[email protected]

@pavel-horalorchitech-cz

active 4 years ago
  • [email protected] replied to the topic Community Edition in the forum General Discussion 5 years, 4 months ago

    Yeroc is right. This kills community involvement.

  • [email protected] replied to the topic Error while integrating AD to openIDM using generic LDAP connector in the forum Identity Management 5 years, 6 months ago

    > and also added the path of trust store in system.properties

    Add the certificate to $OPENIDM_HOME/security/truststore. Do not try to add a different truststore (btw. the truststore location is in boot.properties).

  • [email protected] replied to the topic Error while integrating AD to openIDM using generic LDAP connector in the forum Identity Management 5 years, 6 months ago

    Giving the configuration a second look, "ssl" : false seems quite suspicious as well. You are connecting to port 636, which should be SSL.

  • [email protected] replied to the topic Error while integrating AD to openIDM using generic LDAP connector in the forum Identity Management 5 years, 6 months ago

    I think you should log in with the Windows domain name, not the user DN. So change your principal to something like "administrator" or "DOMAIN\administrator".

  • [email protected] replied to the topic Howto.. best approach in the forum Identity Management 5 years, 8 months ago

    I would go the easiest way, which I think is somewhere in the middle. Having higher level business roles (like junior account manager) is nice, but that additional level of abstraction needs to be managed. So as long as there are not that many roles needed, this is a good approach.

    When you need to be able to assign the lower level application…[Read more]

  • [email protected] replied to the topic avoiding unnecessary password updates? in the forum Identity Management 5 years, 9 months ago

    One possibility is to use password change timestamp, which is a common attribute in many systems. Then in the mapping you can compare if password in IdM is newer than password in the target system. Of course you need to make sure that the time within your environment is synced.

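A concrete version of that comparison, as an added example that is not taken from the post and is not OpenIDM code: a stand-alone JavaScript function that decides whether a password should be pushed, given an IdM-side ISO 8601 change timestamp and an AD-style pwdLastSet value (a Windows FILETIME, i.e. 100-nanosecond ticks since 1601-01-01 UTC). The attribute names passwordLastChanged on the managed user and pwdLastSet on the target, the clock-skew tolerance and the sample objects are assumptions made for the example.

```javascript
// Added example (not OpenIDM code): push a password only when the IdM copy is
// newer than the one already held by the target system.
//
// AD stores pwdLastSet as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
// Offset between the FILETIME epoch and the Unix epoch, in milliseconds.
const FILETIME_EPOCH_OFFSET_MS = 11644473600000;

// Convert a FILETIME (AD returns it as a decimal string) to Unix milliseconds.
// pwdLastSet = 0 means "must change password at next logon", i.e. there is no
// usable timestamp, so the function returns null for it.
function filetimeToUnixMs(filetime) {
  const ticks = BigInt(filetime);
  if (ticks === 0n) return null;
  return Number(ticks / 10000n) - FILETIME_EPOCH_OFFSET_MS;
}

// ASSUMPTION: clocks in the environment are synced to within this tolerance.
// This is the parameter that encodes the post's caveat about time sync.
const CLOCK_SKEW_MS = 5 * 60 * 1000;

// Decide whether to send the password. Returns true when the target has no
// usable timestamp (first provisioning, pwdLastSet = 0) or when the IdM-side
// change is newer than the target's by more than the skew tolerance. Returns
// false when the target already holds a password at least as recent, which is
// exactly the unnecessary update the thread wants to avoid.
function shouldPushPassword(source, target) {
  if (!source || !source.passwordLastChanged) return false; // nothing to push
  const sourceMs = Date.parse(source.passwordLastChanged);
  if (Number.isNaN(sourceMs)) throw new Error("unparseable source timestamp");
  const targetMs = target && target.pwdLastSet != null
    ? filetimeToUnixMs(target.pwdLastSet)
    : null;
  if (targetMs === null) return true;
  return sourceMs - targetMs > CLOCK_SKEW_MS;
}

// Constructed sample data (not real accounts). 2020-02-01T12:00:00Z as FILETIME:
// (1580558400 + 11644473600) s * 1e7 ticks/s = 132250320000000000
const SAMPLE_TARGET = { pwdLastSet: "132250320000000000" };
const FRESH_TARGET = { pwdLastSet: "0" }; // never set in AD
const NEWER_SOURCE = { passwordLastChanged: "2020-02-02T12:00:00Z" };
const OLDER_SOURCE = { passwordLastChanged: "2020-01-31T12:00:00Z" };
const SKEW_SOURCE = { passwordLastChanged: "2020-02-01T12:03:00Z" }; // within tolerance
```

In a mapping this logic belongs in the script that guards the password property; which script variables expose the target object differs between IDM versions, so check the documentation for the version in use before wiring it in.
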
  • [email protected] replied to the topic Conditionally sync based on role in the forum Identity Management 6 years, 1 month ago

    > However, I would say that the 'Assignments' method is probably a misunderstanding of the Assignments capability

    That is an interesting point of view and I hope that is not how it is. Using assignments as indication whether the user is eligible to have account in the integrated system is in my opinion basic RBAC feature.

  • [email protected] replied to the topic How to not sync managed object if one of the properties is updated? in the forum Identity Management 6 years, 1 month ago

    You can change that property directly via repository service (/repo/managed/user) so that the managed object service is not picking up on the event. Such call would need to be wrapped in a custom endpoint.

  • [email protected] replied to the topic Conditionally sync based on role in the forum Identity Management 6 years, 1 month ago

    You can do something similar to this in validSource script:

    require('lib/lodash').some(source.effectiveAssignments || [], { mapping: 'nameOfYourAdMapping' })

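The validSource check from the reply above, as an added example that is neither the original author's code nor part of OpenIDM: a stand-alone JavaScript function that reproduces the lodash some() test over effectiveAssignments and runs it against constructed sample managed users. lib/lodash is an OpenIDM script module, so the example uses Array.prototype.some with the same matching semantics. The mapping name managedUser_systemAdAccount and the sample users are assumptions.

```javascript
// Added example (not OpenIDM code): decide whether a managed user is a valid
// source for a mapping based on its effective assignments, the same test the
// validSource one-liner above performs with lib/lodash.
//
// In OpenIDM, effectiveAssignments is computed from the user's roles and holds
// one object per assignment, each carrying the name of the mapping it targets.
// ASSUMPTION: the AD mapping is named "managedUser_systemAdAccount".
const AD_MAPPING = "managedUser_systemAdAccount";

// Equivalent of _.some(list, { mapping: name }): true when at least one element
// has a matching `mapping` property. The `|| []` guard handles users that have
// no roles at all, where the attribute is absent and the script would otherwise
// throw instead of returning false.
function hasAssignmentForMapping(source, mappingName) {
  return (source.effectiveAssignments || []).some(
    (assignment) => assignment !== null && typeof assignment === "object"
      && assignment.mapping === mappingName
  );
}

// What a mapping's validSource script evaluates: `source` is the managed object
// under consideration and the boolean result decides whether it qualifies for
// the mapping at all.
function validSource(source) {
  return hasAssignmentForMapping(source, AD_MAPPING);
}

// Constructed sample users (not real data).
const SAMPLE_USERS = [
  { userName: "alice", effectiveAssignments: [
      { name: "AD account", mapping: AD_MAPPING, attributes: [] } ] },
  { userName: "bob", effectiveAssignments: [
      { name: "LDAP account", mapping: "managedUser_systemLdapAccount", attributes: [] } ] },
  { userName: "carol" },                             // no roles: attribute absent
  { userName: "dave", effectiveAssignments: null },  // explicit null, also guarded
];

// Names of the users that would be provisioned to AD under this rule.
function usersValidForAd(users) {
  return users.filter(validSource).map((u) => u.userName);
}

console.log(usersValidForAd(SAMPLE_USERS)); // [ 'alice' ]
```

Inside OpenIDM the body of validSource() is what goes into the mapping's "validSource" script entry; a false result for an already linked target puts the pair into the UNQUALIFIED situation, so the action configured for that situation (for example unlink or delete) is what actually deprovisions the account.
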
  • [email protected] replied to the topic OpenIDM error connecting to AD in the forum Identity Management 6 years, 7 months ago

    Connection reset error can be caused by a lot of things. I would start checking the simplest issues like connectivity, then recheck provisioner configuration

    "host" : "10.0.0.3",
    "port" : 636,
    "ssl" : true,

    and last, but not least, also the used credentials.

  • [email protected] replied to the topic Push user password to Active Directory in the forum Identity Management 6 years, 7 months ago

    You should use the standard password attribute. Do not set up unicodePwd manually. Connector is able to do that for you.

    In provisioner config you should have something similar to this:

    "passwordAttribute" : "unicodePwd",
    "passwordHashAlgorithm" : "WIN-AD",

    "password" : {
    "type" : "string",…[Read more]

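An added check that covers the configuration points raised in the replies above (ssl must match the port, and passwords pushed through passwordAttribute/passwordHashAlgorithm rather than a hand-mapped unicodePwd attribute): a stand-alone JavaScript linter over a parsed provisioner config, written for this page and not OpenIDM's own validation. The property paths configurationProperties.* and objectTypes.account.properties follow the OpenICF provisioner layout; the startTLS property is the generic LDAP connector's, and the two sample configs, with a private-range host, are constructed.

```javascript
// Added example (not OpenIDM code): lint an OpenICF LDAP/AD provisioner config
// for the mistakes discussed in the thread. Input is the parsed JSON of a
// provisioner.openicf-<name>.json file; output is a list of findings.
function lintProvisioner(cfg) {
  const findings = [];
  const cp = (cfg && cfg.configurationProperties) || {};
  const port = Number(cp.port);
  const encrypted = cp.ssl === true || cp.startTLS === true;

  // 636 is LDAPS: the client must start TLS on the first byte. A plaintext
  // client on that port is typically dropped, which surfaces as a reset.
  if (port === 636 && cp.ssl !== true) {
    findings.push('error: port 636 is LDAPS, set "ssl": true');
  }
  // The opposite mismatch: TLS-from-the-start against the plaintext port.
  if (port === 389 && cp.ssl === true) {
    findings.push('error: port 389 is plain LDAP, use "startTLS": true with "ssl": false, or port 636');
  }
  // AD refuses unicodePwd writes on an unencrypted session, so a config that
  // pushes passwords without TLS cannot work (and would leak them if it did).
  if (cp.passwordAttribute === "unicodePwd" && !encrypted) {
    findings.push('error: unicodePwd can only be set over TLS, enable "ssl" or "startTLS"');
  }
  if (cp.passwordAttribute === "unicodePwd" && cp.passwordHashAlgorithm !== "WIN-AD") {
    findings.push('warn: unicodePwd needs "passwordHashAlgorithm": "WIN-AD" so the connector encodes it as AD expects');
  }
  // unicodePwd is written by the connector through passwordAttribute; mapping
  // it as an ordinary attribute bypasses that encoding (the post's "do not set
  // up unicodePwd manually").
  const props = ((((cfg || {}).objectTypes || {}).account || {}).properties) || {};
  for (const [name, def] of Object.entries(props)) {
    if (name === "unicodePwd" || (def && def.nativeName === "unicodePwd")) {
      findings.push(`warn: property "${name}" maps unicodePwd directly; use the password attribute instead`);
    }
  }
  return findings;
}

// Constructed sample: the pattern from the thread, LDAPS port with ssl off and
// unicodePwd mapped by hand.
const BROKEN_CONFIG = {
  configurationProperties: {
    host: "10.0.0.3", port: 636, ssl: false, principal: "administrator",
    passwordAttribute: "unicodePwd",
  },
  objectTypes: { account: { properties: {
    unicodePwd: { type: "string", nativeName: "unicodePwd", nativeType: "string" },
  } } },
};

// Corrected counterpart: TLS on 636 and the password handled by the connector.
const FIXED_CONFIG = {
  configurationProperties: {
    host: "10.0.0.3", port: 636, ssl: true, principal: "administrator",
    passwordAttribute: "unicodePwd", passwordHashAlgorithm: "WIN-AD",
  },
  objectTypes: { account: { properties: {
    password: { type: "string", nativeName: "__PASSWORD__", nativeType: "JAVA_TYPE_GUARDEDSTRING" },
  } } },
};

console.log(lintProvisioner(BROKEN_CONFIG)); // four findings
console.log(lintProvisioner(FIXED_CONFIG));  // []
```

The linter does not try to judge the principal format, since both a DN and a DOMAIN\user name can be valid binds depending on the directory; it only flags combinations that cannot work or that would push credentials in the clear.
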
  • [email protected] replied to the topic It's official. All of ForgeRock's projects are moving to Git! in the forum General Discussion 6 years, 11 months ago

    Is there any possibility for an outsider to clone / connect to the Git repository? Will you continue to publish commits to your GitHub?

  • [email protected] replied to the topic Broken UPDATE synchronization in 3.2.0 master in the forum Identity Management 7 years ago

    Thank you for the information.

©2022 ForgeRock