[OPENIDM-13993] Access to the old password in a mapping condition should require decrypt() Created: 24/Oct/19 Updated: 23/Jul/20 Resolved: 23/Jul/20
|Component/s:||Module - Core mapping, synchronization, reconciliation|
|Affects Version/s:||OpenIDM 6.0.0, 7.0.0, 188.8.131.52|
|Reporter:||Cyril Grosjean||Assignee:||Chris Drake|
|Labels:||CLARK, Customer, release-notes|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||2020.02 - IDM, 2020.07 - IDM|
1) When testing password sync from a managed user to an LDAP entry, using 7.0.0-SNAPSHOT (revision: 76c61e4), the fix for OpenIDM-9962 enabled, the LDAP connector 1.4.9 and the "sync-with-ldap-bidirectional" sample, I noticed the condition to test whether the password should be updated is wrong:
the current condition is just "object.password != null". It will make IDM push not only changed passwords to the target resource, but also unchanged passwords.
The right condition seems rather to be: "openidm.decrypt(object.password) != oldSource.password;"
So, all the relevant samples should be modified accordingly.
2) The 1st issue above reveals a kind of inconsistency when reading passwords, since it's not obvious to know when a variable containing a password has to be decrypted (to be compared, for example) and when it hasn't. For example, the password property of the object above has to be decrypted while the same property of the oldSource object doesn't.
3) For security reasons, it seems that the oldSource object should not contain clear-text passwords. It could allow someone to access passwords when OpenIDM crashes, for example.
|Comment by Chris Drake [ 21/May/20 ]|
Synchronization of password attributes has been removed from the OOTB samples unless the purpose of the sample is to explicitly demonstrate password sync.
|Comment by Travis Haagen [ 17/Jul/20 ]|
Verified OK for 7.0.x
No longer applicable for 7.0.x
|Comment by Lana Frost [ 23/Jul/20 ]|
Reopening to add to release notes