Derryl Varghese wrote:
> I am setting up openLDAP for one of my Java applications. Usernames and
> passwords are stored in openLDAP and users are able to update their passwords
> via the application (using the javax.naming.directory API). I imported our
> users from our existing Sun Directory Server into openLDAP. Import was
> successful and passwords were encrypted in SSHA format. I noticed that when I
> update a password from the application, it stores it in 'Plain Text' format. I
> can unhide the password when I view it via Apache Directory Studio. A lot of
> googling later, I tried setting the "password-hash {SSHA}" in the slapd.conf
> file and that didn't help me either. I am on a Windows environment. I am
> passing the password to openLDAP in plain text format. There is no encryption
> going on in the code. I know I can encrypt it in the application but I would
> prefer openLDAP to do it for me. Please let me know if I can do anything on
> the openLDAP side.
>
> This is the Java code I use today to modify passwords. This has been working
> fine in our existing environment for the past 7 years.
>
> ModificationItem[] newAttribs = new ModificationItem[1];
> // replaces userPassword with the raw value of 'password'
> Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
> ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
> newAttribs[0] = passwordItem;
>
> .....
> DirContext ctx = this.getContext();
> ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);

If you send a clear-text password value when modifying 'userPassword' it will be clear-text.

Several solutions:

1. Set "password-hash {SSHA}" in the slapd.conf and change the password via the LDAP Modify Extended Operation (RFC 3062).
2. Generate the hashed userPassword value on the client side.
3. Use the overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read the warnings in the man page first).

Ciao, Michael.
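Solution 1 in JNDI terms, as an added example that is not part of Michael's reply or of OpenLDAP: JNDI ships no Password Modify request class, so the RFC 3062 request value is BER-encoded by hand. The OID and the ASN.1 layout come from RFC 3062; the class name PasswordModifyRequest, the changePassword helper and the assumption that ctx is an LdapContext already bound over TLS are mine. Sent this way, slapd hashes the new value according to its password-hash setting instead of storing whatever the client wrote into userPassword.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.ldap.*;

// RFC 3062 Password Modify request for JNDI (hypothetical class name, added example).
public class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";  // passwdModifyOID from RFC 3062
    private final byte[] value;

    public PasswordModifyRequest(String userDn, String oldPassword, String newPassword) {
        // PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OCTET STRING OPTIONAL,
        //     oldPasswd [1] OCTET STRING OPTIONAL, newPasswd [2] OCTET STRING OPTIONAL }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        if (userDn != null)      writeOctets(body, 0x80, userDn);
        if (oldPassword != null) writeOctets(body, 0x81, oldPassword);
        if (newPassword != null) writeOctets(body, 0x82, newPassword);
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        seq.write(0x30);                                  // SEQUENCE tag
        writeLength(seq, body.size());
        seq.write(body.toByteArray(), 0, body.size());
        value = seq.toByteArray();
    }
    // context-specific primitive tag, BER length, then the UTF-8 octets
    private static void writeOctets(ByteArrayOutputStream out, int tag, String s) {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.write(tag);
        writeLength(out, b.length);
        out.write(b, 0, b.length);
    }
    // BER definite length, minimal form; 65535 octets is more than a DN plus two passwords need
    private static void writeLength(ByteArrayOutputStream out, int len) {
        if (len < 0x80) { out.write(len); return; }
        if (len < 0x100) { out.write(0x81); out.write(len); return; }
        out.write(0x82); out.write(len >>> 8); out.write(len & 0xff);
    }
    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }
    @Override public ExtendedResponse createExtendedResponse(String id, byte[] ber, int off, int len) {
        return new ExtendedResponse() {   // value is present only when the server generated the password
            public String getID() { return id; }
            public byte[] getEncodedValue() { return ber; }
        };
    }
    // ctx: LdapContext bound over TLS, as the user or as an identity allowed to write userPassword
    public static void changePassword(LdapContext ctx, String userDn, String newPassword) throws NamingException {
        ctx.extendedOperation(new PasswordModifyRequest(userDn, null, newPassword));  // slapd applies password-hash
    }
}
```

Reading userPassword back afterwards (for example in Apache Directory Studio, as in the question) is the check that the stored value now starts with {SSHA} rather than the clear text.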