Differences
This shows you the differences between two versions of the page.
tutorial:adm:password_provisioning [2018/11/16 11:45] kopro [Password provisioning]
tutorial:adm:password_provisioning [2019/11/08 07:59] doischert
Line 1: | Line 1: | ||
+ | ====== Password provisioning ====== | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Connects which support changing user's password (table, ad, ldap, ...) it is possible to provision passwords. Each of these connectors has special settings for password attribute. Eq.: | ||
+ | |||
+ | After you choose the password attribute and generate the schema for the system, it is possible to **create** mapping for password. Main password attribute can be mapped as the **\_\_PASSWORD\_\_** attribute. | ||
+ | |||
+ | Main password attribute (\_\_PASSWORD\_\_) is sent to end system only with uid, all attributes including another attributes marked as password will be sent in a separate provisioning operation. If application property (// | ||
+ | |||
+ | All password attributes will be transformed using transformation scripts before provisioning to the end system. The transformation scripts must return **GuardedString** or **null**, all another object throw exception. All transformation scripts obtain password in **attributeValue**. For transformation script, the classic rules for check security etc. will be applied . | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | ===== Passwords and transformation ===== | ||
+ | The transformations of password will be applied in these situations: | ||
+ | |||
+ | ==== Password change ==== | ||
+ | User changes his password for accounts (doesn' | ||
+ | |||
+ | If the script for transforming password/s contains errors it will throw an exception which **is not stored** in the provisioning operation queue. | ||
+ | |||
+ | ==== Creating a new account and generating password ==== | ||
+ | |||
+ | When the administrator or an automated process adds a role with a mapped system to the user and the mapping for the system contains password attributes, new password will be generated and this password will be transformed by each script in password attributes. The same password will be sent to all scripts. | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | The password is generated by a password policy for generating password that is selected for the system. If system contains no password policy for generating passwords, the password will be generated by the CzechIdM default password policy. If even default password policy doesn' | ||
+ | |||
+ | ===== Attribute Password in schema (__PASSWORD__) ===== | ||
+ | |||
+ | <note tip>If the attribute __PASSWORD__ is missing, you must create this attribute manually.</ | ||
+ | |||
+ | {{: | ||
+ | |||
+ | * **Name:** \_\_PASSWORD\_\_ | ||
+ | * **Data type:** eu.bcvsolutions.idm.core.security.api.domain.GuardedString | ||
+ | * **Able to create:** true | ||
+ | * **Able to edit:** true | ||
+ | * **Able to read:** true | ||
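Review bot: several sentences in this hunk are incomplete or mis-worded and should be fixed before the page is published. "Connects which support changing user's password" reads as "Connectors which support changing the user's password", "Eq.:" should be "E.g.:", and "all another object throw exception" should say that any other return value raises an exception. The paragraphs ending in "(//" and "doesn'" are cut off in this view, and the three `<note tip>` / `<note important>` blocks (and the `</` after "manually.") have no body or closing `</note>`, so the rendered page will show broken note boxes. Two places deserve one more sentence each: the password-change section says a failing transformation script throws an exception that "is not stored" in the provisioning operation queue, so it should state where an administrator will actually see that failure; and the `__PASSWORD__` schema attribute is listed with `Able to read: true` although its data type is GuardedString, so the text should say whether read access is really needed for a write-only password attribute or whether that flag should be false.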