Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2014/06/06 18:12:02 UTC

[jira] [Comment Edited] (SYNCOPE-313) Support synchronizing non-cleartext passwords from external resources

    [ https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14019973#comment-14019973 ] 

Francesco Chicchiriccò edited comment on SYNCOPE-313 at 6/6/14 4:11 PM:
------------------------------------------------------------------------

I was more thinking that a possible way to implement this feature was to provide specific synchronization actions for relevant connectors (say LDAP and DBTable) so that the technology-specific handling could have been coded in there.

The {{LDAPPasswordSynchronizationAction}} could parse the password value from connector (say "{SSHA}jkdsfjlksdjfklsdjfkjsdflsdjkfdslfsdkjfk"), check that {{SSHA}} is supported by Syncope and then directly set the encoded value into {{SyncopeUser}} (this is currently not possible).

The {{DBPasswordSynchronizationAction}} could look at the connector configuration (the "Password cipher algorithm" parameter - see https://connid.atlassian.net/wiki/display/BASE/Database+Table) and then directly set the encoded value into {{SyncopeUser}} (this is currently not possible).

WDYT?


was (Author: ilgrosso):
I was more thinking that a possible way to implement this feature was to provide specific synchronization actions for relevant connectors (say LDAP and DBTable) so that the technology-specific handling could have been coded in there.

The {{LDAPPasswordSynchronizationAction}} could parse the password value from connector (say {{"{SSHA}jkdsfjlksdjfklsdjfkjsdflsdjkfdslfsdkjfk"}}), check that {{SSHA}} is supported by Syncope and then directly set the encoded value into {{SyncopeUser}} (this is currently not possible).

The {{DBPasswordSynchronizationAction}} could look at the connector configuration (the "Password cipher algorithm" parameter - see https://connid.atlassian.net/wiki/display/BASE/Database+Table) and then directly set the encoded value into {{SyncopeUser}} (this is currently not possible).

WDYT?

> Support synchronizing non-cleartext passwords from external resources
> ---------------------------------------------------------------------
>
>                 Key: SYNCOPE-313
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-313
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> Currently we can synchronize cleartext passwords from external resources. However, we can't handle non-cleartext passwords, as they get treated as if they are plaintext passwords when imported into Syncope, and hence hashed again according to user.cipherAlgorithm().
> This task is to treat an imported password as hashed according to a given cipher algorithm configured on the connector (for example via 'Password Cipher Algorithm' for the DB Connector).
> This is specific to each individual connector, as for example for the DB Connector, it might just be a hashed value stored in a table, whereas for LDAP it'll be of the form "{CIPHER}VALUE" etc.
> Note that we cannot refer to any specific connector bundle from inside the SyncopeSyncResultHandler, hence we should find the cleanest place to encapsulate the following logic:
> if (password.isClearText()) {
>   // do as currently done
> } else {
>   if (connector.isLDAP()) {
>     // extract cipher and value
>   } else if (connector.isDBTable()) {
>     // treat value as ciphered with the cipher defined in connector configuration
>   } else {
>     ...
>   }
> }



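An added example, not part of the original thread and not Syncope code: one way the LDAP-side parsing described in the comment could look, splitting a "{SSHA}" value into scheme, digest and salt so it can be stored and verified as-is instead of being hashed a second time. The record name LdapPasswordValue, the SUPPORTED set and the sample password and salt are assumptions constructed for illustration (Java 16+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

public record LdapPasswordValue(String scheme, byte[] digest, byte[] salt) {
    // Assumption: schemes the importing side can verify (not Syncope's actual list).
    static final Set<String> SUPPORTED = Set.of("SHA", "SSHA");
    static final int SHA1_LEN = 20;
    // Splits "{SCHEME}base64(digest + salt)"; rejects values that must not be stored as a hash.
    static LdapPasswordValue parse(String value) {
        int close = value.indexOf('}');
        if (!value.startsWith("{") || close < 2) {
            throw new IllegalArgumentException("no {SCHEME} prefix, value is not a hash");
        }
        String scheme = value.substring(1, close).toUpperCase(Locale.ROOT);
        if (!SUPPORTED.contains(scheme)) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        byte[] raw = Base64.getDecoder().decode(value.substring(close + 1));
        if (raw.length < SHA1_LEN || (scheme.equals("SHA") && raw.length != SHA1_LEN)) {
            throw new IllegalArgumentException("bad length for " + scheme);
        }
        return new LdapPasswordValue(scheme, Arrays.copyOfRange(raw, 0, SHA1_LEN),
                Arrays.copyOfRange(raw, SHA1_LEN, raw.length));
    }

    // Verifies a login attempt against the imported hash, reusing the stored salt.
    boolean matches(String candidate) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(candidate.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        return MessageDigest.isEqual(md.digest(), digest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: SHA-1("s3cret" + salt) followed by the 4-byte salt.
        byte[] salt = {1, 2, 3, 4};
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update("s3cret".getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] raw = Arrays.copyOf(md.digest(), SHA1_LEN + salt.length);
        System.arraycopy(salt, 0, raw, SHA1_LEN, salt.length);
        LdapPasswordValue pv = parse("{SSHA}" + Base64.getEncoder().encodeToString(raw));
        System.out.println(pv.scheme() + " " + pv.matches("s3cret") + " " + pv.matches("wrong"));
    }
}
```

Rejecting unknown schemes at import time matters because a hash stored under a scheme the verifier cannot reproduce would silently lock the account out.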