Bulk password generation HOWTO

Last modified 12 Nov 2021 16:57 +01:00

Since 3.6

This functionality is available since version 3.6.

Since 3.6 it is possible to generate user passwords via bulk actions (a.k.a. midPoint scripting).

You can use e.g. the following bulk action code to do that:

generate-passwords.xml: bulk action that generates passwords for specified users

<s:executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
    <s:pipeline>
        <s:search>
            <s:type>ObjectType</s:type>
            <s:searchFilter>
                <q:inOid xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
                    <q:value>b87eb285-b4ae-43c0-9e4c-7ba651de81fa</q:value>  <!-- barkeeper -->
                    <q:value>469fd663-4492-4c24-8ce3-3907df7ac7ec</q:value>  <!-- bob -->
                    <q:value>f9be8006-fd58-43f9-99ff-311935d9d3d3</q:value>  <!-- carla -->
                    <q:value>b2a3f4ad-ad7b-4691-83d9-34d5ebb50a04</q:value>  <!-- cheese -->
                    <q:value>60dd9e6b-7403-4075-bcfa-d4566a552d41</q:value>  <!-- chef -->
                </q:inOid>
            </s:searchFilter>
        </s:search>
        <s:action>
            <s:type>generate-value</s:type>
            <s:parameter>
                <s:name>items</s:name>
                <c:value xsi:type="api:PolicyItemsDefinitionType">
                    <api:policyItemDefinition>
                        <api:target>
                            <api:path>credentials/password/value</api:path>
                        </api:target>
                        <api:execute>true</api:execute>
                    </api:policyItemDefinition>
                </c:value>
            </s:parameter>
        </s:action>
        <s:filterContent>
            <s:keep>name</s:keep>
            <s:keep>credentials/password/value</s:keep>
        </s:filterContent>
    </s:pipeline>
    <s:options>
        <s:continueOnAnyError>true</s:continueOnAnyError>
    </s:options>
</s:executeScript>

Property api:execute with the value of true causes midPoint to update user objects with the newly generated passwords (besides returning these passwords as part of the output data).

For complete reference, please see the description of the generate-value action.

So, for example, when this bulk action is invoked via REST interface, like this (generate-passwords.xml is the file containing the XML code shown above):

Invoking bulk action via REST

curl.exe --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST http://localhost:8080/midpoint/ws/rest/rpc/executeScript -d @generate-passwords.xml

The result is the following:

Result of password-generating bulk action execution

<t:object xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="apti:ExecuteScriptResponseType">
   <apti:output xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
      <s:dataOutput>
         <s:item>
            <s:value oid="469fd663-4492-4c24-8ce3-3907df7ac7ec" version="17" xsi:type="c:UserType">
               <name xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">bob</name>
               <credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                  <password>
                     <value>
                        <t:clearValue>mvQLW</t:clearValue>
                     </value>
                  </password>
               </credentials>
            </s:value>
            <s:result>
               <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.process</operation>
               <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">success</status>
               ...
            </s:result>
         </s:item>
         <s:item>
            <s:value oid="60dd9e6b-7403-4075-bcfa-d4566a552d41" version="8" xsi:type="c:UserType">
               <name xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">chef</name>
               <credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                  <password>
                     <value>
                        <t:clearValue>Q9aMy</t:clearValue>
                     </value>
                  </password>
               </credentials>
            </s:value>
            <s:result>
               <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.process</operation>
               <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">success</status>
               ...
            </s:result>
         </s:item>
         ...
      </s:dataOutput>
      <s:consoleOutput>Generated value(s) for user:469fd663-4492-4c24-8ce3-3907df7ac7ec(bob)
Generated value(s) for user:60dd9e6b-7403-4075-bcfa-d4566a552d41(chef)
Generated value(s) for user:b2a3f4ad-ad7b-4691-83d9-34d5ebb50a04(cheese)
Generated value(s) for user:b87eb285-b4ae-43c0-9e4c-7ba651de81fa(barkeeper)
Generated value(s) for user:f9be8006-fd58-43f9-99ff-311935d9d3d3(carla)
</s:consoleOutput>
   </apti:output>
   <apti:result>
      <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.ModelRestService.executeScript</operation>
      <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">success</status>
      ...
   </apti:result>
</t:object>

It is also possible to specify an explicit input in bulk action call. So, the above case could be written like this:

Generating passwords (using explicit input)

<s:executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
    <s:pipeline>
        <s:action>
            <s:type>resolve</s:type>        <!-- resolves references to real objects -->
        </s:action>
        <s:action>
            <s:type>generate-value</s:type>
            <s:parameter>
                <s:name>items</s:name>
                <c:value xsi:type="api:PolicyItemsDefinitionType">
                    <api:policyItemDefinition>
                        <api:target>
                            <api:path>credentials/password/value</api:path>
                        </api:target>
                        <api:execute>true</api:execute>
                    </api:policyItemDefinition>
                </c:value>
            </s:parameter>
        </s:action>
        <s:filterContent>
            <s:keep>name</s:keep>
            <s:keep>credentials/password/value</s:keep>     <!-- removes everything except OID, name and password -->
        </s:filterContent>
    </s:pipeline>
    <s:input>
        <s:value xsi:type="c:ObjectReferenceType" oid="00000000-0000-0000-0000-000000000002" type="UserType"/> <!-- administrator -->
        <s:value xsi:type="c:ObjectReferenceType" oid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" type="UserType"/> <!-- invalid OID -->
        <s:value xsi:type="c:ObjectReferenceType" oid="c0c010c0-d34d-b33f-f00d-111111111116" type="UserType"/> <!-- guybrush -->
        <s:value xsi:type="c:ObjectReferenceType" oid="c0c010c0-d34d-b33f-f00d-11111111111e" type="UserType"/> <!-- elaine -->
    </s:input>
    <s:options>
        <s:continueOnAnyError>true</s:continueOnAnyError>
    </s:options>
</s:executeScript>

(Note the invalid OID among data. It is used to illustrate failures in processing.)

In this case we can see also the failures in the bulk action output:

Output from the bulk action

<t:object xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="apti:ExecuteScriptResponseType">
   <apti:output xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
      <s:dataOutput>
         <s:item>
            <s:value oid="00000000-0000-0000-0000-000000000002" version="159" xsi:type="c:UserType">
               <name xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">administrator</name>
               <credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                  <password>
                     <value>
                        <t:clearValue>zQXCz</t:clearValue>
                     </value>
                  </password>
               </credentials>
            </s:value>
            <s:result>
               <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.process</operation>
               <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">success</status>
               ...
            </s:result>
         </s:item>
         <s:item>
            <s:value oid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" type="c:UserType"/>
            <s:result>
               <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.process</operation>
               <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">fatal_error</status>
               <message xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">Object of type 'UserType' with oid 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' was not found.</message>
               ...
            </s:result>
         </s:item>
         ...
      </s:dataOutput>
      <s:consoleOutput>Generated value(s) for user:00000000-0000-0000-0000-000000000002(administrator)
...
</s:consoleOutput>
   </apti:output>
   <apti:result>
      <operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.ModelRestService.executeScript</operation>
      <status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">fatal_error</status>
      ...
   </apti:result>
</t:object>

The ability to specify input in this way is new in midPoint 3.6. It should be considered an experimental feature until fully tested.

Was this page helpful?

YES NO

Thanks for your feedback