Derryl Varghese wrote:
> I am setting up openLDAP for one of my Java applications. Usernames and
> passwords are stored in openLDAP and users are able to update their passwords
> via the application (using the javax.naming.directory API'). I imported our
> users from our existing Sun Directory Server into openLDAP. Import was
> successfull and passwords were encrypted in SSHA format. I noticed that when i
> update a password from the application, it stores it in 'Plain Text' format. I
> can unhide the password when i view it via Apache Directory Studio. A lot of
> googling later, i tried setting the "password-hash {SSHA}" in the slapd.conf
> file and that didn't help me either. I am on a windows environment. I am
> passing the password to openLDAP in plain text format. There is no encryption
> going on in the code. I know i can encrypt it in the application but i would
> prefer openLDAP to do it for me. Please let me know if i can do anything on
> the openLDAP side.
>
> This is the JAVA code i use today to modify passwords. This has been working
> fine in our existing environment for the past 7 years.
>
> |ModificationItem[] newAttribs = new ModificationItem[1];
> Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
> ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
> newAttribs[0] = passwordItem;
>
> .....
> DirContext ctx = this.getContext();
> ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);|
If you send a clear-text password value when modifying 'userPassword' it will
be clear-text.
Several solutions:
1. Set "password-hash {SSHA}" in the slapd.conf and change password via LDAP
Modify Extended Operation (RFC 3062).
2. Generate hashed userPassword value at the client side.
3. Use overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read warnings
in man page before).
Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature