By: Victor Zakharenko user 31 Oct 2019 at 4 a.m. CDT

7 Responses
Any request to change a user through PATCH or PUT, without explicitly specifying a password, makes the previously set password "invalid". I use https://gluu.org/docs/ce/4.0/api-guide/scim-api/#put

I want to implement an interface for editing users. I did not find any information other than using SCIM v2.

By Jose Gonzalez staff 31 Oct 2019 at 3:59 p.m. CDT

Hi, Can you elaborate more on this please? It is not clear what you mean by "invalid". If you share with us some example we may offer better assistance.

By Victor Zakharenko user 31 Oct 2019 at 4:38 p.m. CDT

I created a user "UserExample" with a password "123456".

POST scim/v2/Users

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "password": "123456",
  "userName": "UserExample",
  "roles": [
    { "value": "data_collection", "type": "operator" }
  ]
}
```

Response

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "44a6f912-a58d-4103-a8f2-867ddf794b3b",
  "meta": {
    "resourceType": "User",
    "created": "2019-10-31T21:31:37.980Z",
    "lastModified": "2019-10-31T21:31:37.980Z",
    "location": "https://sso.local/identity/restv1/scim/v2/Users/44a6f912-a58d-4103-a8f2-867ddf794b3b"
  },
  "userName": "UserExample",
  "roles": [
    { "value": "data_collection", "type": "operator" }
  ]
}
```

I tried to get an access token using the password "123456": fine, it works.

After that, I decided to change the user's name, last name, and role.

PUT scim/v2/Users/44a6f912-a58d-4103-a8f2-867ddf794b3b

```json
{
  "name": {
    "familyName": "LasNameExampleUser",
    "givenName": "FirstNameExampleUser"
  },
  "active": true,
  "roles": [
    { "value": "data_collection", "type": "operator" },
    { "value": "management_processes", "type": "operator" }
  ]
}
```

Response

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "44a6f912-a58d-4103-a8f2-867ddf794b3b",
  "meta": {
    "resourceType": "User",
    "created": "2019-10-31T21:31:37.980Z",
    "lastModified": "2019-10-31T21:34:52.543Z",
    "location": "https://sso.local/identity/restv1/scim/v2/Users/44a6f912-a58d-4103-a8f2-867ddf794b3b"
  },
  "userName": "UserExample",
  "name": {
    "familyName": "LasNameExampleUser",
    "givenName": "FirstNameExampleUser",
    "formatted": "FirstNameExampleUser LasNameExampleUser"
  },
  "active": true,
  "roles": [
    { "value": "data_collection", "type": "operator" },
    { "value": "management_processes", "type": "operator" }
  ]
}
```

After sending the request, the password "123456" does not work anymore.

**!!! now I need to reassign the password**

PUT scim/v2/Users/44a6f912-a58d-4103-a8f2-867ddf794b3b

```json
{
  "password": "123456"
}
```

By Jose Gonzalez staff 31 Oct 2019 at 5:11 p.m. CDT

Hi,

Sorry to reply with another question again but I would like to ensure there is not a conceptual misunderstanding here:

> After sending the request, the password is "123456" does not work anymore

so you are trying to log into an application with the user previously created and it does not let you in? or what do you exactly mean when you say "password does not work"?

Do the following please:

- Create a user via scim
- log into chroot (eg. `sudo gluu-serverd login`)
- execute `/opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager" -w SECRET -ZX -b 'ou=people,o=gluu' -s one "&(objectclass=gluuPerson)(uid=UID)" userPassword` replacing SECRET with your admin password and UID with the userName of the user created (eg. UserExample). No need for quotes (`"`)
- run the PUT request to modify the user just created
- execute the `ldapsearch` again

Do you notice a difference in the `userPassword`?

By Victor Zakharenko user 31 Oct 2019 at 6:54 p.m. CDT

> so you are trying to log into an application with the user previously created and it does not let you in? or what do you exactly mean when you say "password does not work"?

Right!

before change output

```
dn: inum=56c86087-a444-4f0a-873f-85858201c919,ou=people,o=gluu
userPassword: {SSHA512}d6TkakrtI0GiYJT82BLhXb8IFXAckk14EB2u+GcMgNVuDLLYWFa3Z2RebCBqmMBME+WGyjmNrY9pczVly+PeNaMRKkr2qjlX
```

after change output

```
dn: inum=56c86087-a444-4f0a-873f-85858201c919,ou=people,o=gluu
```

password gone!

I also found a similar problem (as it seems to me), but sending null in the JSON does not lead anywhere, since according to the schema null will be ignored. https://support.gluu.org/other/5291/scim-client-updateuser-is-causing-a-password-reset/
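
The before/after `ldapsearch` comparison used in the two posts above can be scripted. This is an added example, not part of the original thread or Gluu's code; the function names and the sample captures (placeholder inum and hash) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved ldapsearch outputs for the
# same entry and report what happened to userPassword across a SCIM update.

# Join LDIF continuation lines (a line starting with one space continues the previous one).
ldif_unfold() {
  awk '/^ / { buf = buf substr($0, 2); have = 1; next }
       { if (have) print buf; buf = $0; have = 1 }
       END { if (have) print buf }'
}

# Print the first userPassword value from LDIF on stdin (plain ":" or base64 "::" form);
# prints nothing when the attribute is absent.
ldif_user_password() {
  ldif_unfold | awk 'tolower($0) ~ /^userpassword::? / && !seen {
                       sub(/^[^:]+::? */, ""); print; seen = 1 }'
}

# Classify the attribute between two captures: removed | added | absent | unchanged | changed.
# Salted schemes such as {SSHA512} use a fresh salt each time the password is set, so
# re-setting the same password shows up as "changed", not "unchanged".
password_attr_change() {
  pac_before=$(printf '%s\n' "$1" | ldif_user_password)
  pac_after=$(printf '%s\n' "$2" | ldif_user_password)
  if [ -n "$pac_before" ] && [ -z "$pac_after" ]; then echo removed
  elif [ -z "$pac_before" ] && [ -n "$pac_after" ]; then echo added
  elif [ -z "$pac_before" ]; then echo absent
  elif [ "$pac_before" = "$pac_after" ]; then echo unchanged
  else echo changed
  fi
}

# Constructed sample captures (placeholder inum and hash; the hash line is folded
# the way LDIF permits for long values).
BEFORE_PUT='dn: inum=00000000-0000-0000-0000-000000000000,ou=people,o=gluu
userPassword: {SSHA512}CONSTRUCTEDplaceholderHASHpart1
 CONSTRUCTEDplaceholderHASHpart2'
AFTER_PUT='dn: inum=00000000-0000-0000-0000-000000000000,ou=people,o=gluu'

echo "userPassword across PUT: $(password_attr_change "$BEFORE_PUT" "$AFTER_PUT")"
```

A result of `removed` after a PUT or PATCH that carried no `password` field is the behaviour reported in this thread; `unchanged` is what a partial update should produce.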

By Jose Gonzalez staff 31 Oct 2019 at 7:48 p.m. CDT

I was able to replicate. It is definitely a bug, I opened an [issue](https://github.com/GluuFederation/oxTrust/issues/1869) to keep track of this. Sorry for the inconvenience. We'll deliver a fix soon. I'll update here.

By Victor Zakharenko user 01 Nov 2019 at 3:25 a.m. CDT

@Jose.Gonzalez Thanks! Will wait.

By Jose Gonzalez staff 01 Nov 2019 at 2 p.m. CDT

Victor,

The fix will be included in CE 4.0.1. It will take a couple of weeks to be released so if you'd like to patch your server now (manually), here is how to do so:

- login to chroot
- cd to `/opt/gluu/jetty/identity/webapps`
- backup oxtrust: `cp identity.war /root`
- stop it: `systemctl stop identity`
- download war with bug fix: `wget https://ox.gluu.org/maven/org/gluu/oxtrust-server/4.0.1.Final/oxtrust-server-4.0.1.Final.war`
- replace war: `mv oxtrust-server-4.0.1.Final.war identity.war`
- start identity: `systemctl start identity`

Wait a couple of minutes and test. Should be good now. Let us know...