How to Exclude Passwords from Directory Updates

Problem:   

Some directories, such as Active Directory, will reject LDAP updates for a user record that contains a password that hasn't changed.   So how do we exclude the password from being sent to the directory on an update event unless it is changed?
 

Answer:

ideiio Connect does not keep the state of the user fields so it can't tell what has changed.   Most directories won't return a user's password, so we can't compare the incoming password with what is in the directory.  
 
They way to handle this issue is to have ideiio lifecycle tell the ideiio Connect what fields to exclude on the update operation.  
 
If you create a new text custom field, and apply a Lua transform to it, like:
if identity.form('password') == identity.original('password') then
  log.debug('Password not changed')
   return "userPassword, unicodePwd;binary, password, passwordProfile.password, usageLocation"
end
if identity.form('password') == "" then
  log.debug('Password not changed as blank')
   return "userPassword, unicodePwd;binary, password, passwordProfile.password, usageLocation"
end

return ''
That example is for Azure and AD, so you will need to return the name of the password attribute for your resource.Then in the bridge write map:
"__exclusions_on_update__": "${urn:scim:schemas:com_ideiio_custom:1.0:YourNewCustomField}"
That'll make it exclude the password attribute if it was a non-password update to the user. 

Was this article helpful?

/

Comments

0 comments

Please sign in to leave a comment.