February 19, 2020 at 1:58 pm #27665
[email protected]
I am migrating from IDM 2.1.1 to IDM 6.0.5.2.
In the 2.1.1 version, the existing Managed User data is stored in an Oracle DB and synced with a system LDAP resource.
Oracle stores the user password with IDM reversible encryption, while LDAP stores the same data using a one-way hash.
The user attributes are stored in Oracle in the managedobjects JSON field; in this field the user password is stored using reversible encryption. The same field is stored in LDAP using PKCS5S2, which is a one-way hash not natively supported by IDM as far as I know. It's natively supported by OpenDJ.
I have set up the new IDM 6.0.5.2 Managed User store using MySQL, and it's syncing with the same LDAP system resource as the old IDM 2.1.1. Right now it gets the hashed field as it should, but since the PKCS5S2 hashing algorithm isn't supported by IDM, it doesn't work when authenticating users.
What I would like to do during the sync is have the attribute use the openidm.decrypt function, but call the old Oracle DB for this one attribute, since the same attribute is stored there in a reversible encryption format. I have exported the private key used to encrypt this field from the old IDM 2.1.1 instance and imported it into the new IDM 6.0.5.2 instance. I just need to have my JavaScript make that call for that one attribute to Oracle and not LDAP.
Is this possible? Is there another way to accomplish this that might be better?
The following section describes how to call managed user endpoints.
https://backstage.forgerock.com/docs/openidm/4.5/integrators-guide/#data-scripts
Can I have a sync.conf section for the new MySQL and the existing LDAP use a third resource?
Something like the following
userpass_manageduser = openidm.read("managed/organization/accounts")          // new IDM 6 managed store (MySQL)
userpass_ldap = openidm.read("system/ldap/accounts")                          // existing LDAP system resource
userpass_oldoracle_manageduser = openidm.read("system/oldoracle/accounts")    // old IDM 2.1.1 Oracle store
Thanks
Zach
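As an added example (not from the post above, and not ForgeRock's own code) of the side lookup Zach describes: a sync.json property transform that, for the password attribute only, queries the old Oracle connector and decrypts the reversible-encryption value with the imported key, returning null rather than a guessed value when no single encrypted record is found. It assumes the old store is exposed as the connector "system/oldoracle/accounts" with "uid" and "password" attributes, that "openidm" and "source" are passed in as parameters (in a real IDM script they are already bound in scope), and that IDM then hashes the returned cleartext under the managed user's password policy; openidm.query, openidm.isEncrypted and openidm.decrypt are the standard IDM script functions.

```javascript
"use strict";

// lookupOldPassword: fetch the same user's record from the old Oracle connector
// and decrypt the IDM 2.1.1 reversible-encryption value with the imported key.
// Returns null when no single matching record with an encrypted password exists,
// so the caller never writes a guessed or unhashed value to the target.
function lookupOldPassword(openidm, sourceUid) {
  var filter = 'uid eq "' + String(sourceUid).replace(/"/g, '\\"') + '"';
  var res = openidm.query("system/oldoracle/accounts", { _queryFilter: filter });
  if (!res || !res.result || res.result.length !== 1) {
    return null;                       // missing or ambiguous: do not guess
  }
  var enc = res.result[0].password;
  if (!enc || !openidm.isEncrypted(enc)) {
    return null;                       // plain or absent value: nothing to decrypt
  }
  return openidm.decrypt(enc);         // cleartext only lives in this scope
}

// passwordTransform: body for a sync.json property transform on "password".
// In IDM the script scope already holds "openidm" and "source" (the LDAP entry);
// here they are parameters so the logic can be exercised outside IDM.
// Never log the return value: IDM hashes it under the managed user's policy.
function passwordTransform(openidm, source) {
  return lookupOldPassword(openidm, source.uid);
}

// Constructed stand-in for the IDM script API (not real data), used to run the
// transform offline: one old-Oracle record carrying an encrypted password.
var fakeOpenidm = {
  query: function (resource, params) {
    if (resource !== "system/oldoracle/accounts") { throw new Error("bad resource"); }
    var rows = [{ uid: "zach", password: { $crypto: { type: "x-simple-encryption" } } }];
    return { result: rows.filter(function (r) {
      return params._queryFilter === 'uid eq "' + r.uid + '"';
    }) };
  },
  isEncrypted: function (v) { return !!(v && v.$crypto); },
  decrypt: function (v) { return "ExampleClear1"; }   // canned cleartext for the stub
};
```

In the mapping, the transform's last expression would be `passwordTransform(openidm, source)`; pair the property with a condition so the attribute is skipped when the lookup returns null.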