OpenIDM / OPENIDM-10016

Property Value substitution not working


    Details

    Type: Bug
    Status: Closed
    Priority: Major
    Resolution: Not a defect
    Affects Version/s: OpenIDM 5.5.0
    Fix Version/s: None
    Component/s: Module - Configuration
    Labels: None

      Description

      Trying to use property value substitution with encrypted or obfuscated values for credentials in a provisioner JSON file fails: IDM is unable to connect to the resource due to an incorrect password.

      Steps to reproduce:

      1) Configure connector to LDAP resource and ensure connectivity from IDM (list accounts)

      2) In the LDAP provisioner JSON, replace the credential entry with:

      "credentials" : "&{openidm.ldap.password}",

      3) Using the IDM utility JAR, encrypt (or obfuscate) the password:

      java -jar /opt/openidm/bundle/openidm-util-5.5.0.jar
      This utility helps obfuscate passwords to prevent casual observation.
      It is not securely encrypted and needs further measures to prevent disclosure.
      Please enter the password:
      OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
      CRYPT:1206319abab995251d745b151b73131c

      4) In boot.properties, create a value for openidm.ldap.password as follows:

      openidm.ldap.password=CRYPT:1206319abab995251d745b151b73131c

      (also tried the obfuscated value, with the same result)

      5) Log into the admin interface, select Connectors (the connector will show an error), and select "Data (account)".

      6) The UI will display "Unknown error. Please contact the administrator." and the session-expired login popup.

      Logs display the following:

      Jan 17, 2018 11:52:54 AM org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8
      WARNING: Resource exception: 500 Internal Server Error: "[LDAP: error code 49 - Invalid Credentials]"
      org.forgerock.json.resource.InternalServerErrorException: [LDAP: error code 49 - Invalid Credentials]
       at org.forgerock.openidm.provisioner.impl.SystemObjectSetService.actionInstance(SystemObjectSetService.java:383)
       at org.forgerock.json.resource.InterfaceSingletonHandler.handleAction(InterfaceSingletonHandler.java:26)
       at org.forgerock.json.resource.Router.handleAction(Router.java:250)
       at org.forgerock.json.resource.Router.handleAction(Router.java:250)
       at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:55)

      Even though the password is correct.
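      The report does not say how the substituted value reaches the connector, only that the bind fails with the correct password configured and that the issue was closed as not a defect. The following diagnostic is an added example, not OpenIDM code: it models `&{...}` substitution as plain text replacement (an assumption about the reporter's configuration, not a statement about IDM internals), performs the substitution from a constructed boot.properties into a constructed provisioner fragment, and flags any credential field that still carries an OBF:/CRYPT: prefix afterwards. That is the check to run before blaming the directory: if the token itself is what gets bound with, LDAP error 49 is the expected result.

```python
"""Diagnostic: after &{...} substitution, is the connector credential a usable
password or still the literal OBF:/CRYPT: token?

Added example, not OpenIDM's own code. Substitution is modelled as plain text
replacement (an assumption about the reporter's setup). The boot.properties
and provisioner contents below are constructed samples mirroring steps 2 and 4
of the report.
"""
import json
import re

# Constructed boot.properties sample (step 4 of the report).
BOOT_PROPERTIES = """\
# boot.properties (constructed sample)
openidm.ldap.password=CRYPT:1206319abab995251d745b151b73131c
openidm.ldap.host=ldap.example.com
"""

# Constructed LDAP provisioner fragment (step 2 of the report).
PROVISIONER_JSON = """\
{
  "configurationProperties": {
    "host": "&{openidm.ldap.host}",
    "principal": "cn=Directory Manager",
    "credentials": "&{openidm.ldap.password}"
  }
}
"""

SUBST = re.compile(r"&\{([^}]+)\}")
SECRET_PREFIXES = ("CRYPT:", "OBF:")


def parse_properties(text):
    """Minimal Java .properties parser: key=value per line, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def substitute(config_text, props):
    """Replace each &{name} with props[name]; unknown names are left as-is."""
    return SUBST.sub(lambda m: props.get(m.group(1), m.group(0)), config_text)


def unresolved_secrets(config):
    """Return dotted paths of string values still carrying an OBF:/CRYPT: prefix."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and node.startswith(SECRET_PREFIXES):
            found.append(path)

    walk(config, "")
    return found


def check_provisioner(provisioner_text, boot_properties_text):
    """Substitute properties into the provisioner and list still-encoded fields."""
    props = parse_properties(boot_properties_text)
    resolved = json.loads(substitute(provisioner_text, props))
    return unresolved_secrets(resolved)


if __name__ == "__main__":
    for path in check_provisioner(PROVISIONER_JSON, BOOT_PROPERTIES):
        print(f"{path}: still an OBF:/CRYPT: token after substitution; "
              "a bind with this literal value would fail with LDAP error 49")
```

      Run against real files, replace the two constructed strings with the contents of boot.properties and the provisioner JSON. A non-empty result means the encoded token, not the decrypted password, is what the connector would present; an empty result means the password reached the configuration in clear, and the failure has to be looked for elsewhere.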

              People

              Assignee: Jason Lemay
              Reporter: Brad Tarisznyas