
Re: openLDAP storing passwords in plain text



On 04/09/13 09:07 -0400, Derryl Varghese wrote:
I am setting up openLDAP for one of my Java applications. Usernames and
passwords are stored in openLDAP and users are able to update their
passwords via the application (using the javax.naming.directory API). I
imported our users from our existing Sun Directory Server into openLDAP.
Import was successful and passwords were encrypted in SSHA format. I
noticed that when I update a password from the application, it stores it in
'Plain Text' format. I can unhide the password when I view it via Apache
Directory Studio. A lot of googling later, I tried setting the
"password-hash {SSHA}" in the slapd.conf file and that didn't help me
either. I am on a Windows environment. I am passing the password to
openLDAP in plain text format. There is no encryption going on in the code.
I know I can encrypt it in the application but I would prefer openLDAP to
do it for me. Please let me know if I can do anything on the openLDAP side.

This is the Java code I use today to modify passwords. This has been
working fine in our existing environment for the past 7 years.

import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// A plain REPLACE of userPassword: the value is sent to slapd exactly as
// the application holds it, so the server stores the bytes it receives.
ModificationItem[] newAttribs = new ModificationItem[1];
Attribute passwordAttrib =
    new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem =
    new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;

.....
DirContext ctx = this.getContext();
// Target entry is built from the uid and the configured ou.
ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou,
    newAttribs);

If your application supports the password extended operation, slapd will
hash passwords on the fly according to your password-hash configuration.

See slapo-ppolicy(5) and slapo-constraint(5) for ways to restrict what can
be written. With slapd.access(5) you can restrict a user's ability to
read the userPassword attribute.

--
Dan White
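The password extended operation Dan points to is the RFC 3062 "Password Modify" request (OID 1.3.6.1.4.1.4203.1.11.1). The following is an added example, not code from the original post or from the OpenLDAP project: it BER-encodes that request by hand and sends it through the same JNDI API the application already uses, so the only change on the application side is replacing the modifyAttributes() call. The server URL, the admin bind DN, the ou=people base and the class name PasswordModifyRequest are assumptions for the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * RFC 3062 Password Modify extended request, encoded by hand so that nothing
 * beyond the JDK's own JNDI classes is needed. slapd applies its password-hash
 * setting to newPasswd before storing it, which a plain modify of userPassword
 * does not do. (Example class, not part of the application or of OpenLDAP.)
 */
public final class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    private final byte[] value;

    /** Any of the three fields may be null to omit it from the request. */
    public PasswordModifyRequest(String userIdentity, String oldPassword, String newPassword) {
        this.value = encode(userIdentity, oldPassword, newPassword);
    }

    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }

    @Override
    public ExtendedResponse createExtendedResponse(String id, byte[] berValue, int offset, int length)
            throws NamingException {
        // The response value only carries genPasswd when the server generated a
        // password, which this request does not ask for; hand back whatever came.
        final byte[] body = berValue == null ? null : Arrays.copyOfRange(berValue, offset, offset + length);
        return new ExtendedResponse() {
            @Override public String getID() { return id; }
            @Override public byte[] getEncodedValue() { return body; }
        };
    }

    // PasswdModifyRequestValue ::= SEQUENCE {
    //   userIdentity [0] OCTET STRING OPTIONAL,
    //   oldPasswd    [1] OCTET STRING OPTIONAL,
    //   newPasswd    [2] OCTET STRING OPTIONAL }
    static byte[] encode(String userIdentity, String oldPassword, String newPassword) {
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        if (userIdentity != null) writeTlv(seq, 0x80, userIdentity.getBytes(StandardCharsets.UTF_8));
        if (oldPassword != null)  writeTlv(seq, 0x81, oldPassword.getBytes(StandardCharsets.UTF_8));
        if (newPassword != null)  writeTlv(seq, 0x82, newPassword.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeTlv(out, 0x30, seq.toByteArray());   // universal SEQUENCE, constructed
        return out.toByteArray();
    }

    /** Minimal DER tag-length-value writer; lengths up to 65535 bytes are plenty here. */
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] content) {
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else if (len < 0x100) {
            out.write(0x81);
            out.write(len);
        } else {
            out.write(0x82);
            out.write(len >>> 8);
            out.write(len & 0xff);
        }
        out.write(content, 0, len);
    }

    /** Drop-in replacement for the modifyAttributes() call: same inputs, hashed storage. */
    public static void changePassword(LdapContext ctx, String userDn, String newPassword)
            throws NamingException {
        // userIdentity is the entry's DN. oldPasswd is omitted because the application
        // binds with an administrative identity; a self-service change would bind as
        // the user and supply the old password so slapd can verify it.
        ctx.extendedOperation(new PasswordModifyRequest(userDn, null, newPassword));
    }

    public static void main(String[] args) throws NamingException {
        // Assumed connection details. Use ldaps:// (or StartTLS) so the new password
        // only crosses the wire inside TLS; the server receives it in the clear.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, args[0]);   // admin password
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            changePassword(ctx, "uid=" + args[1] + ",ou=people,dc=example,dc=com", args[2]);
        } finally {
            ctx.close();
        }
    }
}
```

Two things to check on the slapd side before trusting the result: password-hash in slapd.conf (olcPasswordHash under cn=config) is what the extended operation honours, so the "{SSHA}" setting that appeared not to work with plain modifies applies here; and a plain modify of userPassword will keep storing whatever bytes the client sends unless slapo-ppolicy is loaded with ppolicy_hash_cleartext (olcPPolicyHashCleartext) set. After running the example, a search for userPassword as an identity that slapd.access(5) allows to read it should return a value beginning with {SSHA}.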