Posted to user@syncope.apache.org by Henri44 <hh...@sysconsult.de> on 2020/09/27 20:44:14 UTC

Apple's OpenDirectory

Hi, 

any way to attach Apple's OD? The LDAP Connector works well so far, but the
password is not stored in the LDAP schema. So the pull function gets an
"org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException:
User [InvalidPassword]".
To retrieve the password, the key of the password server is stored in
"authAuthority" and to get the hash a "mkpassdb -dump id" from root is
necessary. For sure, a Kerberos solution would be better, or even not to
retrieve the password, just to prompt for a new one.

Thanks 

Henri 

P.S. Unfortunately the AD connector does not work. 


--
Sent from: http://syncope-user.1051894.n5.nabble.com/

Re: Apple's OpenDirectory

Posted by Henri44 <hh...@sysconsult.de>.
Hi Francesco,

thanks a lot, I added the JAVA_OPTS truststore option to ./bin/setenv.sh, it
works now.
I now have some difficulties with the user/group assignment from AD and
OpenDirectory.

13:43:48.675 DEBUG
org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions
- Object for 'diradmin' not found

Thank you very much in advance, as always

Henri

13:43:48.608 DEBUG
org.apache.syncope.core.provisioning.api.propagation.PropagationManager -
With virtual attributes JPAUser[32f1543b-e0e9-45fb-b154-3be0e945fb0f]:
To be Created: [];
To be Updated: [];
To be Deleted: [];
Old connObjectKeys: {}
{}
13:43:48.613 DEBUG
org.apache.syncope.core.provisioning.api.propagation.PropagationTaskExecutor
- Propagation tasks sorted by priority, for serial execution: []
13:43:48.613 DEBUG
org.apache.syncope.core.provisioning.api.propagation.PropagationTaskExecutor
- Propagation tasks for concurrent execution: []
13:43:48.675 DEBUG
org.apache.syncope.core.provisioning.java.pushpull.LDAPMembershipPullActions
- Object for 'diradmin' not found
13:43:48.675 DEBUG
org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler -
USER PullMatch{matchTarget=ANY,
any=JPAUser[32f1543b-e0e9-45fb-b154-3be0e945fb0f], linkedAccount=null}
successfully updated
13:43:48.676 DEBUG
org.apache.syncope.core.provisioning.api.notification.NotificationManager -
Search notification for
[JPAAnyType[USER]]JPAUser[32f1543b-e0e9-45fb-b154-3be0e945fb0f]
13:43:48.681 DEBUG
org.apache.syncope.core.provisioning.api.notification.NotificationManager -
No events found about JPAUser[32f1543b-e0e9-45fb-b154-3be0e945fb0f]
13:43:48.681 DEBUG
org.apache.syncope.core.provisioning.api.notification.NotificationManager -
Notification about JPAAnyType[USER] defined: token!=$null
13:43:48.681 DEBUG
org.apache.syncope.core.provisioning.api.notification.NotificationManager -
No events found about JPAUser[32f1543b-e0e9-45fb-b154-3be0e945fb0f]
13:43:48.735 DEBUG
org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler -
Successfully handled {Uid=Attribute: {Name=__UID__, Value=[diradmin]},
ObjectClass=ObjectClass: __ACCOUNT__, DeltaType=CREATE_OR_UPDATE,
Token=SyncToken: , Object={Uid=Attribute: {Name=__UID__, Value=[diradmin]},
ObjectClass=ObjectClass: __ACCOUNT__, Attributes=[Attribute:
{Name=__PASSWORD__,
Value=[org.identityconnectors.common.security.GuardedString@204e249b]},
Attribute: {Name=cn, Value=[Directory Administrator]}, Attribute:
{Name=__UID__, Value=[diradmin]}, Attribute: {Name=__ENABLE__, Value=[]},
Attribute: {Name=gidNumber, Value=[20]}, Attribute: {Name=jpegPhoto,
Value=[[B@735cca7f]}, Attribute: {Name=uid, Value=[diradmin]}, Attribute:
{Name=loginShell, Value=[/bin/tcsh]}, Attribute: {Name=mail, Value=[]},
Attribute: {Name=apple-user-homequota, Value=[]}, Attribute: {Name=__NAME__,
Value=[uid=diradmin,cn=users,dc=macp,dc=de]}, Attribute: {Name=sn,
Value=[Administrator]}, Attribute: {Name=uidNumber, Value=[1000]},
Attribute: {Name=givenName, Value=[Directory]}], Name=Attribute:
{Name=__NAME__, Value=[uid=diradmin,cn=users,dc=macp,dc=de]}},
PreviousUid=null}



Re: Apple's OpenDirectory

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 30/09/20 11:16, Henri44 wrote:
> Sorry, the LDAPS question is still open, I misclicked somewhat...

To solve this you should simply import the LDAPS certificate (or the CA certificate that signed the LDAPS certificate) into the configured trust store for Tomcat, or even into JDK's cacerts.

HTH
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
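The trust store step Francesco describes above is the one Henri later reports as the fix ("I added the JAVA_OPTS truststore option to ./bin/setenv.sh"). Note that the SSLHostConfig block posted further down in the thread configures the certificate Tomcat presents for inbound HTTPS; the outbound LDAPS connection opened by the ConnId LDAP connector is instead validated against the JVM's trust store (the one given by javax.net.ssl.trustStore, or cacerts by default). The POSIX sh script below is an added example and is not from the thread, Syncope or Tomcat: it fetches the top of the chain presented by the LDAPS server, imports it with keytool into a dedicated trust store, and appends the matching JAVA_OPTS line to setenv.sh. The paths, alias, store password, and the LDAPS_HOST/CATALINA_BASE variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Syncope project): build a dedicated
# JVM trust store for the outbound LDAPS connection used by the ConnId LDAP
# connector and point Tomcat at it through JAVA_OPTS in bin/setenv.sh.
# Every path, alias and host name below is an assumption.
set -eu

TRUSTSTORE="${TRUSTSTORE:-/opt/tomcat/conf/ldaps-truststore.p12}"  # assumed path
STORETYPE="PKCS12"
STOREPASS="${STOREPASS:-changeit}"                                  # assumed; needed to write the store

# Print the JVM options that make JSSE clients trust store $1 of type $2.
# No trustStorePassword is emitted on purpose: the JVM reads a trust store
# without it, and command-line options are visible to every local user via ps.
truststore_java_opts() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStoreType=$2"
}

# Append a JAVA_OPTS line carrying options $2 to the setenv.sh at $1
# (created if absent). Added only once, so re-running is idempotent.
write_setenv() {
    [ -f "$1" ] || printf '#!/bin/sh\n' > "$1"
    if ! grep -q 'javax.net.ssl.trustStore=' "$1"; then
        printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$2" >> "$1"
    fi
}

# Save the last certificate of the chain presented by host $1 on port 636 to
# PEM file $2. That is the issuing (or highest presented) CA, which is worth
# trusting long-term; if the server sends only its leaf, the leaf is saved and
# the import has to be repeated whenever that certificate rotates.
fetch_chain_top() {
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
               keep { buf = buf $0 "\n" }
               /-----END CERTIFICATE-----/ { keep = 0; last = buf }
               END { printf "%s", last }' > "$2"
    [ -s "$2" ]
}

# Import PEM file $2 under alias $1; -trustcacerts also lets keytool consult
# the JDK cacerts when building the chain for the imported certificate.
import_ca_cert() {
    keytool -importcert -noprompt -trustcacerts \
        -alias "$1" -file "$2" \
        -keystore "$TRUSTSTORE" -storetype "$STORETYPE" -storepass "$STOREPASS"
}

# List the store so the operator can compare the fingerprint with the CA's
# published one before restarting Tomcat.
list_truststore() {
    keytool -list -keystore "$TRUSTSTORE" -storetype "$STORETYPE" -storepass "$STOREPASS"
}

# Runs end-to-end only when an LDAPS host is given, e.g.
#   LDAPS_HOST=ldap.example.internal sh ldaps-trust.sh
if [ -n "${LDAPS_HOST:-}" ]; then
    tmp_pem=$(mktemp)
    fetch_chain_top "$LDAPS_HOST" "$tmp_pem"
    import_ca_cert "ldaps-ca" "$tmp_pem"
    rm -f "$tmp_pem"
    write_setenv "${CATALINA_BASE:-/opt/tomcat}/bin/setenv.sh" \
        "$(truststore_java_opts "$TRUSTSTORE" "$STORETYPE")"
    list_truststore
fi
```

A dedicated store is preferred over editing the JDK's cacerts because a JDK upgrade replaces cacerts silently, while a file under conf/ survives and is easy to audit; the trade-off is that javax.net.ssl.trustStore replaces cacerts entirely, so any other CA the JVM must trust (for example for outbound HTTPS to another service) has to be imported into the same file.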


Re: Apple's OpenDirectory

Posted by Henri44 <hh...@sysconsult.de>.
Sorry, the LDAPS question is still open, I misclicked somewhat...

Thanks

Henri


Re: Apple's OpenDirectory

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 30/09/20 09:43, Henri44 wrote:
> Hi Francesco,
>
> I fixed it in the meantime, thanks, will now try the password stuff.

Glad to hear this!

Regards.



Re: Apple's OpenDirectory

Posted by Henri44 <hh...@sysconsult.de>.
Hi Francesco,

I fixed it in the meantime, thanks, will now try the password stuff.

Henri


Re: Apple's OpenDirectory

Posted by Henri44 <hh...@sysconsult.de>.
Hi Francesco,

thanks a lot for your reply. I could fix this issue at the moment by
accepting "null" passwords in the policy. Next question, sorry for that. I
trusted the LDAP SSL certificate of the server and our CA in Tomcat, which
works fine, how to trust the "trustcacerts" for the LDAP SSL connection?

Thanks 

Henri

        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/iam.key"
                         certificateFile="conf/iam.crt"
                         certificateChainFile="conf/trustcacerts"
                         type="RSA" />
        </SSLHostConfig>


Btw, some words on OD: all physical devices here are Apple units, the
servers are running VMware 6.7/7.0, with macOS Server and Terminal server (a
Mac Pro 7,1, rack mounted), a lot of Linuxes (Ubuntu, Debian, CentOS, RHEL)
and 3 Win2016 VMs (which host almost only very unimportant stuff, the exception
is Veeam). So we never had the need for an AD and don't use it (and I don't
like/trust MS - even before CVE-2020-1472). So to add AD functionality, I
installed Univention's AD (which is a synced Samba4 AD with OpenLDAP). So
the simplest way to support both is to add Syncope to bring both worlds in
sync. Then we can fix the remaining 10%, which are not OD compatible.






Re: Apple's OpenDirectory

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 27/09/20 22:44, Henri44 wrote:
> Hi, 
>
> any way to attach Apple's OD? The LDAP Connector works well so far, but the
> password is not stored in the LDAP schema. So the pull function gets an
> "org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException:
> User [InvalidPassword]".
> To retrieve the password, the key of the password server is stored in
> "authAuthority" and to get the hash a "mkpassdb -dump id" from root is
> necessary. For sure, a Kerberos solution would be better, or even not to
> retrieve the password, just to prompt for a new one.
>
> Thanks 
>
> Henri 
>
> P.S. Unfortunately the AD connector does not work. 

Hi Henri,
honestly, this is the very first time I hear someone attempting to integrate Syncope with Apple OD; nevertheless, I've just learned that it is "built around OpenLDAP" [1] and this explains quite well how you could successfully set up the ConnId LDAP connector for it, but not the AD connector.

About password retrieval, I think you could give a spin to the OTB LDAPPasswordPullActions. In case this does not work, according to what you write above, it seems you will either need to inject some custom logic into the pull process [2] or to build a whole different strategy around Kerberos.

HTH
Regards.

[1] https://images.apple.com/server/docs/Open_Directory_TB_v10.4.pdf
[2] http://syncope.apache.org/docs/2.1/reference-guide.html#pullactions
