
For flag DumpService.includeUsers export contains only system users

Open tlocwin opened this issue 8 years ago • 5 comments

Hello @ghenzler ,

While testing this tool for my migration I found a bug in AC Tool: once I set the flag

DumpService.includeUsers

in

/system/console/configMgr/biz.netcentric.cq.tools.actool.dumpservice.impl.DumpServiceImpl

the export/dump contains only system users, but I'm expecting that the dump will contain all users and passwords.

Thanks, Tomek

tlocwin, Jul 26 '17 14:07

Hi Tomek,

in theory we could easily add a property that would also dump regular users. The problem is that this would include passwords in plain text if implemented naively. Usually the PWs are in LDAP, or even SSO is used, for our projects, but if AEM is the main source for users, the users will have "production passwords" configured. On the other hand, if AEM is not the main source for users, there is not much point in this feature, since non-existing users are created on the fly anyway in the LDAP/SAML case.

How would you deal with Passwords here?

ghenzler, Nov 24 '17 15:11

Hi @ghenzler,

Basically, the idea behind using this feature is cloning or migrating instances, but honestly I don't want to use plain passwords at all, because in each case I expect the YAML file to contain the user password hash. In this case any export & import round trip would ONLY work if the etc/key (crypto key) is consistent between the source and target instances, so that the target instance is able to decrypt the migrated/imported password.

Regards, Tomek

tlocwin, Nov 24 '17 15:11

Hi Georg,

It could be configurable, with plain passwords or password hashes. At first, a dump with just plain passwords is enough for us. Also, all other props (e.g. isSystemUser) must be included.

Some of the biggest clients still don't use LDAP and create users directly in AEM. We need a dump with users for migration, including all user props and membership.

The resulting YAML will be updated after that.

Best regards, Marat

mtstv, Feb 09 '18 14:02

I personally would only implement the password hash: master key management needs to be in place anyway (e.g. for cloud config passwords). Since #251 we have the dependency on cryptoService, so it should be straightforward to implement.

ghenzler, Feb 09 '18 16:02
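The two points made above by ghenzler and tlocwin (the dump must carry a password hash rather than the plain password, and the export/import round trip only works when both instances share the same master key) can be shown in a small stand-alone model. The following is an added example and not the AC Tool's or AEM's code: the `{PBKDF2}salt$iterations$digest` hash layout, the HMAC-based wrapping that stands in for AEM's CryptoSupport, the `user_config` dump layout and the sample users are all assumptions made for this illustration.

```python
"""Added example (not AC Tool code): a hash-only user dump wrapped under a master key.

The dump carries every user property plus the password *hash*, never the plain
password, and each hash is wrapped under the exporting instance's master key so
an import only succeeds on a target that holds the same key. Hash layout,
wrapping scheme and dump layout are assumptions for this illustration, not
Oak's or AEM CryptoSupport's real formats.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 12, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 in an assumed '{PBKDF2}salt$iterations$digest' layout."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{{PBKDF2}}{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, digest_hex = stored.split("}", 1)[1].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (illustrative stand-in for a real cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(master_key: bytes):
    """Derive separate encryption and MAC keys from the instance master key."""
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def protect(value: str, master_key: bytes) -> str:
    """Wrap a value under the master key (encrypt-then-MAC); returns '{hex}'."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return "{" + (nonce + ct + tag).hex() + "}"


def unprotect(wrapped: str, master_key: bytes) -> str:
    """Unwrap; a different master key (or a tampered value) fails the tag check and raises."""
    enc_key, mac_key = _subkeys(master_key)
    raw = bytes.fromhex(wrapped.strip("{}"))
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cannot unwrap value: master key differs from the exporting instance")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def sample_users():
    """Constructed sample directory: one regular user and one system user (no password)."""
    return [
        {"id": "alice", "path": "/home/users/a", "isSystemUser": False,
         "isMemberOf": ["editors"], "passwordHash": hash_password("s3cret!")},
        {"id": "importer-service", "path": "/home/users/system", "isSystemUser": True,
         "isMemberOf": [], "passwordHash": None},
    ]


def dump_users(users, master_key: bytes) -> dict:
    """Export: all properties, but only the wrapped hash; the plain password never enters the dump."""
    entries = []
    for u in users:
        entry = {k: u[k] for k in ("id", "path", "isSystemUser", "isMemberOf")}
        if u["passwordHash"] is not None:
            entry["password"] = protect(u["passwordHash"], master_key)
        entries.append(entry)
    return {"user_config": entries}


def import_users(dump: dict, master_key: bytes) -> dict:
    """Import on the target: unwrap with its master key; a mismatch aborts instead of importing garbage."""
    result = {}
    for e in dump["user_config"]:
        user = {k: v for k, v in e.items() if k != "password"}
        user["passwordHash"] = unprotect(e["password"], master_key) if "password" in e else None
        result[e["id"]] = user
    return result


def dump_leaks(dump: dict, plain_password: str) -> bool:
    """Leak check an exporter should run: True if the plain password appears anywhere in the dump."""
    return plain_password in json.dumps(dump)


if __name__ == "__main__":
    source_key = secrets.token_bytes(32)
    dump = dump_users(sample_users(), source_key)
    print(json.dumps(dump, indent=2))
    restored = import_users(dump, source_key)          # same key material: round trip works
    print("alice verifies:", verify_password("s3cret!", restored["alice"]["passwordHash"]))
    try:
        import_users(dump, secrets.token_bytes(32))    # different key: fails loudly
    except ValueError as err:
        print("import with other key:", err)
```

The design choice worth keeping from this sketch is that a key mismatch is detected by the tag check and raises before anything is written, rather than silently importing an undecryptable value; the `dump_leaks` check is the kind of test an exporter should carry so that a "naive" implementation that copies the plain password cannot slip through.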

Hi Georg, we have a similar case with our big service. There is no LDAP integration, and it is a bit chaotic when something goes wrong with the instance and we need to restore from another source, losing all credentials from the current instance. Being able to export users with or without the password hash is a big necessity in our project.

daviwall, Sep 10 '19 08:09