Password not propagated when changed via enduser UI


Password not propagated when changed via enduser UI

Böhmer, Martin

Hi,

I have set up an LDAP connector and LDAP resource that successfully propagates changes to users and groups when changes are performed via the console UI. So, I am able to consistently create, update and delete users and groups in Syncope and LDAP. When I set/change a user’s password via the console UI, it gets propagated to LDAP as expected by an UPDATE propagation task.

However, when I log into the enduser interface and change the password, it gets updated in Syncope’s internal database, but not in LDAP. Inspecting the propagation tasks afterwards reveals that the change in the enduser UI has created a DELETE action for some strange reason.

As mentioned in the reference guide and earlier posts, I already made sure Syncope’s property ‘password.cipher.algorithm’ is set to the same algorithm as specified in the LDAP connector. Both are set to ‘SSHA’. Console log and core log do not show any errors.

What am I doing wrong? What configuration may be wrong or missing?

I would greatly appreciate any hints on what configuration is required to propagate the password change from the enduser interface to LDAP! My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.

Best regards,

Martin

PS: The result of the password not being propagated is that I am now able to log into the enduser interface using both the password stored in Syncope’s internal DB and the (old) password still present in LDAP…


Re: Password not propagated when changed via enduser UI

ilgrosso
Administrator
Hi Martin,
welcome to Apache Syncope.

Which version / distribution are you running?

See my replies embedded below.

Regards.

On 25/06/2017 18:48, Böhmer, Martin wrote:

> Hi,
>
> I have set up an LDAP connector and LDAP resource that successfully propagates changes to users and groups when changes are performed via the console UI. So, I am able to consistently create, update and delete users and groups in Syncope and LDAP. When I set/change a user’s password via the console UI, it gets propagated to LDAP as expected by an UPDATE propagation task.
>
> However, when I log into the enduser interface and change the password, it gets updated in Syncope’s internal database, but not in LDAP. Inspecting the propagation tasks afterwards reveals that the change in the enduser UI has created a DELETE action for some strange reason.


I have replicated your case with 2.0.4-SNAPSHOT (by using the sample ApacheDS LDAP resource available) and opened

https://issues.apache.org/jira/browse/SYNCOPE-1125

> As mentioned in the reference guide and earlier posts, I already made sure Syncope’s property ‘password.cipher.algorithm’ is set to the same algorithm as specified in the LDAP connector. Both are set to ‘SSHA’. Console log and core log do not show any errors.


Aligning the cipher algorithms is only needed when pulling or pushing password values as binary objects, and this only occurs during pull or push task execution.

Setting password via Admin Console or Enduser UI instead does not require such alignment, as the cleartext value is passed along with the REST invocation.

> What am I doing wrong? What configuration may be wrong or missing?
>
> I would greatly appreciate any hints on what configuration is required to propagate the password change from the enduser interface to LDAP! My LDAP server is OpenLDAP on Ubuntu 16.04 LTS.
>
> Best regards,
>
> Martin
>
> PS: The result of the password not being propagated is that I am now able to log into the enduser interface using both the password stored in Syncope’s internal DB and the (old) password still present in LDAP…


This is not possible unless you have defined an Account Policy [1] with LDAP for pass-through authentication [2].

[1] https://syncope.apache.org/docs/reference-guide.html#policies-account
[2] https://syncope.apache.org/docs/reference-guide.html#pass-through-authentication
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

AW: Password not propagated when changed via enduser UI

Böhmer, Martin

Hi Francesco,

Thanks for your quick reply. Your remarks were very helpful to better understand Syncope.

I am running the 2.0.3 release of the Syncope Debian distribution. OpenLDAP version is 2.4.42+dfsg-2ubuntu3.

Can you estimate when release 2.0.4 will be available? There was no date set in JIRA.

Best regards,

Martin


Re: AW: Password not propagated when changed via enduser UI

ilgrosso
Administrator
On 27/06/2017 09:19, Böhmer, Martin wrote:

> Hi Francesco,
>
> Thanks for your quick reply. Your remarks were very helpful to better understand Syncope.


Glad to hear that :-)

> I am running the 2.0.3 release of the Syncope Debian distribution. OpenLDAP version is 2.4.42+dfsg-2ubuntu3.
>
> Can you estimate when release 2.0.4 will be available? There was no date set in JIRA.


Syncope 2.0.4 is already full of fixes, improvements and new features:

https://issues.apache.org/jira/projects/SYNCOPE/versions/12340328

Still a few are standing (mainly bugfixes, others can be moved to 2.0.5); moreover, CXF 3.1.12 (which we use as foundation of Syncope REST layer, and more) is currently under vote.

Given such elements, I would estimate next release 2.0.4 to be available in 2-3 weeks' time.

Regards.


Re: AW: Password not propagated when changed via enduser UI

ilgrosso
Administrator
Hi Martin,
FYI SYNCOPE-1125 [1] is now resolved.

Regards.

[1] https://issues.apache.org/jira/browse/SYNCOPE-1125