Posted to user@syncope.apache.org by dm...@gmail.com, dm...@gmail.com on 2019/01/30 11:19:01 UTC

changePwdDate and passwordNeverExpires fields issue

Hi guys.
We're using Apache Syncope 2.0.12.

Currently, we're starting to implement customization in Syncope Core to enforce the already created users to change their passwords if password lifetime expired. The password lifetime is a domain-specific value in our case. And we're planning to store it in our custom implementation of @org.apache.syncope.common.lib.policy.AbstractPasswordRuleConf@

The plan is to implement Password Expiry Scheduled Task by analogy as mentioned here https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+a+PasswordExpirationJob. What we want to achieve is to propagate the @mustChangePassword@ field in AD as well, but first, we need to find all the users, whose password should be updated, correctly. In the example above you provided the following query "SELECT id FROM SyncopeUser WHERE changePwdDate < ?1".

What we noticed is that the @changePwdDate@ field is not initialized when we create a new user with a specified password in Apache Syncope. What is the reason the logic is implemented in such a way?
Currently, @changePwdDate@ field is updated only when UserTO object is updated.
Can we also init changePwdDate when we create a user and specify the password by adding this line? https://github.com/apache/syncope/blob/d3b81598d63a04132e271fbc75a964aa48f39e7f/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java#L171
```java
	user.setChangePwdDate(new Date());
```

Also AD supports the "passwordNeverExpires" flag. For this purpose we would like to add a new "passwordNeverExpires" field in org.apache.syncope.core.persistence.jpa.entity.user.JPAUser model.
We want to have this field to exclude users which have "passwordNeverExpires" set to @true@ from the Password Expiry Scheduled Task. Do you see any sense in having this field in the code of Apache Syncope as well (as a part of the JPAUser entity and then as a part of the UserTO object)? Can this field be applied to other types of net.tirasa.connid connectors?

Kind Regards,
Dmitriy Brashevets


Re: changePwdDate and passwordNeverExpires fields issue

Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi,
I have seen you opened

https://github.com/apache/syncope/pull/95

for the changes discussed below; see my replies inline.

Regards.

On 2019-01-30 12:19 dmitriybrashevets@gmail.com wrote:
> Hi guys.
> We're using Apache Syncope 2.0.12.
> 
> Currently, we're starting to implement customization in Syncope Core
> to enforce the already created users to change their passwords if
> password lifetime expired. The password lifetime is a domain-specific
> value in our case. And we're planning to store it in our custom
> implementation of
> @org.apache.syncope.common.lib.policy.AbstractPasswordRuleConf@
> 
> The plan is to implement Password Expiry Scheduled Task by analogy as
> mentioned here
> https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+a+PasswordExpirationJob.
> What we want to achieve is to propagate the @mustChangePassword@ field
> in AD as well, but first, we need to find all the users, whose
> password should be updated, correctly. In the example above you
> provided the following query "SELECT id FROM SyncopeUser WHERE
> changePwdDate < ?1".
> 
> What we noticed is that @changePwdDate@ field is not initialized when
> we create a new user with the specified password in Apache Syncope.
> What is the purpose of why the logic is implemented in such a way?
> Currently, @changePwdDate@ field is updated only when UserTO object is 
> updated.

changePwdDate is set only when... password is changed, e.g. with user or 
password-only update.

> Can we also init changePwdDate when we create a user and specify the
> password by adding this line?
> https://github.com/apache/syncope/blob/d3b81598d63a04132e271fbc75a964aa48f39e7f/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java#L171
> ```java
> 	user.setChangePwdDate(new Date());
> ```

I don't see issues with such change, please open an issue on JIRA then 
create a PR on github with a commit message mentioning such issue.

> Also AD supports the "passwordNeverExpires" flag. For this purpose we
> would like to add a new "passwordNeverExpires" field in
> org.apache.syncope.core.persistence.jpa.entity.user.JPAUser model.
> We want to have this field to exclude users which have
> "passwordNeverExpires" set to @true@ in Password Expiry Scheduled
> Task. Do you see any sense to have this field in the code of Apache
> Syncope as well (as a part of JPAUser entity and then as a part of
> UserTO object)? Can this field be applied to other types of
> net.tirasa.connid connectors?

There are several good reasons not to extend the fields of the 
SyncopeUser entity, one of these being to avoid changing the database 
schema across minor releases.

I'd suggest instead to define a boolean Plain Schema with same purpose, 
on your own deployment.
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
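The exchange above turns on two details of the expiry job: the query "SELECT id FROM SyncopeUser WHERE changePwdDate < ?1" never matches a user whose changePwdDate is still NULL (which, on 2.0.12, is every user created with a password and never updated), and accounts marked as never expiring must be left out. The following Java program, added here as an illustration and not code from Apache Syncope or from the thread's authors, models those two checks side by side. ExpiryUser, PasswordExpiryCheck, the 90-day lifetime (standing in for the value the poster plans to keep in a custom AbstractPasswordRuleConf) and the sample users are all constructed for the example; the passwordNeverExpires flag can be read either from a new entity field or from the boolean Plain Schema attribute suggested in the reply, the logic is the same.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper mirroring the selection step of a password expiry scheduled task. */
final class PasswordExpiryCheck {

    /** Constructed stand-in for the few SyncopeUser fields discussed in the thread; not Syncope's entity. */
    static final class ExpiryUser {
        final String username;
        final Instant creationDate;
        final Instant changePwdDate;        // null until the first password change (2.0.12 behaviour)
        final boolean passwordNeverExpires; // entity field or boolean Plain Schema attribute

        ExpiryUser(String username, Instant creationDate, Instant changePwdDate, boolean passwordNeverExpires) {
            this.username = username;
            this.creationDate = creationDate;
            this.changePwdDate = changePwdDate;
            this.passwordNeverExpires = passwordNeverExpires;
        }
    }

    private final Duration lifetime; // assumed to be the domain-specific password lifetime

    PasswordExpiryCheck(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /**
     * Same semantics as "changePwdDate < ?1" in JPQL/SQL: a NULL changePwdDate never
     * satisfies the comparison, so a user whose password was set at creation and
     * never changed is silently skipped by the job.
     */
    boolean expiredPerQuery(ExpiryUser u, Instant now) {
        return u.changePwdDate != null && u.changePwdDate.isBefore(now.minus(lifetime));
    }

    /**
     * Hardened check: fall back to creationDate when changePwdDate was never set
     * (equivalent to initialising changePwdDate on creation, as proposed in the
     * thread), and skip accounts flagged passwordNeverExpires.
     */
    boolean mustChangePassword(ExpiryUser u, Instant now) {
        if (u.passwordNeverExpires) {
            return false;
        }
        Instant lastSet = u.changePwdDate != null ? u.changePwdDate : u.creationDate;
        return lastSet.isBefore(now.minus(lifetime));
    }

    /** Usernames the job should flag with mustChangePassword. */
    List<String> selectExpired(List<ExpiryUser> users, Instant now) {
        List<String> expired = new ArrayList<>();
        for (ExpiryUser u : users) {
            if (mustChangePassword(u, now)) {
                expired.add(u.username);
            }
        }
        return expired;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2019-01-30T11:19:01Z");                      // constructed "now"
        PasswordExpiryCheck check = new PasswordExpiryCheck(Duration.ofDays(90)); // constructed lifetime

        // Constructed sample users, not real data.
        List<ExpiryUser> users = Arrays.asList(
            // created 200 days ago, password never changed: changePwdDate still null
            new ExpiryUser("alice", now.minus(Duration.ofDays(200)), null, false),
            // password changed 120 days ago: expired under both checks
            new ExpiryUser("bob", now.minus(Duration.ofDays(300)), now.minus(Duration.ofDays(120)), false),
            // password changed 10 days ago: still valid
            new ExpiryUser("carol", now.minus(Duration.ofDays(300)), now.minus(Duration.ofDays(10)), false),
            // service account with an old password but passwordNeverExpires set
            new ExpiryUser("svc-backup", now.minus(Duration.ofDays(400)), now.minus(Duration.ofDays(400)), true));

        for (ExpiryUser u : users) {
            System.out.printf("%-11s query:%-5b hardened:%-5b%n",
                u.username, check.expiredPerQuery(u, now), check.mustChangePassword(u, now));
        }
        System.out.println("must change password: " + check.selectExpired(users, now));
    }
}
```

Running it shows the gap the thread is about: "alice" is never returned by the query-style check even though her password is 200 days old, while the service account is returned by the query but excluded once the flag is honoured. If the job is implemented with the JPQL query rather than in-memory filtering, the same two fixes translate to initialising changePwdDate at creation (the one-line change proposed above) and adding the never-expires condition to the WHERE clause or to the attribute lookup.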