Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute


justin.isenhour
Hi All,

I am using Syncope 2.0.3 with ApacheDS 2.0.0-M23 as the identity store.  In ApacheDS I have Must Change Password enabled for the password policy.  When a new user is created the pwdReset flag is true.  How can I get Syncope to change the flag to false?  Changing the Must Change Password attribute for the UserTO doesn't impact this, and neither does resetting the user's password.  So far I have found no way to change this flag.  I tried adding a mapping between mustChangePassword and pwdReset with a JEXL transformer to convert Syncope's 0|1 value to ApacheDS's expected true|false.  With this in place, when I create a user with must change password set to true the provisioning is successful, but when I try to create/update a user with the value false the sync fails.  ApacheDS complains that I am trying to set more than one value on the pwdReset attribute, which only accepts a single value.  Anyone have any thoughts or recommendations?

Thanks,
Justin Isenhour

Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

ilgrosso
Administrator
On 01/06/2017 19:40, justin.isenhour wrote:

> Hi All,
>
> I am using Syncope 2.0.3 with ApacheDS 2.0.0-M23 as the identity store.  In
> ApacheDS I have Must Change Password enabled for the password policy.  When
> a new user is created the pwdReset flag is true.  How can I get Syncope to
> change the flag to false?  Changing the Must Change Password attribute for
> the UserTO doesn't impact this, and neither does resetting the user's password.  So
> far I have found no way to change this flag.  I tried adding a mapping
> between mustChangePassword and pwdReset with a JEXL transformer to convert
> Syncope's 0|1 value to ApacheDS's expected true|false.  With this in place
> when I create a user with must change password as true the provisioning is
> successful but when I try to create/update a user with value false the sync
> fails.  ApacheDS complains that I am trying to set more than one value to
> the pwdReset attribute that only accepts a single value.  Anyone have any
> thoughts or recommendations?

Hi Justin,
thanks for your interest in Apache Syncope.

It seems you have come quite far with Syncope LDAP configuration, nice :-)

I am not very familiar with ApacheDS' pwdReset attribute: could you
please point to me in which LDAP ObjectClass is that available? I would
like to replicate your setup.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

justin.isenhour
Francesco,

pwdReset is part of the pwdpolicy schema (OID: 1.3.6.1.4.1.42.2.27.8.1.22).
I am creating a user using the inetOrgPerson class.  If you are using Apache Directory Studio to look at the objects, this attribute will not show by default; you will need to include optional attributes to get it to show.

Thanks,
Justin

Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

ilgrosso
Administrator
Hi,
here's what I did (after creating new Maven project, in embedded mode -
it should be exactly the same with standalone distribution):

1. from Admin Console, I went to Topology > resource-ldap > edit
provision rules
2. added a mapping item to USER / __ACCOUNT__, with
   * 'mustChangePassword' as internal attribute
   * 'pwdReset' as external attribute
   * JEXL transformer 'mustChangePassword == 1'
3. saved

After that, I have created a new user, and assigned 'resource-ldap': the
user got created as expected on the embedded ApacheDS instance (e.g. the
one behind 'resource-ldap' above), with 'pwdReset: false'.

Then, on the user row, I have clicked on the "set must change password"
menu entry: an update was sent to ApacheDS and 'pwdReset' became true.
I clicked again on the same menu entry (which I have now changed to
"toggle must change password"): another update to ApacheDS and
'pwdReset' became false.

Is there anything different that you were expecting?
Regards.


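A way to verify the ApacheDS side of the steps above, added here as an example and not code from the thread or from the Syncope project: export the user entries as LDIF (pwdReset is not returned by default, as Justin notes, so the attribute must be requested explicitly, e.g. with '+' for operational attributes in an ldapsearch attribute list), then flag every entry whose pwdReset is still TRUE or carries more than one value, which is the single-value violation ApacheDS reported. The LDIF below is constructed, and the DNs are assumptions.

```python
import base64

# Constructed sample (not from the thread): ldapsearch '*' '+' output from
# ApacheDS, plus one entry shaped like the add request ApacheDS rejected.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice,ou=users,dc=example,dc=com
pwdReset: FALSE

dn: uid=bob,ou=users,dc=example,dc=com
pwdReset:: VFJVRQ==

dn: uid=carol,ou=users,dc=example,dc=com
pwdReset: TRUE
pwdReset: FALSE
"""


def parse_ldif(text):
    """[(dn, {attr: [values]})]: names lower-cased, '::' base64 decoded, '#' skipped."""
    entries, current = [], None
    for line in text.splitlines() + [""]:  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    return entries


def check_pwd_reset(entries):
    """Map DN -> problem: several pwdReset values (rejected by ApacheDS) or TRUE."""
    problems = {}
    for dn, attrs in entries:
        values = [v.upper() for v in attrs.get("pwdreset", [])]
        if len(values) > 1:
            problems[dn] = "multiple pwdReset values: " + ", ".join(values)
        elif values == ["TRUE"]:
            problems[dn] = "pwdReset is TRUE"
    return problems
```

Run it over a real export after a "toggle must change password" update to confirm the propagation actually reached the directory.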

Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

justin.isenhour
Francesco,

Thanks for your reply.  I have followed the steps you described but am not getting the same result as you.  If in the ApacheDS password policy section I have Allow Must Change flagged, then when I try to create a new user the sync with ApacheDS fails; it complains that there are 2 values being set for attribute pwdReset.  If I uncheck the Allow Must Change flag then the create/sync is successful; however, after that any attempt I make to toggle Must Change Password on/off does not sync with ApacheDS.  I tried toggling this from the console as well as using the user self Patch API.  In both of these cases there is no propagation task being created.  The only propagation task I see is the initial create (making other updates does initiate a propagation task and LDAP is updated as expected).

Any thoughts as to why changes to Must Change Password are not triggering a propagation task?

Thanks,
Justin

Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

ilgrosso
Administrator
On 14/06/2017 19:40, justin.isenhour wrote:

> Francesco,
>
> Thanks for your reply.  I have followed the steps you described but am not
> getting the same result as you.  If in ApacheDS password policy section I
> have Allow Must Change flagged then when I try to create a new user the sync
> with ApacheDS fails, it complains that there are 2 values being set for
> attribute pwdReset.  If I uncheck Allow Must Change flag then the
> create/sync is successful, however, after that any attempt I make to toggle
> Must Change Password on/off does not sync with ApacheDS.  I tried toggling
> this from the console as well as using the user self Patch API.  In both of
> these cases there is no propagation task being created.  The only propagation
> task I see is the initial create. (making other updates does initiate a
> propagation task and LDAP is updated as expected).
>
> Any thoughts as to why changes to Must Change Password are not triggering a
> propagation task?

Which Syncope version and distribution are you using?

You might want to download the latest 2.0.4-SNAPSHOT standalone
distribution [1] (instructions [2]) and try to perform the steps
reported previously with the embedded ApacheDS 2.0 M24 (which is exactly
what I did).

Regards.

[1]
https://repository.apache.org/content/groups/snapshots/org/apache/syncope/syncope-standalone/2.0.4-SNAPSHOT/syncope-standalone-2.0.4-20170614.162350-94-distribution.zip
[2] https://ci.apache.org/projects/syncope/getting-started.html#standalone



Re: Cannot get Must Change Password to sync with ApacheDS pwdReset Attribute

justin.isenhour
I am using Syncope 2.0.3 and am doing a Maven WAR overlay.