IdStory Identity Manager

When I display the account on a system agenda, e.g. https://172.31.255.123/idm/#/system/f007c3d4-5e50-49ce-8fd2-09564b7afcb3/accounts and I click a user, I can get to the value of userPassword attribute:

userPassword  e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9

Fortunately, it is a hash, but (as you can see here) it is only SHA so not really a strong one. The target system is some OpenLDAP connected with LDAP connector. Given some more funky target system (as some custom-tailored / archaic systems tend to be) there is a risk that IdM would be able to display user passwords through the account agenda.

Problem is that although connector does not return confidential attribute __PASSWORD__ (which comes from mapping), it still returns userPassword (which comes from schema). IdM loads accounts from target system using system schema.
In the above example, the userPassword attribute has those two settings enabled: "returned by default", "can be read". Changing their setting does not affect reported behavior in any way.

As per our discussion with @svandav , please make it so:

• When reading data from connector into IdM, filter out schema attribute values when they are not "returned by default" so they do not propagate further.
• Alternatively, filter them in such a way that they at least do not propagate to FE.

There was a brief discussion on slack regarding this (link below).