
Remove password synchronization from samples which do not specifically address password sync use-cases


    Details

    • Type: Story
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: _Samples
    • Labels:
    • Target Version/s:
    • Verified Version/s:
    • Story Points:
      2
    • Sprint:
      2020.06 - IDM, 2020.07 - IDM

      Description

      Various samples bundled with OpenIDM include sync.json files with mappings which sync Managed User passwords to external resources.

      In most cases the mapping to the external resource does not handle password synchronization properly and therefore demonstrates a bad practice that, when adopted by customers, results in support tickets.

      Take the following extract of the sync-with-ldap-bidirectional sample:

                      {
                          "source" : "password",
                          "condition" : {
                              "type" : "text/javascript",
                              "source" : "object.password != null"
                          },
                          "transform" : {
                              "type" : "text/javascript",
                              "source" : "openidm.decrypt(source);"
                          },
                          "target" : "userPassword"
                      },
      

      The above is flawed in that it results in the managed user password always being pushed out to the target account. Effectively, a recon run with the above mapping will always update the target account, irrespective of whether a change has occurred within the managed user. A proper implementation of password synchronization must track the old password so that the condition can compare the old and new passwords and only push when they differ.
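      To make the difference concrete, here is an added simulation (not code from OpenIDM or from the sample) that runs the sample's condition and a change-tracking condition across repeated recon runs and counts how many target accounts each one would update. The `lastSyncedPassword` field, the `recon` and `simulate` helpers, and the user data are all assumptions constructed for the example; the managed password values stand in for the encrypted values OpenIDM stores.

```javascript
// Added example, not part of the OpenIDM issue or sample. Models two property
// conditions over repeated reconciliation runs. All names below are assumptions.

// The sample's condition: "object.password != null". It is true for every user
// that has a password at all, so it cannot tell a changed password from an unchanged one.
function flawedCondition(object) {
  return object.password != null;
}

// A change-tracking condition: the (encrypted) password value last pushed to the
// target is recorded per user, and a push happens only when the current value differs.
function trackingCondition(object, state) {
  if (object.password == null) return false;
  return state.lastSyncedPassword !== object.password;
}

// One recon run: returns the ids of users whose target account would be updated,
// and records the value that was pushed so the next run can compare against it.
function recon(users, condition, state) {
  const updated = [];
  for (const user of users) {
    state[user._id] = state[user._id] || {};
    if (condition(user, state[user._id])) {
      updated.push(user._id);
      state[user._id].lastSyncedPassword = user.password;
    }
  }
  return updated;
}

// Runs `runs` recons over two constructed managed users. If `changeAt` is given,
// alice's password changes before that run; otherwise nothing changes between runs.
// Returns the number of target updates per run.
function simulate(condition, runs, changeAt) {
  const users = [
    { _id: 'alice', password: 'enc:constructed-value-1' },
    { _id: 'bob', password: 'enc:constructed-value-2' },
  ];
  const state = {};
  const updatesPerRun = [];
  for (let run = 0; run < runs; run++) {
    if (run === changeAt) users[0].password = 'enc:constructed-value-3';
    updatesPerRun.push(recon(users, condition, state).length);
  }
  return updatesPerRun;
}

module.exports = { flawedCondition, trackingCondition, recon, simulate };
```

With no password changes, the flawed condition updates both accounts on every run, while the tracking condition updates them once and then stays quiet until a password actually changes.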

      Samples within OpenIDM are intended to be narrow in scope and demonstrate very specific use-cases.  Samples which do not specifically demonstrate password synchronization should not map managed user passwords to external resources.


              People

              Assignee:
              cgdrake Chris Drake
              Reporter:
              cgdrake Chris Drake
              QA Assignee:
              Julian Keller Julian Keller
              Votes:
              0
              Watchers:
              4

                Dates

                Created:
                Updated:
                Resolved: