Hashing the password on the client side (using Jasypt) helped. Looks like I can look at UnboundID as suggested to do the password modify extended operation. I don't know how to do this using the javax.naming package. The UnboundID SDK looks easier. Thanks!!
On Tue, Apr 9, 2013 at 12:29 PM, Michael Ströder <[email protected]> wrote:

> Derryl Varghese wrote:
> > I am setting up openLDAP for one of my Java applications. Usernames and
> > passwords are stored in openLDAP and users are able to update their passwords
> > via the application (using the javax.naming.directory API). I imported our
> > users from our existing Sun Directory Server into openLDAP. Import was
> > successful and passwords were encrypted in SSHA format. I noticed that when I
> > update a password from the application, it stores it in 'Plain Text' format. I
> > can unhide the password when I view it via Apache Directory Studio. A lot of
> > googling later, I tried setting the "password-hash {SSHA}" in the slapd.conf
> > file and that didn't help me either. I am on a Windows environment. I am
> > passing the password to openLDAP in plain text format. There is no encryption
> > going on in the code. I know I can encrypt it in the application but I would
> > prefer openLDAP to do it for me. Please let me know if I can do anything on
> > the openLDAP side.
> >
> > This is the Java code I use today to modify passwords. This has been working
> > fine in our existing environment for the past 7 years.
> >
> > ModificationItem[] newAttribs = new ModificationItem[1];
> > Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
> > ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
> > newAttribs[0] = passwordItem;
> >
> > .....
> > DirContext ctx = this.getContext();
> > ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
>
> If you send a clear-text password value when modifying 'userPassword' it will
> be clear-text.
>
> Several solutions:
>
> 1. Set "password-hash {SSHA}" in the slapd.conf and change password via LDAP
> Modify Extended Operation (RFC 3062).
>
> 2. Generate hashed userPassword value at the client side.
>
> 3. Use overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read warnings
> in man page before).
>
> Ciao, Michael.
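
An added example, not code from this thread or from OpenLDAP, of solution 1 above done with javax.naming alone rather than the UnboundID SDK: the class BER-encodes the RFC 3062 PasswdModifyRequestValue by hand and sends it through LdapContext.extendedOperation, so slapd applies password-hash itself. The class and method names are the example's own choices; it assumes the caller already has an LdapContext (InitialLdapContext, not a plain DirContext) bound over ldaps:// or StartTLS, since the new password travels in the clear inside the request otherwise.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.LdapContext;

// RFC 3062 Password Modify extended operation built with plain javax.naming.ldap classes.
// slapd hashes the new value itself (per password-hash), so nothing is hashed on the client.
public class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    private final byte[] value;
    public PasswordModifyRequest(String userDn, String oldPw, String newPw) { value = encode(userDn, oldPw, newPw); }
    // PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, all OPTIONAL
    static byte[] encode(String userDn, String oldPw, String newPw) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        field(body, 0x80, userDn);      // [0] context-specific primitive tag
        field(body, 0x81, oldPw);       // [1]
        field(body, 0x82, newPw);       // [2]
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30);                // SEQUENCE
        writeLength(out, body.size());
        out.write(body.toByteArray(), 0, body.size());
        return out.toByteArray();
    }
    private static void field(ByteArrayOutputStream out, int tag, String s) {
        if (s == null) return;          // OPTIONAL element: omit it entirely
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.write(tag);
        writeLength(out, b.length);
        out.write(b, 0, b.length);
    }
    private static void writeLength(ByteArrayOutputStream out, int n) {  // BER definite length, n < 65536
        if (n < 128) { out.write(n); return; }
        if (n < 256) { out.write(0x81); out.write(n); return; }
        out.write(0x82); out.write(n >> 8); out.write(n & 0xff);
    }
    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value; }
    @Override public ExtendedResponse createExtendedResponse(String id, byte[] ber, int off, int len) {
        return new ExtendedResponse() {  // slapd sends no response value when newPasswd was supplied
            public String getID() { return id; }
            public byte[] getEncodedValue() { return ber; }
        };
    }
    // Replaces the user's password through the extended operation (hypothetical helper name).
    // ctx must be an LdapContext such as InitialLdapContext, bound over ldaps:// or StartTLS.
    public static void changePassword(LdapContext ctx, String userDn, String newPw) throws NamingException {
        ctx.extendedOperation(new PasswordModifyRequest(userDn, null, newPw));
    }
}
```

Passing null for oldPw means the bound identity's access rights decide whether the change is allowed; pass the user's current password as oldPw when the user changes their own password and slapd should verify it.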
