Password Encryption and Verification

The way in which passwords are encrypted and checked depends on the type of data view through which the client accesses the data source. For information about data views, see Chapter 22, Directory Proxy Server LDAP Data Views and Chapter 23, Virtual Data Views.

For LDAP data views, Directory Proxy Server relies on the backend LDAP server for password encryption and verification. When a client modifies a password by using an ADD or MODIFY operation, the backend LDAP server can apply a password encryption policy when it stores the password. When the client issues a BIND request, the backend LDAP server is responsible for verifying the password.

For LDIF and JDBC data views, Directory Proxy Server is responsible for password encryption and verification. When a client modifies a password, Directory Proxy Server applies the encryption policy defined by the db-pwd-encryption property of the data view. The encryption policy can be PLAIN, SHA, or SSHA. The password is still stored in the data source (that is, in the LDIF file or the JDBC repository).

When encrypted passwords are stored, the encrypted value is prefixed by the encryption policy. So for example, a stored, encrypted password might look like {SSHA}mcasopjebjakiue or {SHA}askjdlaijfbnja. When the client issues a BIND request, Directory Proxy Server verifies the password and expects the encryption policy tag.