
LDAP: Suppress Password Provisioning for Users Imported by Initial Synchronization

Hello Forum

We want to import users from an existing LDAP into Identity Manager using the "Initial Synchronization" functionality. Later, attribute changes of imported users in Identity Manager should be provisioned to the same LDAP again.

Since we cannot obtain the user passwords stored on LDAP, the password attributes in Identity Manager will not be set after the sync. But the intention is to leave the passwords on LDAP untouched. However, although the password mapping from Identity Manager to LDAP is conditioned on LDAPAccount.UserPassword <> '', the provisioning of (non-password) changes now raises a ConstraintViolation on "unicodePwd". As soon as we set the password in Identity Manager, the violation disappears.

Is there a way to maintain the provisioning of attribute changes by ignoring the password attribute?

Thanks in advance

Matthias

  • Hi Matthias,

    You don't mention which version you are using but I am going to assume you are on V7 or higher given the contents of your post.

    Can you confirm the condition for password mapping ... you have said LDAPAccount.UserPassword <> '' but in my system it is Left.UserPassword <> '' ?

    Have you changed the provided mapping for InetOrgPerson in any way or are you using it as supplied?

    Thanks, Barry.
  • Hi Barry

    Thanks for the reply. That's what I actually meant:
    - Left.UserPassword <> '' for UserPassword to vrtPassword, and
    - $DefaultPassword$ <> '' and Left.UserPassword = '' for vrtInitialPassword to vrtPassword

    However, even if I invalidate both rules by adding 'and 0=1', the ConstraintViolation still gets thrown ...

    Whether the mapping was changed --- I cannot tell you in detail as I inherited the project from my predecessor --- some rules have definitely been added.

    Thanks a lot
    Matthias
  • Problem solved.

    Update: it turned out that the flow works OK with "Adhoc Provisioning" but not with explicit "Provisioning" from the Sync Editor. It seems that there is simply no way of not touching the LDAP password during explicit "Provisioning". Fine with me.
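For readers who want to see what the two conditional mapping rules quoted in the thread actually do when a provisioning change set is built, here is an added illustration in Python. It is not One Identity Manager code and not something posted in the thread: it models the rules as condition/value pairs, builds the LDAP modification for an account, and shows that with an empty Left.UserPassword neither rule emits a unicodePwd write, while a forced password write with an empty value trips the same kind of constraint the directory raises. The account fields, the `force_password_write` switch (which only stands in for the explicit-"Provisioning" behaviour Matthias observed, not for documented product internals) and the sample accounts are my assumptions; the UTF-16LE quoted encoding of unicodePwd is the real Active Directory format.

```python
"""Added illustration of the conditional password mapping discussed above.
Not One Identity Manager code: the rule model, account fields and the
force_password_write switch are assumptions made for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class ConstraintViolation(Exception):
    """Stands in for the directory's constraint error on unicodePwd."""


@dataclass
class LeftAccount:
    """The Identity Manager ('Left') side of the mapping (assumed shape)."""
    cn: str
    mail: str
    UserPassword: str = ""  # stays empty after an initial sync: the LDAP hash cannot be read back


@dataclass
class MappingRule:
    target_attr: str
    value: Callable[[LeftAccount, str], Optional[str]]       # (left, $DefaultPassword$) -> value
    condition: Callable[[LeftAccount, str], bool]            # (left, $DefaultPassword$) -> apply?
    note: str = ""


def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory expects unicodePwd as UTF-16LE of the password in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def build_rules() -> List[MappingRule]:
    """The two rules quoted in the thread plus one ordinary attribute rule."""
    return [
        MappingRule("mail", lambda left, dflt: left.mail, lambda left, dflt: True,
                    "unconditional attribute mapping"),
        # UserPassword -> vrtPassword, condition: Left.UserPassword <> ''
        MappingRule("unicodePwd", lambda left, dflt: left.UserPassword,
                    lambda left, dflt: left.UserPassword != "",
                    "Left.UserPassword <> ''"),
        # vrtInitialPassword -> vrtPassword, condition: $DefaultPassword$ <> '' and Left.UserPassword = ''
        MappingRule("unicodePwd", lambda left, dflt: dflt,
                    lambda left, dflt: dflt != "" and left.UserPassword == "",
                    "$DefaultPassword$ <> '' and Left.UserPassword = ''"),
    ]


def build_modify(left: LeftAccount, default_password: str = "",
                 force_password_write: bool = False) -> Dict[str, bytes]:
    """Evaluate every rule; a rule whose condition is False contributes nothing.

    force_password_write models the observed behaviour of explicit "Provisioning"
    (an assumption for this example): the password attribute is written even when
    no rule's condition holds, with whatever Left.UserPassword contains.
    """
    changes: Dict[str, bytes] = {}
    for rule in build_rules():
        if not rule.condition(left, default_password):
            continue
        value = rule.value(left, default_password)
        if rule.target_attr == "unicodePwd":
            changes["unicodePwd"] = encode_unicode_pwd(value)
        else:
            changes[rule.target_attr] = value.encode("utf-8")
    if force_password_write and "unicodePwd" not in changes:
        changes["unicodePwd"] = encode_unicode_pwd(left.UserPassword)
    return changes


def validate_changes(changes: Dict[str, bytes]) -> Dict[str, bytes]:
    """Reject what the directory would reject: an empty unicodePwd value."""
    if "unicodePwd" in changes and changes["unicodePwd"] == encode_unicode_pwd(""):
        raise ConstraintViolation("unicodePwd: empty password is not a valid value")
    return changes


if __name__ == "__main__":
    imported = LeftAccount(cn="mmuster", mail="mmuster@example.org")   # constructed sample
    print(validate_changes(build_modify(imported)))                     # mail only, no unicodePwd
    print(validate_changes(build_modify(imported, default_password="Init-Pw-1")))  # initial password
    try:
        validate_changes(build_modify(imported, force_password_write=True))
    except ConstraintViolation as exc:
        print("rejected:", exc)
```

The point the model makes explicit: as long as the change set is built purely from the rule conditions, an account whose password was never populated in Identity Manager produces no unicodePwd operation at all, so the directory never sees an empty password. The ConstraintViolation only appears once something writes the attribute regardless of the conditions, which is consistent with the difference Matthias saw between "Adhoc Provisioning" and explicit "Provisioning".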