[OPENIDM-13993] Access to the old password in a mapping condition should require decrypt() Created: 24/Oct/19  Updated: 23/Jul/20  Resolved: 23/Jul/20

Status: Closed
Project: OpenIDM
Component/s: Module - Core mapping, synchronization, reconciliation
Affects Version/s: OpenIDM 6.0.0, 7.0.0,
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Cyril Grosjean Assignee: Chris Drake
Resolution: Fixed Votes: 0
Labels: CLARK, Customer, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENIDM-13834 Remove password synchronization from ... Closed
is related to OPENIDM-13834 Remove password synchronization from ... Closed
Target Version/s:
Verified Version/s:
Story Points: 2
Sprint: 2020.02 - IDM, 2020.07 - IDM



When testing password sync from a managed user to an LDAP entry, using 7.0.0-SNAPSHOT (revision: 76c61e4) with the fix for OpenIDM-9962 enabled, the LDAP connector 1.4.9 and the "sync-with-ldap-bidirectional" sample, I noticed the condition to test whether the password should be updated is wrong:

The current condition is just "object.password != null". It will make IDM push not only changed passwords to the target resource, but also unchanged passwords.


The right condition seems rather to be: "openidm.decrypt(object.password) != oldSource.password;"


So, all the relevant samples should be modified accordingly.


2) The 1st issue above reveals a kind of inconsistency when reading passwords, since it's not obvious when a variable containing a password has to be decrypted (to be compared, for example) and when it doesn't. For example, the password property of the object above has to be decrypted while the same property of the oldSource object doesn't.


3) For security reasons, it seems that the oldSource object should not contain clear-text passwords. It could allow someone to access passwords when OpenIDM crashes, for example.
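Added illustration (not code from this report or from OpenIDM) of how the two mapping conditions discussed above evaluate for an unchanged, a changed and an absent password. The `openidm.decrypt` stub and the `{$crypto: ...}` wrapper are assumptions standing in for IDM's real scripting object and encrypted-value format.

```javascript
// Stand-in for the scripting object IDM injects into mapping conditions.
// Assumption: decrypt() unwraps a constructed {$crypto: {plaintext}} value;
// a clear-text value (as found in oldSource) is returned unchanged.
const openidm = {
  decrypt(value) {
    if (value && typeof value === "object" && "$crypto" in value) {
      return value.$crypto.plaintext;
    }
    return value;
  },
};

// Condition as shipped in the sample: true whenever a password is present,
// so an unchanged password is pushed to the target on every sync.
function sampleCondition(object, oldSource) {
  return object.password != null;
}

// Condition proposed in the report: true only when the decrypted current
// value differs from the clear-text value IDM keeps in oldSource.
// Note: when object.password is null, null != "..." is also true.
function proposedCondition(object, oldSource) {
  return openidm.decrypt(object.password) != oldSource.password;
}

// Constructed sync events (object = managed user now, oldSource = before).
function encrypted(plaintext) {
  return { $crypto: { plaintext } };
}
const SCENARIOS = {
  unchanged:  { object: { password: encrypted("Secret1!") }, oldSource: { password: "Secret1!" } },
  changed:    { object: { password: encrypted("Secret2!") }, oldSource: { password: "Secret1!" } },
  noPassword: { object: { password: null },                  oldSource: { password: "Secret1!" } },
};

// Returns what each condition decides for the named scenario.
function evaluate(name) {
  const { object, oldSource } = SCENARIOS[name];
  return {
    sample: sampleCondition(object, oldSource),
    proposed: proposedCondition(object, oldSource),
  };
}
```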


Comment by Chris Drake [ 21/May/20 ]

Synchronization of password attributes has been removed from the OOTB samples unless the purpose of the sample is to explicitly demonstrate password sync.

Comment by Travis Haagen [ 17/Jul/20 ]

Verified OK for 7.0.x

No longer applicable for 7.0.x

Comment by Lana Frost [ 23/Jul/20 ]

Reopening to add to release notes
