OPENIDM-6818

OpenIDM ICF Provisioner 'runAs' use-case is broken when integrating with OpenDJ




      Password changes via the Self-Service UI with OpenIDM 5.0.0-SNAPSHOT in conjunction with the LDAP Connector and passthrough authentication (aka Sample2d) do not behave as expected.

      Specifically the behavior of OpenIDM with respect to password changes and the ICF 'RunAs' operation does not appear to be correct.

      1. Password change via Self-Service UI
        • Sample2d with the OOTB config works, however it performs an Administrative Reset and not a Password Change on behalf of the authenticated user.
        • Sample2d with runAsUser set on the userPassword property within the provisioner fails to perform a Password Change on behalf of the authenticated user. See the following:
          [06/Oct/2016:11:17:27 -0400] CONNECT conn=31 from= to= protocol=LDAP
          [06/Oct/2016:11:17:27 -0400] BIND REQ conn=31 op=0 msgID=1 version=3 type=SIMPLE dn="uid=cgdrake,ou=People,dc=example,dc=com"
          [06/Oct/2016:11:17:27 -0400] BIND RES conn=31 op=0 msgID=1 result=0 authDN="uid=cgdrake,ou=People,dc=example,dc=com" etime=0
          [06/Oct/2016:11:17:27 -0400] MODIFY REQ conn=31 op=1 msgID=2 dn="uid=cgdrake,ou=People,dc=example,dc=com"
          [06/Oct/2016:11:17:27 -0400] MODIFY RES conn=31 op=1 msgID=2 result=50 message="The entry uid=cgdrake,ou=People,dc=example,dc=com cannot be modified due to insufficient access rights" etime=0
          [06/Oct/2016:11:17:27 -0400] UNBIND REQ conn=31 op=2 msgID=3
          [06/Oct/2016:11:17:27 -0400] DISCONNECT conn=31 reason="Client Unbind"

          The above is caused by the fact that the OpenICF Provisioner requires that the uid attribute be present in the request payload in order to identify the runAsUser. Consequently, when the LDAP Modify operation is performed against the remote LDAP server, both uid and userPassword are modified, and the OOTB OpenDJ Global ACIs do not allow regular users to modify their uid attribute.

      2. Programmatic Password Change via openidm script functions.
        • It's not possible to provide the X-OpenIDM-Reauth-Password within programmatic calls to openidm.XYZ(). Therefore the Password Change use case cannot be fulfilled when using a custom endpoint as the entry point.
      3. Sample LDAP provisioners are missing the runAsUser option
      4. As a result of 1b) and 2) above, coexisting with various LDAP Password Policies is difficult if not impossible. For example, assume a password policy which dictates that users must change their password within 1 hour after an administrative reset:
        ds-cfg-force-change-on-reset: true
        ds-cfg-max-password-reset-age: 3600 seconds

        With the above policy in place on the remote LDAP Server, the OpenIDM Self-Service UI cannot fulfill the Password Change requirement, as changes via the Self-Service UI will be handled as administrative resets.
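The OpenDJ access log quoted in 1b is the quickest way to see, on the directory side, whether a password operation was a self-change or an administrative reset: the DN the connection bound as either matches the entry being modified or it does not, and a MODIFY that bound as the user and came back with result=50 (LDAP insufficientAccessRights) is exactly the symptom of the combined uid+userPassword modify described in 1b. The script below is an added example, not part of this issue, of OpenIDM or of OpenDJ; it parses lines in the access-log format shown above, correlates BIND and MODIFY records per connection, and classifies each MODIFY. The conn=31 lines are the ones from the issue; the conn=32 (bind as cn=Directory Manager, the kind of bind the OOTB provisioner service account performs) and conn=33 (a successful self-change) lines are constructed here for comparison. One caveat: the access log records the target DN and result code but not which attributes were modified, so it cannot by itself prove that uid was in the modify; for that you need OpenDJ's audit logger or a capture of the LDAP traffic.

```python
import re

# Constructed sample log. conn=31 is the failed self-service change from the
# issue; conn=32 and conn=33 are made up for this example.
SAMPLE_LOG = """\
[06/Oct/2016:11:17:27 -0400] CONNECT conn=31 from= to= protocol=LDAP
[06/Oct/2016:11:17:27 -0400] BIND REQ conn=31 op=0 msgID=1 version=3 type=SIMPLE dn="uid=cgdrake,ou=People,dc=example,dc=com"
[06/Oct/2016:11:17:27 -0400] BIND RES conn=31 op=0 msgID=1 result=0 authDN="uid=cgdrake,ou=People,dc=example,dc=com" etime=0
[06/Oct/2016:11:17:27 -0400] MODIFY REQ conn=31 op=1 msgID=2 dn="uid=cgdrake,ou=People,dc=example,dc=com"
[06/Oct/2016:11:17:27 -0400] MODIFY RES conn=31 op=1 msgID=2 result=50 message="The entry uid=cgdrake,ou=People,dc=example,dc=com cannot be modified due to insufficient access rights" etime=0
[06/Oct/2016:11:17:27 -0400] UNBIND REQ conn=31 op=2 msgID=3
[06/Oct/2016:11:17:27 -0400] DISCONNECT conn=31 reason="Client Unbind"
[06/Oct/2016:11:18:02 -0400] BIND REQ conn=32 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Directory Manager"
[06/Oct/2016:11:18:02 -0400] BIND RES conn=32 op=0 msgID=1 result=0 authDN="cn=Directory Manager" etime=0
[06/Oct/2016:11:18:02 -0400] MODIFY REQ conn=32 op=1 msgID=2 dn="uid=cgdrake,ou=People,dc=example,dc=com"
[06/Oct/2016:11:18:02 -0400] MODIFY RES conn=32 op=1 msgID=2 result=0 etime=1
[06/Oct/2016:11:19:40 -0400] BIND REQ conn=33 op=0 msgID=1 version=3 type=SIMPLE dn="uid=cgdrake,ou=People,dc=example,dc=com"
[06/Oct/2016:11:19:40 -0400] BIND RES conn=33 op=0 msgID=1 result=0 authDN="uid=cgdrake,ou=People,dc=example,dc=com" etime=0
[06/Oct/2016:11:19:40 -0400] MODIFY REQ conn=33 op=1 msgID=2 dn="uid=cgdrake,ou=People,dc=example,dc=com"
[06/Oct/2016:11:19:40 -0400] MODIFY RES conn=33 op=1 msgID=2 result=0 etime=1
"""

# Only BIND and MODIFY records matter here; CONNECT/UNBIND/DISCONNECT are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<op>BIND|MODIFY) (?P<kind>REQ|RES) '
    r'conn=(?P<conn>\d+) op=(?P<opnum>\d+)(?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="([^"]*)"')
AUTHDN_RE = re.compile(r'\bauthDN="([^"]*)"')
RESULT_RE = re.compile(r'\bresult=(\d+)')

LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50  # the result code seen in the issue


def normalize_dn(dn):
    """Loose DN normalisation for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def analyze_access_log(text):
    """Correlate BIND and MODIFY records per connection and classify each MODIFY.

    Returns one dict per completed MODIFY with keys conn, bind_dn, target_dn,
    result, kind and denied. kind is 'self-change' when the bound identity
    modifies its own entry and 'admin-reset' when another identity (for
    example the provisioner's service account) modifies it.
    """
    bound = {}     # conn -> authDN of the last successful BIND on that connection
    pending = {}   # (conn, op) -> target DN of a MODIFY REQ awaiting its RES
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, opnum, rest = m['conn'], m['opnum'], m['rest']
        if m['op'] == 'BIND' and m['kind'] == 'RES':
            res = RESULT_RE.search(rest)
            auth = AUTHDN_RE.search(rest)
            if res and res.group(1) == '0' and auth:
                bound[conn] = auth.group(1)
        elif m['op'] == 'MODIFY' and m['kind'] == 'REQ':
            dn = DN_RE.search(rest)
            if dn:
                pending[(conn, opnum)] = dn.group(1)
        elif m['op'] == 'MODIFY' and m['kind'] == 'RES':
            target = pending.pop((conn, opnum), None)
            res = RESULT_RE.search(rest)
            if target is None or not res:
                continue
            bind_dn = bound.get(conn, '')   # '' means anonymous or bind not seen
            result = int(res.group(1))
            kind = ('self-change' if normalize_dn(bind_dn) == normalize_dn(target)
                    else 'admin-reset')
            findings.append({'conn': conn, 'bind_dn': bind_dn, 'target_dn': target,
                             'result': result, 'kind': kind, 'denied': result != 0})
    return findings


def denied_self_changes(text):
    """The MODIFYs that bound as the user and were refused with result=50: the failure in 1b."""
    return [f for f in analyze_access_log(text)
            if f['kind'] == 'self-change' and f['result'] == LDAP_INSUFFICIENT_ACCESS_RIGHTS]


if __name__ == '__main__':
    for f in analyze_access_log(SAMPLE_LOG):
        status = f"denied (result={f['result']})" if f['denied'] else "ok"
        print(f"conn={f['conn']} {f['kind']:12} bind={f['bind_dn'] or '<anonymous>'} "
              f"target={f['target_dn']} {status}")
```

Run against a real access log (`logs/access` under the OpenDJ instance) by feeding the file contents to `analyze_access_log`; a steady stream of 'admin-reset' entries for Self-Service password changes is the signature of the OOTB behaviour in 1a, and 'self-change' entries with result=50 are the runAsUser failure in 1b.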


cgdrake Chris Drake