  1. MidPoint
  2. MID-3676

Password generator does not use per-organization password policy when creating users

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.5.1
    • Fix Version/s: distant future
    • Component/s: None
    • Labels:
      None
    • Environment:

      MC101 training samples

    • Git Revision:
      v3.5support-1-g63acf30

      Description

      1. default password policy is set to at least 8 characters
      2. per-organization password policy is set to at least 10 characters
      3. user is created using LiveSync, password is generated using global password policy (this is OK)
      4. object template mappings take place. One of the mappings assigns an organization with a stronger password policy
      5. as a result, user is NOT saved:

              at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:na]
      2017-01-17 08:51:23,808 [] [midPointScheduler_Worker-4] ERROR (com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl): SYNCHRONIZATION: Error in synchronization on resource:10000000-9999-9999-0000-a000ff000001(ExAmPLE, Inc. HR Source) for situation UNMATCHED: PolicyViolationException: Provided password does not satisfy password policies. Required minimal size (10) of password is not met (password length: 8)
      . Change was ResourceObjectShadowChangeDescription(objectDelta=null, currentShadow=shadow:0e2f7361-20ee-4e2a-8615-1a64d3b7f165(000996), oldShadow=shadow:0e2f7361-20ee-4e2a-8615-1a64d3b7f165(000996), sourceChannel=http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync, resource=resource:10000000-9999-9999-0000-a000ff000001(ExAmPLE, Inc. HR Source))
      com.evolveum.midpoint.util.exception.PolicyViolationException: Provided password does not satisfy password policies. Required minimal size (10) of password is not met (password length: 8)
      
              at com.evolveum.midpoint.model.impl.lens.projector.PasswordPolicyProcessor.processPasswordPolicy(PasswordPolicyProcessor.java:192) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.PasswordPolicyProcessor.processPasswordPolicy(PasswordPolicyProcessor.java:169) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.CredentialsProcessor.processFocusPassword(CredentialsProcessor.java:107) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.CredentialsProcessor.processFocusCredentials(CredentialsProcessor.java:93) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:264) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:163) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:214) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:112) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:311) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:221) ~[model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl.reactToChange(SynchronizationServiceImpl.java:781) [model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl.notifyChange(SynchronizationServiceImpl.java:309) [model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.provisioning.impl.ChangeNotificationDispatcherImpl.notifyChange(ChangeNotificationDispatcherImpl.java:148) [provisioning-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.provisioning.impl.ShadowCache.notifyResourceObjectChangeListeners(ShadowCache.java:1406) [provisioning-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.provisioning.impl.ShadowCache.processSynchronization(ShadowCache.java:1365) [provisioning-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.provisioning.impl.ShadowCache.synchronize(ShadowCache.java:1301) [provisioning-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:426) [provisioning-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.runInternal(LiveSyncTaskHandler.java:197) [model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:84) [model-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:648) [task-quartz-impl-3.5.1-SNAPSHOT.jar:na]
              at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:528) [task-quartz-impl-3.5.1-SNAPSHOT.jar:na]
      

      I think the problem is that the inbound generates the password, which is then validated by a password policy (per org) different from the policy which generated it... Maybe the password should be generated after assignments? (At least an option to do it that way?)
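
A small model of the ordering problem in this report, added here as an example; it is not part of the original issue and is not midPoint code. The class and function names, the "strictest applicable policy wins" rule and the generator that emits exactly the minimum length are assumptions for illustration. It runs the reported order (generate, assign, validate) next to the order the reporter suggests (assign, generate, validate).

```python
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int

class PolicyViolation(Exception):
    """Stand-in for the PolicyViolationException in the log (hypothetical class)."""

@dataclass
class User:
    name: str
    org_policies: list = field(default_factory=list)
    password: str = ""

def effective_policy(user, global_policy):
    # Assumption: the strictest policy that applies to the user is enforced.
    return max(user.org_policies + [global_policy], key=lambda p: p.min_length)

def generate(policy):
    # Assumption: the generator emits exactly the minimum length,
    # matching the 8-character password reported in the log.
    return "".join(secrets.choice(ALPHABET) for _ in range(policy.min_length))

def validate(password, policy):
    if len(password) < policy.min_length:
        raise PolicyViolation(
            f"Required minimal size ({policy.min_length}) of password is not met "
            f"(password length: {len(password)})")

def create_as_reported(name, global_policy, org_policy):
    user = User(name)
    user.password = generate(global_policy)   # step 3: generated under global policy
    user.org_policies.append(org_policy)      # step 4: template mapping assigns the org
    validate(user.password, effective_policy(user, global_policy))  # step 5: rejected
    return user

def create_generate_after_assignment(name, global_policy, org_policy):
    user = User(name)
    user.org_policies.append(org_policy)      # assignments are evaluated first
    policy = effective_policy(user, global_policy)
    user.password = generate(policy)          # generated under the policy that validates it
    validate(user.password, policy)
    return user
```
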

            People

            • Assignee:
              Unassigned
              Reporter:
              vix Ivan Noris