This topic has 4 replies, 3 voices, and was last updated 5 years, 10 months ago by pier.

  • #12993
     opsteam
    Participant

    Hi,

    I am experiencing a strange issue, which led me to the following question:

    How is openidm handling the password reconciliation in case we do not define any password-related object within the sync.json? (For the systemLdapAccounts_managedUser sync, I mean.)

    For the other recon definition (managedUser_systemLdapAccounts) I can see the password attribute definition, so I can understand how openidm is able to push any password to the dj server…

    Please find an excerpt of my sync.json :

    {
        "mappings" : [
            {
                "name" : "systemLdapAccounts_managedUser",
                "source" : "system/ldapDev/account",
                "target" : "managed/user",
                "properties" : [
                    {
                        "source" : "cn",
                        "target" : "displayName"
                    },
                    {
                        "source" : "description",
                        "target" : "description"
                    },
                    {
                        "source" : "givenName",
                        "target" : "givenName"
                    },
                    {
                        "source" : "mail",
                        "target" : "mail"
                    },
                    {
                        "source" : "sn",
                        "target" : "sn"
                    },
                    {
                        "source" : "uid",
                        "target" : "userName"
                    }
                ],
                "policies" : [
                    {
                        "situation" : "CONFIRMED",
                        "action" : "UPDATE"
                    },
                    {
                        "situation" : "FOUND",
                        "action" : "UPDATE"
                    },
                    {
                        "situation" : "ABSENT",
                        "action" : "CREATE"
                    },
                    {
                        "situation" : "AMBIGUOUS",
                        "action" : "EXCEPTION"
                    },
                    {
                        "situation" : "MISSING",
                        "action" : "CREATE"
                    },
                    {
                        "situation" : "SOURCE_MISSING",
                        "action" : "DELETE"
                    },
                    {
                        "situation" : "UNQUALIFIED",
                        "action" : "IGNORE"
                    },
                    {
                        "situation" : "UNASSIGNED",
                        "action" : "IGNORE"
                    }
                ],
                "enableSync" : true,
                "recon" : {
                    "_id" : "ecaeb0c3-93ec-4e94-aee1-1eb5e622d78c-1083",
                    "mapping" : "systemLdapAccounts_managedUser",
                    "state" : "SUCCESS",
                    "stage" : "COMPLETED_SUCCESS",
                    "stageDescription" : "reconciliation completed.",
                    "progress" : {
                        "source" : {
                            "existing" : {
                                "processed" : 2,
                                "total" : "2"
                            }
                        },
                        "target" : {
                            "existing" : {
                                "processed" : 0,
                                "total" : "0"
                            },
                            "created" : 0
                        },
                        "links" : {
                            "existing" : {
                                "processed" : 0,
                                "total" : "0"
                            },
                            "created" : 0
                        }
                    },
                    "situationSummary" : {
                        "SOURCE_IGNORED" : 0,
                        "MISSING" : 0,
                        "FOUND" : 0,
                        "AMBIGUOUS" : 0,
                        "UNQUALIFIED" : 0,
                        "CONFIRMED" : 0,
                        "SOURCE_MISSING" : 0,
                        "ABSENT" : 2,
                        "TARGET_IGNORED" : 0,
                        "UNASSIGNED" : 0,
                        "FOUND_ALREADY_LINKED" : 0
                    },
                    "statusSummary" : {
                        "FAILURE" : 2,
                        "SUCCESS" : 0
                    },
                    "parameters" : {
                        "sourceQuery" : {
                            "resourceName" : "system/ldapDev/account",
                            "queryId" : "query-all-ids"
                        },
                        "targetQuery" : {
                            "resourceName" : "managed/user",
                            "queryId" : "query-all-ids"
                        }
                    },
                    "started" : "2016-09-13T12:18:00.002Z",
                    "ended" : "2016-09-13T12:18:00.170Z",
                    "duration" : 168
                }
            },
            {
                "name" : "managedUser_systemLdapAccounts",
                "source" : "managed/user",
                "target" : "system/ldapDev/account",
                "links" : "systemLdapAccounts_managedUser",
                "onCreate" : {
                    "type" : "text/javascript",
                    "globals" : { },
                    "source" : "target.dn = 'uid=' + source.userName + ',ou=clients,dc=example,dc=com';"
                },
                "properties" : [
                    {
                        "source" : "givenName",
                        "target" : "givenName"
                    },
                    {
                        "source" : "sn",
                        "target" : "sn"
                    },
                    {
                        "source" : "",
                        "transform" : {
                            "type" : "text/javascript",
                            "source" : "source.displayName || (source.givenName + ' ' + source.sn);"
                        },
                        "target" : "cn"
                    },
                    {
                        "source" : "userName",
                        "target" : "uid"
                    },
                    {
                        "source" : "description",
                        "target" : "description",
                        "condition" : {
                            "type" : "text/javascript",
                            "source" : "!!object.description"
                        }
                    },
                    {
                        "source" : "mail",
                        "target" : "mail"
                    },
                    {
                        "source" : "password",
                        "condition" : {
                            "type" : "text/javascript",
                            "source" : "object.password != null"
                        },
                        "transform" : {
                            "type" : "text/javascript",
                            "source" : "openidm.decrypt(source);"
                        },
                        "target" : "userPassword"
                    },
                    {
                        "source" : "telephoneNumber",
                        "target" : "telephoneNumber",
                        "condition" : {
                            "type" : "text/javascript",
                            "source" : "!!object.telephoneNumber"
                        }
                    }
                ],
                "policies" : [
                    {
                        "situation" : "CONFIRMED",
                        "action" : "UPDATE"
                    },
                    {
                        "situation" : "FOUND",
                        "action" : "LINK"
                    },
                    {
                        "situation" : "ABSENT",
                        "action" : "CREATE"
                    },
                    {
                        "situation" : "AMBIGUOUS",
                        "action" : "IGNORE"
                    },
                    {
                        "situation" : "MISSING",
                        "action" : "IGNORE"
                    },
                    {
                        "situation" : "SOURCE_MISSING",
                        "action" : "DELETE"
                    },
                    {
                        "situation" : "UNQUALIFIED",
                        "action" : "IGNORE"
                    },
                    {
                        "situation" : "UNASSIGNED",
                        "action" : "IGNORE"
                    }
                ],
                "enableSync" : true
            }
        ]
    }
    #12994
     Jason Ng
    Participant

    Hello,

    Are you using the Password Synchronization Plugin for OpenDJ?

    https://backstage.forgerock.com/#!/docs/openidm/4.5/integrators-guide#password-sync

    #13001
     opsteam
    Participant

    Thanks Jason,

    Yes, I do use the pw sync plugin; it used to work. Do you think a bad replication setup (on opendj) might break this (because I set up a new replication which has a problem caused by the address resolution of this new replication server)?

    Do you confirm that I do not need to add any reference to the password attribute within the openidm sync.json file (you can see there is no reference to this attribute in my earlier posted sync.json file)?

    #13062
     Jason Ng
    Participant

    Hello,

    There shouldn’t be a need for a mapping of the password attribute from DJ to IDM, as IDM won’t be able to see the password anyway.

    Typically, the password synchronization plugin updates IDM by doing an HTTP PATCH on the managed user with the changed password. So it shouldn’t refer back to the mapping of the password attribute.

    Any errors in DJ and the password sync plugin logs?

    #13157
     pier
    Participant

    I finally understood that my problem lay within our custom password policy: it was missing the validateOnlyIfPresent function call!

    Everything is good now, thanks for the support.
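The failure mode in this thread, as an added illustration that is not OpenIDM's own code or the poster's configuration: a simplified model of how a managed/user property policy behaves with and without the validateOnlyIfPresent flag. The policy function signature and the policy entry shape are modelled on OpenIDM's policy.js, but the enforcement loop, the minimum-length policy and the sample user are constructed stand-ins. An LDAP-to-managed recon creates users without any password (IDM never sees it), so a password policy that also runs on absent values fails every CREATE, matching the 2 ABSENT / 2 FAILURE recon status above.

```javascript
// Hypothetical custom password policy in the style of a policy.js entry
// (fullObject, value, params, property). Not OpenIDM's own code.
function minimumLengthPolicy(fullObject, value, params, property) {
  if (typeof value !== "string" || value.length < params.minLength) {
    return [{ policyRequirement: "MIN_LENGTH", params: params }];
  }
  return [];
}

// Two variants of the same definition: the broken one lacks
// validateOnlyIfPresent, so it also runs when the property is absent.
const policyWithoutFlag = {
  policyId: "minimum-length",
  policyExec: minimumLengthPolicy,
  params: { minLength: 8 }
};
const policyWithFlag = Object.assign({}, policyWithoutFlag, { validateOnlyIfPresent: true });

// Simplified stand-in for the policy service: apply each policy bound to a
// property and collect failures; skip absent properties only when flagged.
function validateObject(object, propertyPolicies) {
  const failures = [];
  for (const [property, policies] of Object.entries(propertyPolicies)) {
    const value = object[property];
    const present = value !== undefined && value !== null;
    for (const p of policies) {
      if (p.validateOnlyIfPresent && !present) continue;
      const result = p.policyExec(object, value, p.params || {}, property);
      if (result.length) failures.push({ property: property, policyRequirements: result });
    }
  }
  return failures;
}

// Constructed sample: what the systemLdapAccounts_managedUser mapping above
// produces for one ABSENT source entry. No password: the LDAP source has none
// that IDM can read, and the mapping defines no password property.
const userFromLdapRecon = {
  userName: "jdoe", givenName: "John", sn: "Doe",
  mail: "jdoe@example.com", displayName: "John Doe", description: "imported"
};

// Without the flag the CREATE fails on MIN_LENGTH; with it the CREATE passes.
const withoutFlagResult = validateObject(userFromLdapRecon, { password: [policyWithoutFlag] });
const withFlagResult = validateObject(userFromLdapRecon, { password: [policyWithFlag] });
// A password that is present (e.g. arriving via the plugin's PATCH) is still checked.
const shortPasswordResult = validateObject(
  Object.assign({}, userFromLdapRecon, { password: "abc" }), { password: [policyWithFlag] });
```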
