Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Directory Storage of Password Verifiers, 3 of 4
Oracle Internet Directory stores a user's directory password in the userPassword attribute. You can protect this password by storing it as a Base64 encoded string of a one-way hashed value by using one of Oracle Internet Directory's supported hashing algorithms. Storing passwords as one-way hashed values, rather than as encrypted values, more fully secures them because a malicious user can neither read nor decrypt them.
Beginning with Release 9.0.4, Oracle Internet Directory stores the user password in a reversible encrypted format in an operational attribute called orclrevpwd. This attribute is generated only if the attribute orclpwdencryptionenable in the password policy entry is set to TRUE. The orclrevpwd attribute can be queried only by using the SSL one-way and two-way authentication mechanisms. This attribute cannot be queried over non-SSL sessions.
This section contains these topics:
During authentication to a directory server, clients supply a password to the directory server in clear text. The directory server hashes this password by using the hashing algorithm specified in the attribute userpassword. It then verifies it against the hashed password stored in the binding entry's userPassword attribute. If the hashed password values match, then the server authenticates the user. If they do not match, then the server sends the user an "Invalid Credentials" error message.
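The following is an added illustration, not code from the Oracle documentation, of the verification step just described: a userPassword value of the form "{SCHEME}" followed by the Base64-encoded one-way hash is parsed, the clear-text bind password is hashed with the same scheme, and the two digests are compared. The {SHA} scheme is the one this page's LDIF example selects; treating {MD5} as a second recognised scheme is an assumption made here, since the page's own list of supported options is not reproduced.

```python
import base64
import hashlib
import hmac

# Hash functions behind the scheme prefixes this example understands.
# {SHA} is the scheme the page's LDIF switches to; {MD5} is assumed here
# as another common one-way scheme (assumption, not taken from the page).
SCHEMES = {"SHA": hashlib.sha1, "MD5": hashlib.md5}


def make_verifier(password: str, scheme: str = "SHA") -> str:
    """Build a userPassword value: '{SCHEME}' + Base64(one-way hash of the password)."""
    digest = SCHEMES[scheme](password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def parse_verifier(stored: str):
    """Split '{SCHEME}base64' into (scheme, raw digest); None if malformed or unknown."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        return scheme, base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def verify_bind(stored: str, supplied: str) -> bool:
    """Server side of a simple bind: hash the clear-text password with the stored
    scheme and compare digests in constant time. False means 'Invalid Credentials'."""
    parsed = parse_verifier(stored)
    if parsed is None:
        return False
    scheme, expected = parsed
    actual = SCHEMES[scheme](supplied.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample entry; 'welcome' is the password used in the page's ldapmodify example.
    entry = {"userPassword": make_verifier("welcome", "SHA")}
    print(entry["userPassword"])
    print(verify_bind(entry["userPassword"], "welcome"))  # True
    print(verify_bind(entry["userPassword"], "Welcome"))  # False
```

Note that an unsalted SHA-1 verifier lets identical passwords produce identical stored values, which is why stronger salted schemes are generally preferred where the directory supports them.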
During installation, Oracle Universal Installer prompts you to set the one-way hashing scheme for protecting user passwords to the directory. It presents you with these options:
The hashing algorithm value you specify at installation is stored in the orclCryptoScheme attribute in the root DSE. You can change that value by using either Oracle Directory Manager or ldapmodify.
You must be a super user to manage password protection by using Oracle Directory Manager.
To change the type of password protection by using Oracle Directory Manager:
The following example changes the password hashing algorithm to SHA by using an LDIF file named my_ldif_file:
ldapmodify -D cn=orcladmin -w welcome -h myhost -p 389 -v -f my_ldif_file
The LDIF file, my_ldif_file, contains:

dn:
changetype: modify
replace: orclcryptoscheme
orclcryptoscheme: SHA
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.