Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2013/12/03 17:54:48 UTC

[jira] [Commented] (SYNCOPE-454) Update user without password specification involving resource with "Generate password if missing" enabled, sends password out anyway

    [ https://issues.apache.org/jira/browse/SYNCOPE-454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837895#comment-13837895 ] 

Francesco Chicchiriccò commented on SYNCOPE-454:
------------------------------------------------

Simple code for showing this issue:
{code}
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

// 1. create user with LDAP resource (with 'Generate password if missing' enabled);
//    the sample user carries the password 'password123'
UserTO userTO = getUniqueSampleTO("syncope454@syncope.apache.org");
userTO.getResources().add(RESOURCE_NAME_LDAP);
userTO = createUser(userTO);
assertNotNull(userTO);

// 2. read resource configuration for LDAP binding
ResourceTO ldapRes = resourceService.read(RESOURCE_NAME_LDAP);
Map<String, ConnConfProperty> ldapConnConf = connectorService.read(ldapRes.getConnectorId()).getConfigurationMap();
ConnObjectTO connObject = resourceService.getConnectorObject(RESOURCE_NAME_LDAP, AttributableType.USER, userTO.getId());

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" + ldapConnConf.get("host").getValues().get(0)
  + ":" + ldapConnConf.get("port").getValues().get(0) + "/");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// bind as the DN the connector assigned to the user on the LDAP resource
env.put(Context.SECURITY_PRINCIPAL, connObject.getAttrMap().get("__NAME__").getValues().get(0));
env.put(Context.SECURITY_CREDENTIALS, "password123");

// 3. try (and succeed) to perform simple LDAP binding with provided password ('password123')
new InitialDirContext(env);

// 4. update user without any password change request (username change only)
UserMod userMod = new UserMod();
userMod.setId(userTO.getId());
userMod.setUsername(userTO.getUsername() + "XX");

userService.update(userTO.getId(), userMod);

// 5. try (and fail) to perform simple LDAP binding: password has changed on the resource
//    (the bind throws javax.naming.AuthenticationException, although no password was set in the UserMod)
new InitialDirContext(env);
{code}

> Update user without password specification involving resource with "Generate password if missing" enabled, sends password out anyway
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-454
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-454
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.5
>            Reporter: fabio martelli
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.1.6, 1.2.0
>
>
> When updating an existing user on an external resource with "Generate password if missing" enabled, without explicitly requiring a password update, an autogenerated password is sent by default.
> Of course, this is a WRONG behavior that can cause unexpected failures.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
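The propagation decision behind this report, as an added illustration that is not Syncope's own code: a simplified Python model of a resource with "Generate password if missing" enabled, showing the defective rule (generate a password on every propagation that carries none) beside the corrected one (generate only on create), replayed through the steps above against an in-memory stand-in for the LDAP directory. All names here (GENERATE_IF_MISSING, propagation_attrs, apply_to_directory, original_password_survives_rename) are hypothetical.

```python
import secrets
from typing import Optional

GENERATE_IF_MISSING = True  # the resource's "Generate password if missing" flag (constructed)

def generate_password() -> str:
    return secrets.token_urlsafe(12)

def propagation_attrs(username: Optional[str], password: Optional[str],
                      is_create: bool, fixed: bool) -> dict:
    """Build the attributes pushed to the resource for one create/update request.
    fixed=False: the defective rule, a password is generated whenever the request
    carries none, so a rename alone silently pushes a fresh password.
    fixed=True: generate only on create; an update without a password change
    propagates no password attribute at all."""
    attrs = {}
    if username is not None:
        attrs["__NAME__"] = username
    pwd = password
    if pwd is None and GENERATE_IF_MISSING and (is_create or not fixed):
        pwd = generate_password()
    if pwd is not None:
        attrs["__PASSWORD__"] = pwd
    return attrs

def apply_to_directory(directory: dict, current_name: Optional[str], attrs: dict) -> str:
    """Stand-in for the connector writing to LDAP: directory maps entry name -> password."""
    new_name = attrs.get("__NAME__", current_name)
    pwd = directory.pop(current_name, None)
    directory[new_name] = attrs.get("__PASSWORD__", pwd)
    return new_name

def original_password_survives_rename(fixed: bool) -> bool:
    """Replay SYNCOPE-454: create with 'password123', rename only, then re-bind
    with the original password (a simple bind compares against the stored one)."""
    directory: dict = {}  # constructed in-memory directory, not a real LDAP server
    name = "syncope454@syncope.apache.org"
    name = apply_to_directory(directory, None,
                              propagation_attrs(name, "password123", True, fixed))
    name = apply_to_directory(directory, name,
                              propagation_attrs(name + "XX", None, False, fixed))
    return directory[name] == "password123"

if __name__ == "__main__":
    print("defective rule, bind with original password after rename:",
          original_password_survives_rename(fixed=False))  # False
    print("corrected rule, bind with original password after rename:",
          original_password_survives_rename(fixed=True))   # True
```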