "Insert hostname",
       "type" : "java.lang.String",
       "required" : true,
       "order" : 1,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "DEV2019.Hyrule.int" ]
   }, {
     "schema" : {
       "name" : "ssl",
       "displayName" : "SSL",
       "helpMessage" : "User SSL to perform password provisioning",
       "type" : "boolean",
       "required" : false,
       "order" : 1,
       "confidential" : false,
       "defaultValues" : [ true ]
     },
     "overridable" : false,
     "values" : [ true ]
   }, {
     "schema" : {
       "name" : "memberships",
       "displayName" : "Memberships",
       "helpMessage" : "Specify memberships",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 1,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ ]
   }, {
     "schema" : {
       "name" : "retrieveDeletedUser",
       "displayName" : "Retrieve deleted users",
       "helpMessage" : "Specify TRUE to retrieve deleted users also. The default is \"true\".",
       "type" : "boolean",
       "required" : false,
       "order" : 2,
       "confidential" : false,
       "defaultValues" : [ true ]
     },
     "overridable" : false,
     "values" : [ true ]
   }, {
     "schema" : {
       "name" : "port",
       "displayName" : "Server port",
       "helpMessage" : "Insert port. The default is 636.",
       "type" : "int",
       "required" : false,
       "order" : 2,
       "confidential" : false,
       "defaultValues" : [ 636 ]
     },
     "overridable" : false,
     "values" : [ "636" ]
   }, {
     "schema" : {
       "name" : "retrieveDeletedGroup",
       "displayName" : "Retrieve deleted groups",
       "helpMessage" : "Specify TRUE to retrieve deleted groups also",
       "type" : "boolean",
       "required" : false,
       "order" : 3,
       "confidential" : false,
       "defaultValues" : [ true ]
     },
     "overridable" : false,
     "values" : [ true ]
   }, {
     "schema" : {
       "name" : "trustAllCerts",
       "displayName" : "Trust all certs",
       "helpMessage" : "Specify TRUE to trust all certs. The default is \"false\".",
       "type" : "boolean",
       "required" : false,
       "order" : 4,
       "confidential" : false,
       "defaultValues" : [ false ]
     },
     "overridable" : false,
     "values" : [ "true" ]
   }, {
     "schema" : {
       "name" : "failover",
       "displayName" : "Failover",
       "helpMessage" : "Failover host:port",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 4,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ ]
   }, {
     "schema" : {
       "name" : "principal",
       "displayName" : "Principal",
       "helpMessage" : "Insert DN of a user with administration capabilities",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 5,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "CN=Administrator,CN=Users,DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "membershipsInOr",
       "displayName" : "Verify memberships in OR",
       "helpMessage" : "Specify TRUE if you want to verify memberships using OR logical operator. The default is \"false\".",
       "type" : "boolean",
       "required" : false,
       "order" : 5,
       "confidential" : false,
       "defaultValues" : [ false ]
     },
     "overridable" : false,
     "values" : [ false ]
   }, {
     "schema" : {
       "name" : "credentials",
       "displayName" : "Principal password",
       "helpMessage" : "Insert password for administrator",
       "type" : "org.identityconnectors.common.security.GuardedString",
       "required" : false,
       "order" : 6,
       "confidential" : true,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "GenPW123!" ]
   }, {
     "schema" : {
       "name" : "baseContextsToSynchronize",
       "displayName" : "Root suffixes",
       "helpMessage" : "Insert root suffixes",
       "type" : "[Ljava.lang.String;",
       "required" : true,
       "order" : 6,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "defaultPeopleContainer",
       "displayName" : "Default people container",
       "helpMessage" : "Default people container to be used in case of entry DN is not provided",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 7,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "CN=Users,DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "defaultGroupContainer",
       "displayName" : "Default group container",
       "helpMessage" : "Default group container to be used in case of entry DN is not provided",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 8,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "CN=Goups,DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "accountObjectClasses",
       "displayName" : "Entry object classes",
       "helpMessage" : "Insert object classes to assign to managed entries",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 9,
       "confidential" : false,
       "defaultValues" : [ "top", "person", "organizationalPerson", "inetOrgPerson" ]
     },
     "overridable" : false,
     "values" : [ "top", "person", "organizationalPerson", "inetOrgPerson", "OrganizationalUnit" ]
   }, {
     "schema" : {
       "name" : "userSearchScope",
       "displayName" : "User search scope",
       "helpMessage" : "Choose object, onlevel or subtree",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 9,
       "confidential" : false,
       "defaultValues" : [ "subtree" ]
     },
     "overridable" : false,
     "values" : [ "subtree" ]
   }, {
     "schema" : {
       "name" : "groupSearchScope",
       "displayName" : "Group search scope",
       "helpMessage" : "Choose object, onlevel or subtree",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 10,
       "confidential" : false,
       "defaultValues" : [ "subtree" ]
     },
     "overridable" : false,
     "values" : [ "subtree" ]
   }, {
     "schema" : {
       "name" : "accountSearchFilter",
       "displayName" : "Custom user search filter",
       "helpMessage" : "Custom user search filter",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 11,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ ]
   }, {
     "schema" : {
       "name" : "groupSearchFilter",
       "displayName" : "Custom group search filter",
       "helpMessage" : "Custom group search filter",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 11,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ ]
   }, {
     "schema" : {
       "name" : "groupBaseContexts",
       "displayName" : "Base contexts for group entry searches",
       "helpMessage" : "DN of context to be used as starting point for group entry searches",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 12,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "CN=Groups,DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "userBaseContexts",
       "displayName" : "Base contexts for user entry searches",
       "helpMessage" : "DN of context to be used as starting point for user entry searches",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 13,
       "confidential" : false,
       "defaultValues" : [ ]
     },
     "overridable" : false,
     "values" : [ "CN=Users,DC=Hyrule,DC=int" ]
   }, {
     "schema" : {
       "name" : "groupMemberReferenceAttribute",
       "displayName" : "Group members reference attribute ",
       "helpMessage" : "Group attribute referencing (by DN) the users members of a group",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 14,
       "confidential" : false,
       "defaultValues" : [ "member" ]
     },
     "overridable" : false,
     "values" : [ "member" ]
   }, {
     "schema" : {
       "name" : "groupOwnerReferenceAttribute",
       "displayName" : "Group owner reference attribute",
       "helpMessage" : "Group attribute name referencing (by DN) the owner",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 15,
       "confidential" : false,
       "defaultValues" : [ "managedBy" ]
     },
     "overridable" : false,
     "values" : [ "managedBy" ]
   }, {
     "schema" : {
       "name" : "pwdUpdateOnly",
       "displayName" : "Permit password update only",
       "helpMessage" : "Specify TRUE if you want to permit password update only: create/delete operation will be denied while other attributes update requests will be ignored.",
       "type" : "boolean",
       "required" : true,
       "order" : 17,
       "confidential" : false,
       "defaultValues" : [ false ]
     },
     "overridable" : false,
     "values" : [ false ]
   }, {
     "schema" : {
       "name" : "membershipConservativePolicy",
       "displayName" : "Conservative membership policy",
       "helpMessage" : "Conservative managing and assignment of groups to user. The groups already assigned will not be removed.",
       "type" : "boolean",
       "required" : false,
       "order" : 18,
       "confidential" : false,
       "defaultValues" : [ false ]
     },
     "overridable" : false,
     "values" : [ false ]
   }, {
     "schema" : {
       "name" : "defaultIdAttribute",
       "displayName" : "Default Uid",
       "helpMessage" : "The name of the attribute which is mapped to the id attribute in case of object different from account and group. Default is \"cn\".",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 19,
       "confidential" : false,
       "defaultValues" : [ "cn" ]
     },
     "overridable" : false,
     "values" : [ "cn" ]
   }, {
     "schema" : {
       "name" : "uidAttribute",
       "displayName" : "Uid Attribute",
       "helpMessage" : "The name of the attribute which is mapped to the Uid attribute. Default is \"sAMAccountName\".",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 21,
       "confidential" : false,
       "defaultValues" : [ "sAMAccountName" ]
     },
     "overridable" : false,
     "values" : [ "cn" ]
   }, {
     "schema" : {
       "name" : "gidAttribute",
       "displayName" : "Uid Attribute for groups",
       "helpMessage" : "The name of the attribute which is mapped to the Uid attribute for groups. Default is \"sAMAccountName\".",
       "type" : "java.lang.String",
       "required" : false,
       "order" : 22,
       "confidential" : false,
       "defaultValues" : [ "sAMAccountName" ]
     },
     "overridable" : false,
     "values" : [ "sAMAccountName" ]
   }, {
     "schema" : {
       "name" : "objectClassesToSynchronize",
       "displayName" : "Object classes to synchronize",
       "helpMessage" : "Specify object classes to identify entry to synchronize",
       "type" : "[Ljava.lang.String;",
       "required" : false,
       "order" : 25,
       "confidential" : false,
       "defaultValues" : [ "user" ]
     },
     "overridable" : false,
     "values" : [ "user", "OrganizationalUnit" ]
   } ],
   "capabilities" : [ "SEARCH", "AUTHENTICATE", "UPDATE", "CREATE", "DELETE", "SYNC" ]
}



Resource:
{
   "key" : "AD Resource",
   "connector" : "79e9e401-214c-4647-a9e4-01214c56475c",
   "connectorDisplayName" : "Hyrule AD",
   "orgUnit" : null,
   "propagationPriority" : 1,
   "randomPwdIfNotProvided" : true,
   "enforceMandatoryCondition" : true,
   "createTraceLevel" : "ALL",
   "updateTraceLevel" : "ALL",
   "deleteTraceLevel" : "ALL",
   "provisioningTraceLevel" : "ALL",
   "passwordPolicy" : null,
   "accountPolicy" : null,
   "pullPolicy" : null,
   "pushPolicy" : null,
   "overrideCapabilities" : false,
   "provisions" : [ {
     "key" : "5a2f4235-2fc1-4b10-af42-352fc12b1097",
     "anyType" : "GROUP",
     "objectClass" : "__GROUP__",
     "syncToken" : null,
     "ignoreCaseMatch" : true,
     "uidOnCreate" : null,
     "mapping" : {
       "connObjectLink" : "\"cn=\"+name+\",OU=Groups,DC=Hyrule,DC=int\"",
       "connObjectKeyItem" : {
         "key" : "3cebbf86-5482-4127-abbf-86548261270c",
         "intAttrName" : "name",
         "extAttrName" : "sAMAccountName",
         "connObjectKey" : true,
         "password" : false,
         "mandatoryCondition" : "true",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       },
       "items" : [ {
         "key" : "25808e6c-edb6-475b-808e-6cedb6c75b89",
         "intAttrName" : "name",
         "extAttrName" : "description",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "3cebbf86-5482-4127-abbf-86548261270c",
         "intAttrName" : "name",
         "extAttrName" : "sAMAccountName",
         "connObjectKey" : true,
         "password" : false,
         "mandatoryCondition" : "true",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "674b9738-8fc4-46b1-8b97-388fc4d6b187",
         "intAttrName" : "name",
         "extAttrName" : "cn",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "f70b1210-79ae-47d3-8b12-1079ae47d36f",
         "intAttrName" : "name",
         "extAttrName" : "sAMAccountNAme",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       } ],
       "linkingItems" : [ ]
     },
     "auxClasses" : [ ],
     "virSchemas" : [ ]
   }, {
     "key" : "93de39d6-b2ca-4d4c-9e39-d6b2cafd4c66",
     "anyType" : "USER",
     "objectClass" : "__ACCOUNT__",
     "syncToken" : null,
     "ignoreCaseMatch" : true,
     "uidOnCreate" : null,
     "mapping" : {
       "connObjectLink" : "\"CN=\"+username+\",CN=Users,DC=Hyrule,DC=int\"",
       "connObjectKeyItem" : {
         "key" : "c35d1ea1-e6f3-41ab-9d1e-a1e6f3e1ab65",
         "intAttrName" : "username",
         "extAttrName" : "sAMAccountName",
         "connObjectKey" : true,
         "password" : false,
         "mandatoryCondition" : "true",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       },
       "items" : [ {
         "key" : "2c6e565f-2ecf-4007-ae56-5f2ecf30073a",
         "intAttrName" : "email",
         "extAttrName" : "mail",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "7a58c0a4-b85a-4696-98c0-a4b85a269656",
         "intAttrName" : "password",
         "extAttrName" : "__PASSWORD__",
         "connObjectKey" : false,
         "password" : true,
         "mandatoryCondition" : "true",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "7e46a17e-186b-499f-86a1-7e186bc99f66",
         "intAttrName" : "AD_UPN",
         "extAttrName" : "userprincipalname",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "PROPAGATION",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       }, {
         "key" : "c35d1ea1-e6f3-41ab-9d1e-a1e6f3e1ab65",
         "intAttrName" : "username",
         "extAttrName" : "sAMAccountName",
         "connObjectKey" : true,
         "password" : false,
         "mandatoryCondition" : "true",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       } ],
       "linkingItems" : [ {
         "key" : null,
         "intAttrName" : "UPN",
         "extAttrName" : "userPrincipalName",
         "connObjectKey" : false,
         "password" : false,
         "mandatoryCondition" : "false",
         "purpose" : "BOTH",
         "propagationJEXLTransformer" : null,
         "pullJEXLTransformer" : null,
         "transformers" : [ ]
       } ]
     },
     "auxClasses" : [ ],
     "virSchemas" : [ "UPN" ]
   } ],
   "confOverride" : [ ],
   "capabilitiesOverride" : [ "SEARCH", "AUTHENTICATE", "UPDATE", "CREATE", "DELETE", "SYNC" ],
   "propagationActions" : [ "LDAPMembershipPropogationActions" ]
}

--
Sent from: http://syncope-user.1051894.n5.nabble.com/

--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
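Added example, not part of this thread and not Syncope's or the AD connector's code: the WILL_NOT_PERFORM error quoted above carries the Windows system error 0000052D, which is ERROR_PASSWORD_RESTRICTION (1325), i.e. the domain controller rejected the password the connector supplied. The script below shows the checks a Syncope password policy for an AD resource needs to encode so that a generated password is accepted: the Windows "Password must meet complexity requirements" rules (minimum length, three of the four character classes, no sAMAccountName and no displayName token of three or more characters inside the password). The names `complexity_violations`, `generate_compliant_password` and `windows_error_name` are assumptions made here; the minimum length of 7 is the Default Domain Policy value and should be replaced by the real domain setting; the Unicode fifth character class is deliberately ignored; the sample error string is the one from the original post.

```python
import re
import secrets
import string

# Character classes counted by the Windows "Password must meet complexity
# requirements" rule. Alphabetic Unicode characters outside A-Z/a-z form a
# fifth class on Windows; this example (an assumption, kept simple) ignores it.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Delimiters Windows uses to split displayName into tokens before checking
# whether any token of 3+ characters occurs in the password.
_DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]")

# Subset of Windows system error codes that show up in AD LDAP diagnostic
# strings as "XXXXXXXX: SvcErr" / "XXXXXXXX: LdapErr" (values are certain;
# the list is intentionally short).
_WIN_ERRORS = {
    0x52D: "ERROR_PASSWORD_RESTRICTION",
    0x52E: "ERROR_LOGON_FAILURE",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}


def complexity_violations(password, sam_account_name, display_name="", min_length=7):
    """Return the AD complexity rules the password breaks (empty list = accepted).

    min_length=7 is the Default Domain Policy value (assumption); pass the
    actual minimum configured on the domain if it differs.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = sum(
        1 for cls in (UPPER, LOWER, DIGIT, SPECIAL) if any(c in cls for c in password)
    )
    if classes < 3:
        problems.append(f"only {classes} of the required 3 character classes")

    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        problems.append("contains the sAMAccountName")

    for token in _DISPLAY_NAME_DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains displayName token '{token}'")

    return problems


def generate_compliant_password(sam_account_name, display_name="", length=16):
    """Draw random passwords with the secrets module until one passes the checks.

    This stands in for Syncope's own generator under a password policy; the
    point is that generation without policy checks is what produces 0x52D.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_+="
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not complexity_violations(candidate, sam_account_name, display_name):
            return candidate


def windows_error_name(ldap_message):
    """Map the 8-hex-digit Windows error embedded in an AD LDAP error to its name."""
    match = re.search(r"\b([0-9A-Fa-f]{8}):\s*(?:SvcErr|LdapErr)", ldap_message)
    if not match:
        return None
    return _WIN_ERRORS.get(int(match.group(1), 16), "UNKNOWN")


# Error text taken from the original post in this thread.
SAMPLE_ERROR = (
    "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
    "0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0]"
)

if __name__ == "__main__":
    print(windows_error_name(SAMPLE_ERROR))
    for pwd in ("abcdefgh", "Testaccount1!", "Zl!9xQ7mPw2#"):
        print(pwd, complexity_violations(pwd, "testaccount", "Test Account") or "OK")
    print(generate_compliant_password("testaccount", "Test Account"))
```

Running it against the quoted error string yields ERROR_PASSWORD_RESTRICTION, which is why Marco's advice is to inspect the propagation task and to attach a Syncope password policy to the resource: the policy must require at least the length and character-class mix above, or the randomly generated value will keep being refused by the domain controller.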
