
LDAP Driver: Add operation does not encrypt password


Hi there,

does anyone know if this is an intended behavior or a bug?

I'm using the LDAP Driver 4.0.0.1 together with packages (LDAP Password
Synchronisation 1.0.0, etc.). When a new account is created in LDAP, the
corresponding event looks like this:

Code:
--------------------
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.4">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add cached-time="20140513131813.910Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140513131813#1#3:c64ab857-1de5-4379-a6ef-9a3a759cbec0" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1399987093#4">
      <add-attr attr-name="uid">
        <value naming="true" timestamp="1279182782#53" type="string">username</value>
      </add-attr>
      <add-attr attr-name="cn">
        <value timestamp="1378119680#2" type="string">John Smith</value>
      </add-attr>
      <add-attr attr-name="sn">
        <value timestamp="1279182782#15" type="string">Smith</value>
      </add-attr>
      <password><!-- content suppressed --></password>
      <operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
        <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
        <password-subscribe-status>
          <association/>
        </password-subscribe-status>
      </operation-data>
    </add>
  </input>
</nds>
--------------------


And it gives me the following output:

Code:
--------------------
[05/13/14 15:18:14.323]:LDAP ST:LDAP: LDAPSub.performAddOperation() Calling getAllSups(inetOrgPerson)
[05/13/14 15:18:14.323]:LDAP ST:LDAP: LDAP Add:
dn: UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de
userpassword: <content suppressed>
uid: username
sn: Smith
cn: John Smith
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
--------------------


As you can see, the password is handled as a normal attribute, so it is
stored as cleartext in the LDAP Server.



Now when I trigger a modify event it looks like this:

Code:
--------------------
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.4">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <modify class-name="inetOrgPerson" event-id="IDMTEST01-NDS#20140513132207#1#1:59c2ee12-58f5-48da-b4c0-c2213ce1f57e" from-merge="true" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
      <association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
      <modify-attr attr-name="uid">
        <remove-all-values/>
        <add-value>
          <value naming="true" timestamp="1279182782#53" type="string">username</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="cn">
        <remove-all-values/>
        <add-value>
          <value timestamp="1378119680#2" type="string">John Smith</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="sn">
        <remove-all-values/>
        <add-value>
          <value timestamp="1279182782#15" type="string">Smith</value>
        </add-value>
      </modify-attr>
      <operation-data>
        <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
      </operation-data>
    </modify>
    <modify-password class-name="inetOrgPerson" event-id="pwd-subscribe" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
      <association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
      <password><!-- content suppressed --></password>
      <operation-data>
        <password-subscribe-status>
          <association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
        </password-subscribe-status>
      </operation-data>
    </modify-password>
  </input>
</nds>
--------------------


And the output is different too:

Code:
--------------------
[05/13/14 15:22:07.383]:LDAP ST:LDAP: LDAP Modify: uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de
LDAPModification: (operation=replace,(LDAPAttribute: {type='uid', value='username'}))
LDAPModification: (operation=replace,(LDAPAttribute: {type='cn', value='John Smith'}))
LDAPModification: (operation=replace,(LDAPAttribute: {type='sn', value='Smith'}))
[05/13/14 15:22:07.388]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() The driver detected that the LDAP server supports the password modify extended operation (1.3.6.1.4.1.4203.1.11.1), so we'll attempt to set the password that way.
[05/13/14 15:22:07.398]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() Password change succeeded.
--------------------


This time, it detected a "password modify extended operation" and the
password is encrypted as SSHA in the LDAP Server.


So why is the password not encrypted right in the add event? Is there
something wrong with the policy (NOVLPWDSYNC-sub-ctp-TransformDistPwd),
or is this some kind of feature I don't understand?
Did anyone build a workaround for this already?


--
d_redner
------------------------------------------------------------------------
d_redner's Profile: https://forums.netiq.com/member.php?userid=790
View this thread: https://forums.netiq.com/showthread.php?t=50837
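As an added, defender-side check for the situation described in this post (not part of the thread and not NetIQ code): audit an LDIF export of the target LDAP server, flag userPassword values that carry no {scheme} prefix, and verify that an {SSHA} value has the RFC 2307 form. The sample entries, the salt and the cleartext value are constructed for the example.

```python
"""Audit an LDIF export for userPassword values stored without a hash.

Added example for the symptom above (the add path writing userPassword as a
plain attribute); it is not part of the thread or of the NetIQ LDAP driver.
The sample export at the bottom is constructed; its hash is generated here
from a fixed salt.
"""
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional, Tuple

# RFC 2307 scheme prefix such as "{SSHA}" or "{CRYPT}"; cleartext values have none.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def classify(value: str) -> str:
    """Return the storage scheme of a userPassword value, or CLEARTEXT."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def parse_ldif(ldif: str) -> List[Tuple[str, str]]:
    """Return (dn, userPassword) pairs from LDIF text.

    Handles both forms an export uses: "userPassword: value" and the base64
    form "userPassword:: <b64>" that tools emit for sensitive or binary values.
    Folded continuation lines (leading space) are joined before parsing.
    """
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    pairs: List[Tuple[str, str]] = []
    dn = ""
    for line in unfolded:
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = line[3:].strip()
        elif lower.startswith("userpassword::"):
            b64 = line.split("::", 1)[1].strip()
            pairs.append((dn, base64.b64decode(b64).decode("utf-8")))
        elif lower.startswith("userpassword:"):
            pairs.append((dn, line.split(":", 1)[1].strip()))
    return pairs


def audit(ldif: str) -> Dict[str, str]:
    """Map each DN in the export to how its password is stored."""
    return {dn: classify(value) for dn, value in parse_ldif(ldif)}


# Constructed sample export: the first entry was set through the password
# modify extended operation (hashed), the second through a plain add.
HASHED = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = "\n".join([
    "dn: uid=jsmith,ou=Users,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(HASHED.encode("ascii")).decode("ascii"),
    "",
    "dn: UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de",
    "userPassword: Welcome123",
    "",
])

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE_LDIF).items():
        print(f"{scheme:10} {dn}")
```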

Knowledge Partner

Re: LDAP Driver: Add operation does not encrypt password

Add an OTP rule.
if op=add
if password available

Then
set destination attribute userPassword to op-attr userPassword, when=after.

Strip op-attr user-password.

This will break it into an add, then a modify of password for you.


On 5/13/2014 10:04 AM, d redner wrote:

Re: LDAP Driver: Add operation does not encrypt password


Hi,

thanks for your help. I tried your solution, and the event looks like this
now:

Code:
--------------------
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.4">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add cached-time="20140514072521.209Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514072520#1#3:56cc0b09-5767-4fad-b2c4-e02f3baf2493" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1400052320#5">
      <add-attr attr-name="uid">
        <value naming="true" timestamp="1279182782#53" type="string">username</value>
      </add-attr>
      <add-attr attr-name="cn">
        <value timestamp="1378119680#2" type="string">John Smith</value>
      </add-attr>
      <add-attr attr-name="sn">
        <value timestamp="1279182782#15" type="string">Smith</value>
      </add-attr>
      <password><!-- content suppressed --></password>
      <operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
        <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
        <password-subscribe-status>
          <association/>
        </password-subscribe-status>
      </operation-data>
    </add>
    <modify class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514072520#1#3:56cc0b09-5767-4fad-b2c4-e02f3baf2493" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
      <modify-attr attr-name="userPassword">
        <remove-all-values/>
        <add-value>
          <value type="string"/>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
--------------------


The password attribute looks empty (maybe only in the trace log?), but it
claims there is no association:

Code:
--------------------
[05/14/14 09:25:21.648]:LDAP ST:LDAP: LDAPSub.performModifyOperation() No association key for modification operation.
--------------------

This makes sense, because at this point no association exists yet.

I'll try a different approach and post it here later.




geoffc;244512 Wrote:
--
d_redner
------------------------------------------------------------------------
d_redner's Profile: https://forums.netiq.com/member.php?userid=790
View this thread: https://forums.netiq.com/showthread.php?t=50837


Re: LDAP Driver: Add operation does not encrypt password


OK, now I got it. I've developed the following policy, which I put right
after "NOVLPWDSYNC-sub-ctp-TransformDistPwd" in the Command
Transformation:

Code:
--------------------
<rule>
  <description>Convert adds of password elements to modify-password elements</description>
  <comment name="author" xml:space="preserve">Redner</comment>
  <comment name="version" xml:space="preserve">3</comment>
  <comment name="lastchanged" xml:space="preserve">14.05.2014</comment>
  <conditions>
    <and>
      <if-operation op="equal">add</if-operation>
      <if-password op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- Add a new modify-password operation after our add operation, containing our current password -->
    <do-set-dest-password when="after">
      <arg-string>
        <token-password/>
      </arg-string>
    </do-set-dest-password>
    <!-- Set the event-id to pwd-subscribe -->
    <!-- This is done in the pw modify rule from "NOVLPWDSYNC-sub-ctp-TransformDistPwd", so it looks mandatory -->
    <do-set-xml-attr expression="../modify-password" name="event-id">
      <arg-string>
        <token-text>pwd-subscribe</token-text>
      </arg-string>
    </do-set-xml-attr>
    <!-- Create an association element and set it to the destination DN, otherwise the operation fails -->
    <do-append-xml-element expression="../modify-password" name="association"/>
    <do-append-xml-text expression="../modify-password/association">
      <arg-string>
        <token-dest-dn/>
      </arg-string>
    </do-append-xml-text>
    <!-- Remove the password element from the add operation -->
    <do-strip-xpath expression="password"/>
  </actions>
</rule>
--------------------


I make a copy of the password, which creates a modify-password element.
Then I add event-id=pwd-subscribe and the association, and remove the
password element from the current add.


And the event looks like this now:

Code:
--------------------
[05/14/14 10:13:38.692]:LDAP ST:Submitting document to subscriber shim:
[05/14/14 10:13:38.692]:LDAP ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.4">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add cached-time="20140514081338.263Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514081338#1#2:8731061e-9de8-4613-9b9b-475f67f7e7c4" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1400055218#4">
      <add-attr attr-name="uid">
        <value naming="true" timestamp="1279182782#53" type="string">username</value>
      </add-attr>
      <add-attr attr-name="cn">
        <value timestamp="1378119680#2" type="string">John Smith</value>
      </add-attr>
      <add-attr attr-name="sn">
        <value timestamp="1279182782#15" type="string">Smith</value>
      </add-attr>
      <operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
        <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
      </operation-data>
    </add>
    <modify-password class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="pwd-subscribe" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
      <password><!-- content suppressed --></password>
      <association>UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de</association>
      <operation-data>
        <password-subscribe-status>
          <association>UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de</association>
        </password-subscribe-status>
      </operation-data>
    </modify-password>
  </input>
</nds>
[05/14/14 10:13:38.695]:LDAP ST:Stripping operation data from input document
[05/14/14 10:13:38.695]:LDAP ST:LDAP: LDAPSub.performAddOperation() Calling getAllSups(inetOrgPerson)
[05/14/14 10:13:38.695]:LDAP ST:LDAP: LDAP Add:
dn: UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de
uid: username
sn: Smith
cn: John Smith
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top

[05/14/14 10:13:38.710]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() The driver detected that the LDAP server supports the password modify extended operation (1.3.6.1.4.1.4203.1.11.1), so we'll attempt to set the password that way.
[05/14/14 10:13:38.718]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() Password change succeeded.

--------------------


Thanks for the initial idea for this :D.





d_redner;244541 Wrote:
--
d_redner
------------------------------------------------------------------------
d_redner's Profile: https://forums.netiq.com/member.php?userid=790
View this thread: https://forums.netiq.com/showthread.php?t=50837
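An added offline model of the rule posted above, written in Python with ElementTree (this is not DirXML policy, not code from the thread, and not part of the NetIQ driver): it performs the same document mutation the rule's actions perform, so the expected output document can be asserted in a test before the rule goes into a driver. The input event is constructed from the shape shown in the thread; its event-id and password values are placeholders.

```python
"""Offline model of the Command Transformation rule above.

Added example; this is not DirXML policy and not code from the thread or
from the NetIQ LDAP driver. It applies the same document mutation with
ElementTree so the expected output can be asserted in a test before the rule
goes into a driver. SAMPLE_ADD is constructed; event-id and password are
placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Attributes the new operation carries; all copied from the originating <add>.
COPIED_ATTRS = ("class-name", "dest-dn", "qualified-src-dn", "src-dn", "src-entry-id")


def convert_add_password(xml_text: str) -> str:
    """Turn every <add> that carries a <password> into add + <modify-password>.

    Policy actions mapped onto steps: do-set-dest-password when="after"
    (new operation right after the add), do-set-xml-attr event-id,
    do-append-xml-element/-text association = dest-dn, do-strip-xpath password.
    """
    root = ET.fromstring(xml_text)
    inp = root.find("input")
    if inp is None:
        return xml_text
    for op in list(inp):
        if op.tag != "add":                      # <if-operation op="equal">add
            continue
        pwd = op.find("password")
        if pwd is None:                          # <if-password op="available"/>
            continue
        dest_dn = op.get("dest-dn")
        if not dest_dn:
            # Nothing to associate with: this is the "No association key"
            # failure the first attempt in the thread ran into.
            raise ValueError("add carries a password but no dest-dn")
        op.remove(pwd)                           # do-strip-xpath expression="password"
        mp = ET.Element("modify-password")
        for name in COPIED_ATTRS:
            value = op.get(name)
            if value is not None:
                mp.set(name, value)
        mp.set("event-id", "pwd-subscribe")      # do-set-xml-attr name="event-id"
        mp.append(pwd)                           # the password moves; the add loses it
        ET.SubElement(mp, "association").text = dest_dn   # token-dest-dn
        inp.insert(list(inp).index(op) + 1, mp)  # when="after"
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per operation: tag, event-id, password present, association."""
    inp = ET.fromstring(xml_text).find("input")
    records: List[Dict[str, Optional[str]]] = []
    for op in (inp if inp is not None else []):
        assoc = op.find("association")
        records.append({
            "op": op.tag,
            "event-id": op.get("event-id"),
            "password": "yes" if op.find("password") is not None else "no",
            "association": assoc.text if assoc is not None else None,
        })
    return records


# Constructed add event, trimmed to what the rule reads; values are placeholders.
SAMPLE_ADD = """<nds dtdversion="4.0" ndsversion="8.x">
<input>
<add class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="EVENT-ID-PLACEHOLDER" src-dn="\\TREE\\acme\\Account\\Staff\\username" src-entry-id="115121">
<add-attr attr-name="uid"><value type="string">username</value></add-attr>
<password>PASSWORD-PLACEHOLDER</password>
</add>
</input>
</nds>"""

if __name__ == "__main__":
    print(convert_add_password(SAMPLE_ADD))
```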

Knowledge Partner

Re: LDAP Driver: Add operation does not encrypt password

The difference in the two approaches is sort of based on where you do
the change.

Just modifying userPassword (my initial assumption) might have worked
better if the modify was of nspmDistributionPassword, and happened
before the Command Transform password rules. Then they would have
transformed it into a <modify-password> event. (Which is their job to do).

Glad it helped.


On 5/14/2014 4:34 AM, d redner wrote:
>
> Ok, now I got it. I've developed the following policy which I put right
> after "NOVLPWDSYNC-sub-ctp-TransformDistPwd" in the command
> Transformation:
>
> Code:
> --------------------
>
> <rule>
> <description>Convert adds of password elements to modify-password elements</description>
> <comment name="author" xml:space="preserve">Redner</comment>
> <comment name="version" xml:space="preserve">3</comment>
> <comment name="lastchanged" xml:space="preserve">14.05.2014</comment>
> <conditions>
> <and>
> <if-operation op="equal">add</if-operation>
> <if-password op="available"/>
> </and>
> </conditions>
> <actions>
> <!-- Add a new modify-password operation after our add operation, containing our current password-->
> <do-set-dest-password when="after">
> <arg-string>
> <token-password/>
> </arg-string>
> </do-set-dest-password>
> <!-- Set the event-id to pwdsubscribe -->
> <!-- This is done in the pw modify rule from "NOVLPWDSYNC-sub-ctp-TransformDistPwd", so it looks mandatory -->
> <do-set-xml-attr expression="../modify-password" name="event-id">
> <arg-string>
> <token-text>pwd-subscribe</token-text>
> </arg-string>
> </do-set-xml-attr>
> <!-- Create an association element and set it to the destination DN, otherwise the operations fails -->
> <do-append-xml-element expression="../modify-password" name="association"/>
> <do-append-xml-text expression="../modify-password/association">
> <arg-string>
> <token-dest-dn/>
> </arg-string>
> </do-append-xml-text>
> <!-- Remove the password element from the add operation -->
> <do-strip-xpath expression="password"/>
> </actions>
> </rule>
>
> --------------------
>
>
> I do a copy of the password, which creates a password-modify element.
> Then I add event-id=pwd-subscribe, the association and remove the
> password element from the current add.
>
>
> And the Event Looks like this now:
>
> Code:
> --------------------
>
> [05/14/14 10:13:38.692]:LDAP ST:Submitting document to subscriber shim:
> [05/14/14 10:13:38.692]:LDAP ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.4">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20140514081338.263Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514081338#1#2:8731061e-9de8-4613-9b9b-475f67f7e7c4" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1400055218#4">
> <add-attr attr-name="uid">
> <value naming="true" timestamp="1279182782#53" type="string">username</value>
> </add-attr>
> <add-attr attr-name="cn">
> <value timestamp="1378119680#2" type="string">John Smith</value>
> </add-attr>
> <add-attr attr-name="sn">
> <value timestamp="1279182782#15" type="string">Smith</value>
> </add-attr>
> <operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
> <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
> </operation-data>
> </add>
> <modify-password class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="pwd-subscribe" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
> <password><!-- content suppressed --></password>
> <association>UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de</association>
> <operation-data>
> <password-subscribe-status>
> <association>UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de</association>
> </password-subscribe-status>
> </operation-data>
> </modify-password>
> </input>
> </nds>
> [05/14/14 10:13:38.695]:LDAP ST:Stripping operation data from input document
> [05/14/14 10:13:38.695]:LDAP ST:LDAP: LDAPSub.performAddOperation() Calling getAllSups(inetOrgPerson)
> [05/14/14 10:13:38.695]:LDAP ST:LDAP: LDAP Add:
> dn: UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de
> uid: username
> sn: Smith
> cn: John Smith
> objectclass: inetOrgPerson
> objectclass: organizationalPerson
> objectclass: person
> objectclass: top
>
> [05/14/14 10:13:38.710]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() The driver detected that the LDAP server supports the password modify extended operation (1.3.6.1.4.1.4203.1.11.1), so we'll attempt to set the password that way.
> [05/14/14 10:13:38.718]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() Password change succeeded.
>
> --------------------
>
> Thanks for the initial idea for this :D.
>
> d_redner;244541 Wrote:
>> Hi,
>>
>> thanks for your help. I tried your solution; the event looks like this
>> now:
>>
>> Code:
>> --------------------
>> <nds dtdversion="4.0" ndsversion="8.x">
>> <source>
>> <product edition="Advanced" version="4.0.2.4">DirXML</product>
>> <contact>Novell, Inc.</contact>
>> </source>
>> <input>
>> <add cached-time="20140514072521.209Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514072520#1#3:56cc0b09-5767-4fad-b2c4-e02f3baf2493" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1400052320#5">
>> <add-attr attr-name="uid">
>> <value naming="true" timestamp="1279182782#53" type="string">username</value>
>> </add-attr>
>> <add-attr attr-name="cn">
>> <value timestamp="1378119680#2" type="string">John Smith</value>
>> </add-attr>
>> <add-attr attr-name="sn">
>> <value timestamp="1279182782#15" type="string">Smith</value>
>> </add-attr>
>> <password><!-- content suppressed --></password>
>> <operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
>> <entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
>> <password-subscribe-status>
>> <association/>
>> </password-subscribe-status>
>> </operation-data>
>> </add>
>> <modify class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140514072520#1#3:56cc0b09-5767-4fad-b2c4-e02f3baf2493" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
>> <modify-attr attr-name="userPassword">
>> <remove-all-values/>
>> <add-value>
>> <value type="string"/>
>> </add-value>
>> </modify-attr>
>> </modify>
>> </input>
>> </nds>
>> --------------------
>>
>> The password attribute looks empty (maybe in tracelog?), but it claims
>> there is no association:
>>
>> Code:
>> --------------------
>> [05/14/14 09:25:21.648]:LDAP ST:LDAP: LDAPSub.performModifyOperation() No association key for modification operation.
>> --------------------
>>
>> This makes sense, because at this time no association exists yet.
>>
>> I'll try a different approach and post it here later.
>
>

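The difference between the failing and the working event above is purely structural: the password has to leave the `<add>` and travel in a `<modify-password>` that carries the new object's DN as association, so the driver can use the password modify extended operation instead of folding the secret into the add. The following Python is an added example, not code from the thread or from the NetIQ LDAP driver; it uses a constructed event with a placeholder password, flags adds that still embed a password, and rewrites them into the working shape.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a subscriber <add> that still
# embeds <password>, the shape the driver turned into a plain LDAP add.
SAMPLE_ADD_EVENT = """<nds dtdversion="4.0" ndsversion="8.x">
<input>
<add class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,dc=acme,dc=de" event-id="evt-1" src-entry-id="115121">
<add-attr attr-name="uid"><value naming="true" type="string">username</value></add-attr>
<add-attr attr-name="sn"><value type="string">Smith</value></add-attr>
<password>placeholder-secret</password>
<operation-data attempt-to-match="true">
<password-subscribe-status><association/></password-subscribe-status>
</operation-data>
</add>
</input>
</nds>"""

def parse_event(xml_text):
    return ET.fromstring(xml_text)

def to_xml(root):
    return ET.tostring(root, encoding="unicode")

def adds_carrying_password(root):
    """dest-dn of every <add> that still carries <password> (the risky shape)."""
    return [a.get("dest-dn") for a in root.iter("add") if a.find("password") is not None]

def split_password_from_add(root):
    """Move <password> out of each <add> into a following <modify-password>,
    keyed by the add's dest-dn as association (the shape in the working trace)."""
    inp = root.find("input")
    if inp is None:
        return root
    for add in reversed(list(inp)):  # reversed: inserts never shift earlier indices
        if add.tag != "add" or add.find("password") is None:
            continue
        pwd = add.find("password")
        add.remove(pwd)
        opdata = add.find("operation-data")
        if opdata is not None and opdata.find("password-subscribe-status") is not None:
            opdata.remove(opdata.find("password-subscribe-status"))
        dest_dn = add.get("dest-dn")
        mp = ET.Element("modify-password", {"class-name": add.get("class-name", ""),
                                            "dest-dn": dest_dn, "event-id": "pwd-subscribe"})
        for attr in ("qualified-src-dn", "src-dn", "src-entry-id"):
            if add.get(attr) is not None:
                mp.set(attr, add.get(attr))
        mp.append(pwd)
        ET.SubElement(mp, "association").text = dest_dn
        status = ET.SubElement(ET.SubElement(mp, "operation-data"), "password-subscribe-status")
        ET.SubElement(status, "association").text = dest_dn
        inp.insert(list(inp).index(add) + 1, mp)
    return root
```

Running `adds_carrying_password` over trace documents is also a cheap check for the failing shape before any password reaches the shim.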