On 04/09/13 09:07 -0400, Derryl Varghese wrote: > I am setting up openLDAP for one of my Java applications. Usernames and > passwords are stored in openLDAP and users are able to update their > passwords via the application (using the javax.naming.directory API'). I > imported our users from our existing Sun Directory Server into openLDAP. > Import was successfull and passwords were encrypted in SSHA format. I > noticed that when i update a password from the application, it stores it > in 'Plain Text' format. I can unhide the password when i view it via > Apache Directory Studio. A lot of googling later, i tried setting the > "password-hash {SSHA}" in the slapd.conf file and that didn't help me > either. I am on a windows environment. I am passing the password to > openLDAP in plain text format. There is no encryption going on in the > code. I know i can encrypt it in the application but i would prefer > openLDAP to do it for me. Please let me know if i can do anything on the > openLDAP side. > > This is the JAVA code i use today to modify passwords. This has been > working fine in our existing environment for the past 7 years. > > ModificationItem[] newAttribs = new ModificationItem[1]; > Attribute passwordAttrib = new > BasicAttribute(DirectoryConstants.USER_PASSWORD, password); > ModificationItem passwordItem = new > ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib); > newAttribs[0] = passwordItem; > > ..... > DirContext ctx = this.getContext(); > ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," > + ou, newAttribs); If your application supports the password extended operation, slapd will hash passwords on the fly according to your password-hash configuration.

Derryl Varghese wrote: > I am setting up openLDAP for one of my Java applications. Usernames and > passwords are stored in openLDAP and users are able to update their passwords > via the application (using the javax.naming.directory API'). I imported our > users from our existing Sun Directory Server into openLDAP. Import was > successfull and passwords were encrypted in SSHA format. I noticed that when i > update a password from the application, it stores it in 'Plain Text' format. I > can unhide the password when i view it via Apache Directory Studio. A lot of > googling later, i tried setting the "password-hash {SSHA}" in the slapd.conf > file and that didn't help me either. I am on a windows environment. I am > passing the password to openLDAP in plain text format. There is no encryption > going on in the code. I know i can encrypt it in the application but i would > prefer openLDAP to do it for me. Please let me know if i can do anything on > the openLDAP side. > > This is the JAVA code i use today to modify passwords. This has been working > fine in our existing environment for the past 7 years. > > |ModificationItem[] newAttribs = new ModificationItem[1]; > Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password); > ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib); > newAttribs[0] = passwordItem; > > ..... > DirContext ctx = this.getContext(); > ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);| If you send a clear-text password value when modifying 'userPassword' it will be clear-text. Several solutions: 1. Set "password-hash {SSHA}" in the slapd.conf and change password via LDAP Modify Extended Operation (RFC 3062). 2. Generate hashed userPassword value at the client side. 3. Use overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read warnings in man page before). Ciao, Michael.