On 04/09/13 09:07 -0400, Derryl Varghese wrote:
I am setting up OpenLDAP for one of my Java applications. Usernames and passwords are stored in OpenLDAP and users are able to update their passwords via the application (using the javax.naming.directory API). I imported our users from our existing Sun Directory Server into OpenLDAP. Import was successful and passwords were encrypted in SSHA format. I noticed that when I update a password from the application, it stores it in plain text format. I can unhide the password when I view it via Apache Directory Studio. A lot of googling later, I tried setting "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a Windows environment. I am passing the password to OpenLDAP in plain text format. There is no encryption going on in the code. I know I can encrypt it in the application but I would prefer OpenLDAP to do it for me. Please let me know if I can do anything on the OpenLDAP side.
This is the Java code I use today to modify passwords. This has been working fine in our existing environment for the past 7 years.
    ModificationItem[] newAttribs = new ModificationItem[1];
    Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
    ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
    newAttribs[0] = passwordItem;
    .....
    DirContext ctx = this.getContext();
    ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + ","
        + ou, newAttribs);
If your application supports the password extended operation, slapd will hash passwords on the fly according to your password-hash configuration.
See slapo-ppolicy(5) and slapo-constraint(5) for ways to restrict what can be written. With slapd.access(5) you can restrict a user's ability to read the userPassword attribute.
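As an added illustration of the reply above (example code, not from either poster), this is what the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) looks like through JNDI: the class implements javax.naming.ldap.ExtendedRequest and BER-encodes the request value itself, so slapd receives the new password via the extended operation and applies its password-hash setting rather than storing whatever bytes a plain REPLACE on userPassword carried. The userDn and newPassword parameters and the changePassword helper are this example's own; the slapd side still needs password-hash configured.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.LdapContext;

// RFC 3062 Password Modify request. slapd hashes newPasswd with its configured
// password-hash before writing userPassword (example code, not from the thread).
public class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    private final byte[] value;

    public PasswordModifyRequest(String userDn, String newPassword) {
        value = encode(userDn, newPassword);
    }

    // PasswdModifyRequestValue ::= SEQUENCE {
    //   userIdentity [0] OCTET STRING OPTIONAL,   -- DN of the entry to change
    //   newPasswd    [2] OCTET STRING OPTIONAL }  -- oldPasswd [1] omitted here
    static byte[] encode(String userDn, String newPassword) {
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        writeTlv(seq, 0x80, userDn.getBytes(StandardCharsets.UTF_8));      // [0]
        writeTlv(seq, 0x82, newPassword.getBytes(StandardCharsets.UTF_8)); // [2]
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeTlv(out, 0x30, seq.toByteArray());                            // SEQUENCE
        return out.toByteArray();
    }

    // BER tag-length-value with definite-form length (short form below 128 bytes).
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] content) {
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int numBytes = (Integer.SIZE - Integer.numberOfLeadingZeros(len) + 7) / 8;
            out.write(0x80 | numBytes);
            for (int i = numBytes - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
        out.write(content, 0, content.length);
    }

    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }
    @Override public ExtendedResponse createExtendedResponse(String id, byte[] ber, int off, int len) {
        // Response value is empty unless the server generated the password for us.
        return new ExtendedResponse() {
            public String getID() { return id; }
            public byte[] getEncodedValue() { return ber == null ? null : Arrays.copyOfRange(ber, off, off + len); }
        };
    }

    // Replace the thread's REPLACE_ATTRIBUTE modify with the extended operation.
    public static void changePassword(LdapContext ctx, String userDn, String newPassword) throws NamingException {
        ctx.extendedOperation(new PasswordModifyRequest(userDn, newPassword));
    }
}
```

The bound identity must still be allowed to write userPassword for the target entry under slapd.access(5), and slapd rejects the operation over a connection it considers unprotected if configured to require TLS.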