18 Jul 2013

How to store user password only on external resources with Apache Syncope

Written by mdisabatino

Today we will see how to create a user without saving the password in the Apache Syncope repository. The user's password will be stored only in Active Directory.

Use case: users created on Apache Syncope that have AD as an assigned resource can authenticate to the console using the externally provisioned password. The Apache Syncope console uses an NTLMv2 filter for authentication. This filter performs NTLMv2 authentication with the browser client. After successful authentication, an HTTP session is created and access to the Apache Syncope console is granted.

To do this, we have modified some classes:

1) org.apache.syncope.core.persistence.beans.user.SyncopeUser

    // nullable, so that a user can be saved without a local password
    @Column(nullable = true)
    private String password;

2) org.apache.syncope.core.persistence.dao.impl.UserDAOImpl

    public SyncopeUser save(final SyncopeUser user) {
        // clear the password so that it is not stored in the Syncope repository
        user.setPassword(null, CipherAlgorithm.SHA256, 0);

3) org.apache.syncope.console.pages.panels.StatusPanel

    final Check check = new Check("check", item.getModel(), checkGroup);
        "Syncope".equals(item.getModelObject().getResourceName()) ? false : checkVisibility);

In the StatusPanel, the checkbox for Syncope is disabled.
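
A check on the result of these changes, as an added example (not code from the original post or from the Syncope project): it reports whether the password column accepts NULL and lists accounts whose row still holds a password value, for instance users last saved before the UserDAOImpl change. The table and column names assume the default JPA mapping of the SyncopeUser bean, and an in-memory SQLite database with constructed rows stands in for the real repository.

```python
import sqlite3

# Assumption: default JPA mapping, so the SyncopeUser bean maps to a table
# "SyncopeUser" with columns "username" and "password". Adjust to your schema.
TABLE, USER_COL, PWD_COL = "SyncopeUser", "username", "password"


def password_column_nullable(conn):
    """True if the schema allows NULL in the password column (SQLite PRAGMA)."""
    for _cid, name, _type, notnull, _default, _pk in conn.execute(
            f"PRAGMA table_info({TABLE})"):
        if name == PWD_COL:
            return notnull == 0
    raise LookupError(f"{TABLE}.{PWD_COL} not found")


def users_with_local_password(conn):
    """Usernames whose row still holds a password value in the local store."""
    rows = conn.execute(
        f"SELECT {USER_COL} FROM {TABLE} "
        f"WHERE {PWD_COL} IS NOT NULL AND {PWD_COL} <> '' ORDER BY {USER_COL}")
    return [r[0] for r in rows]


def build_sample_db():
    """Constructed sample data: one legacy row with a value, two rows without."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, "
                 f"{USER_COL} TEXT NOT NULL, {PWD_COL} TEXT NULL)")
    conn.executemany(
        f"INSERT INTO {TABLE} ({USER_COL}, {PWD_COL}) VALUES (?, ?)",
        [("legacy.user", "0" * 64),   # placeholder hash, saved before the change
         ("ad.user1", None),          # saved after the change
         ("ad.user2", None)])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("password column nullable:", password_column_nullable(db))
    for name in users_with_local_password(db):
        print("local password still stored for:", name)
```

On a production database the nullability check would query that engine's own catalog instead of the SQLite PRAGMA used here.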


See you soon

