OPENIDM-13993

Access to the old password in a mapping condition should require decrypt()

    Details

    • Story Points: 2
    • Sprint: 2020.02 - IDM, 2020.07 - IDM

      Description

      1)

      When testing password sync from a managed user to an LDAP entry, using 7.0.0-SNAPSHOT (revision: 76c61e4), the fix for OpenIDM-9962 enabled, the LDAP connector 1.4.9 and the "sync-with-ldap-bidirectional" sample, I noticed the condition to test whether the password should be updated is wrong:

      The current condition is just "object.password != null". It will make IDM push not only changed passwords to the target resource, but also unchanged passwords.

      The right condition seems rather to be: "openidm.decrypt(object.password) != oldSource.password;"

      So, all the relevant samples should be modified accordingly.

      2) The 1st issue above reveals a kind of inconsistency when reading passwords, since it is not obvious when a variable containing a password has to be decrypted (to be compared, for example) and when it does not. For example, the password property of the object above has to be decrypted, while the same property of the oldSource object does not.

      3) For security reasons, it seems that the oldSource object should not contain clear-text passwords. It could allow someone to access passwords when OpenIDM crashes, for example.
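The condition proposed in the report, worked through as an added example that is not part of this issue or of the OpenIDM project. `openidm.decrypt` is the IDM script-API call named above; the `openidm` object and its encrypted-value format below are a constructed stand-in so the logic runs outside IDM, and `shouldPushPassword` is a hypothetical name for the condition body.

```javascript
'use strict';

// Constructed stand-in for IDM's encrypted-value wrapper. Real values are
// {"$crypto": {...}} blobs produced by IDM; here the "encryption" is a
// labelled placeholder so the example is self-contained offline.
const openidm = {
  encrypt(plain) { return { $crypto: { value: 'ENC(' + plain + ')' } }; },
  decrypt(value) {
    if (value && typeof value === 'object' && value.$crypto) {
      return value.$crypto.value.slice(4, -1);   // strip the ENC( ) marker
    }
    return value;                                // already clear text
  },
};

// Condition for the password property of a mapping: push the password only
// when it is present on the source object AND differs from what the target
// already holds (oldSource). Per the report, object.password arrives
// encrypted and must be decrypted, while oldSource.password arrives in clear
// text and is compared as-is. With no oldSource (a create) or no previous
// password, any present password is pushed.
function shouldPushPassword(object, oldSource) {
  if (object == null || object.password == null) {
    return false;                                // nothing to push
  }
  const current = openidm.decrypt(object.password);
  if (oldSource == null || oldSource.password == null) {
    return true;                                 // create, or newly set
  }
  return current !== oldSource.password;         // changed only
}
```

Compared with the original `object.password != null` condition, an unchanged password now yields `false`, so the target resource is not rewritten on every sync.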

       

              People

              • Assignee:
                cgdrake Chris Drake
              • Reporter:
                cgrosjean Cyril Grosjean
              • Votes:
                0
              • Watchers:
                5
