OPENIDM-12158

Synchronization via AD password sync plugin mutual SSL doesn't work


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.0
    • Component/s: None
    • Environment: OpenIDM Password Sync Service Version: 1.3.0 Revision: f866a9a,
      OpenIDM 6.5.0-M8 (c2fae94)
      OpenDJ 6.5.0-RC6 (08ef56802eb)

    Description

      Synchronization with the AD password sync plugin doesn't work over mutual SSL. Authorization returns a 401 status code. The response looks like

      response: {"code":401,"reason":"Unauthorized","message":"Access Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Access denied, managed/user entry is not found"}]}}

      I found this in the AD_pwd_plugin/idm.log file.

      Steps to reproduce:

      1. The easiest way to configure IDM, the plugin, etc. is through the automation tests. Comment out the custom suite and test teardown in the automation tests (`remove_user_reset_password` and `custom_suite_teardown` in the robot files ~password_plugins/ad/part1/_init_.robot and synchronization_plugin_mutual_SSL.robot), then run
        run-pybot.py -s password_plugin*.ad.part1.synchronization_plugin_mutual_ssl* -t common_password -n OPENIDM
      2. Send a PUT request with the changed password
        curl -X PUT \
          http://localhost:8080/openidm/managed/user/4fa8a6ab-633f-491b-bcb6-425525633be5 \
          -H 'content-type: application/json' \
          -H 'if-match: *' \
          -H 'x-openidm-password: openidm-admin' \
          -H 'x-openidm-username: openidm-admin' \
          -d '{"password": "", "password2": "Password12", "uid": "initUser", "userName":"initUser", "sn":"initUser", "email": "init@user.com", "givenName": "initUser", "familyName": "initUser", "phoneNumber": "123456789"}'
        
        {
            "_id": "4fa8a6ab-633f-491b-bcb6-425525633be5",
            "_rev": "000000004f2c0e4a",
            "password": {
                "$crypto": {
                    "type": "x-simple-encryption",
                    "value": {
                        "cipher": "AES/CBC/PKCS5Padding",
                        "stableId": "openidm-sym-default",
                        "salt": "RxZT+Xa6o5KdtoH9tpQCMw==",
                        "data": "X91sOJXIz7hehFBc9GYjOQ==",
                        "keySize": 16,
                        "purpose": "idm.password.encryption",
                        "iv": "3T//WT3YgdCu2/yTyId/SQ==",
                        "mac": "OrMtbhMVXJs8srV/ui4cLQ=="
                    }
                }
            },
            "password2": "Password12",
            "uid": "initUser",
            "userName": "initUser",
            "sn": "initUser",
            "email": "init@user.com",
            "givenName": "initUser",
            "familyName": "initUser",
            "phoneNumber": "123456789",
            "effectiveRoles": [],
            "effectiveAssignments": []
        }
      3. Send a GET request
        curl -X GET \
          http://localhost:8080/openidm/managed/user/4fa8a6ab-633f-491b-bcb6-425525633be5 \
          -H 'x-openidm-password: openidm-admin' \
          -H 'x-openidm-username: openidm-admin'
        
        {
            "_id": "4fa8a6ab-633f-491b-bcb6-425525633be5",
            "_rev": "000000004f2c0e4a",
            "password": {
                "$crypto": {
                    "type": "x-simple-encryption",
                    "value": {
                        "cipher": "AES/CBC/PKCS5Padding",
                        "stableId": "openidm-sym-default",
                        "salt": "RxZT+Xa6o5KdtoH9tpQCMw==",
                        "data": "X91sOJXIz7hehFBc9GYjOQ==",
                        "keySize": 16,
                        "purpose": "idm.password.encryption",
                        "iv": "3T//WT3YgdCu2/yTyId/SQ==",
                        "mac": "OrMtbhMVXJs8srV/ui4cLQ=="
                    }
                }
            },
            "password2": "Password12",
            "uid": "initUser",
            "userName": "initUser",
            "sn": "initUser",
            "email": "init@user.com",
            "givenName": "initUser",
            "familyName": "initUser",
            "phoneNumber": "123456789",
            "effectiveRoles": [],
            "effectiveAssignments": [],
            "samePassword": "false",
            "Decrypted": ""
        }
      4. Open a Windows terminal and run this command
        net user initUser "Password12"
        • Console displayed "The command completed successfully."
      5. Send the above GET request again

      Actual result: The response was the same, without changes, and "samePassword" was still "false". The IDM log file didn't contain any error/exception/warning; however, the log file ~AD_pwd_plugin/idm.log contained

      OpenIDM Self-Signed Certificate
      openidm-localhost
      2018-11-16 12:38:23.519 +0000    DEBUG send_idm_request() KeySize: 256
      2018-11-16 12:38:23.520 +0000    DEBUG send_idm_request() status: 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Access denied, managed/user entry is not found"}]}}
      2018-11-16 12:38:23.520 +0000    ERROR do_remote_dispatch(): change request for user "initUser" failed, network status: 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Access denied, managed/user entry is not found"}]}}
      2018-11-16 12:38:28.431 +0000  WARNING file_worker(): userAttribute registry key not set, using default ${samaccountname}
      2018-11-16 12:38:28.431 +0000    DEBUG file_worker(): idmURL set to "https://localhost:8444/openidm/managed/user?_action=patch&_queryId=for-userName&uid=%s"
      2018-11-16 12:38:28.431 +0000    DEBUG file_worker(): processing C:/jenkins/installs/AD_pwd_plugin/data/, 1 file(s)
      2018-11-16 12:38:28.431 +0000    DEBUG file_worker(): reading file C:/jenkins/installs/AD_pwd_plugin/data/\B18BCD76D79E96F482D622D2ED29EA3C-20181116123807432.json
      2018-11-16 12:38:28.431 +0000    DEBUG ssl_verify_peer(): netSslVerifyPeer is set to false
      2018-11-16 12:38:28.431 +0000    DEBUG send_idm_request() sending request to https://localhost:8444/openidm/managed/user?_action=patch&_queryId=for-userName&uid=initUser
      2018-11-16 12:38:28.431 +0000    DEBUG SetAuthMethod() authType set to "cert"
      2018-11-16 12:38:28.442 +0000    DEBUG SetAuthMethod() auth certificate "localhost"
      2018-11-16 12:38:28.504 +0000    DEBUG send_idm_request() server certificate info:
      2018-11-16 12:38:28.504 +0000    DEBUG send_idm_request() SubjectInfo: None
      None
      None
      None
      OpenIDM Self-Signed Certificate
      openidm-localhost
      2018-11-16 12:38:28.504 +0000    DEBUG send_idm_request() IssuerInfo: None
      None
      None
      None
      OpenIDM Self-Signed Certificate
      openidm-localhost
      2018-11-16 12:38:28.504 +0000    DEBUG send_idm_request() KeySize: 256
      2018-11-16 12:38:28.505 +0000    DEBUG send_idm_request() status: 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Access denied, managed/user entry is not found"}]}}
      2018-11-16 12:38:28.505 +0000    ERROR do_remote_dispatch(): change request for user "initUser" failed, network status: 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied","detail":{"failureReasons":[{"code":401,"reason":"Unauthorized","message":"Access denied, managed/user entry is not found"}]}}

          People

            mareks Mareks Malnacs
            miroslav.meca Miroslav Meca