Sun Identity Manager 8.1 Resources Reference

Overview

Directory Server allows password changes to be processed by third parties through its public plug-in API. A custom plug-in, the Password Capture plug-in, was developed to capture password changes in Directory Server.

The responsibilities of the Password Capture plug-in include:

The Directory Server Retro Changelog plug-in must be installed on the directory server before the Password Capture plug-in can be implemented. The Retro Changelog plug-in records changes to the idmpasswd attribute in the changelog database after the operation is executed by the directory server core.

The LDAP resource adapter with Active Sync enabled polls the changelog database at regular intervals, parses relevant changes, and feeds these changes into Identity Manager. The LDAP adapter parses the idmpasswd attribute, decrypts the password using the shared secret, and makes the real password available to the rest of the system.

Password Capturing Process

The Password Capture plug-in is invoked by the Directory Server core each time the server is about to process an LDAP ADD or an LDAP MODIFY operation. The plug-in inspects the changes, and if there is a password change, it inserts the idmpasswd attribute/value pair, where the value is the encrypted password.

Passwords captured by the Password Capture plug-in are encrypted using a shared key. (The same shared key is used by the configured LDAP Resource Adapter to decrypt the password.)

If the change is accepted by the server, then the Retro Changelog plug-in logs the changes, including the new value for the idmpasswd attribute, into the Retro-Changelog database. The LDAP resource adapter processes the change to the idmpasswd attribute and makes the value available to other components inside Identity Manager in the form of an encrypted string.

The idmpasswd attribute does not appear in the Directory Server's regular database when a user changes a password.

Passwords in the Retro-Changelog Database

The encrypted password is recorded in the Retro-Changelog database. The Retro-Changelog plug-in can be configured to remove entries from the Retro-Changelog database periodically. The correct trimming setting depends on the target environment. If the database is trimmed too frequently, there may be no margin for small network outages or other service disruptions, and the LDAP resource adapter may miss certain changes. On the other hand, allowing the database to grow too large may increase the security risk associated with having encrypted passwords in the database.

Note that the plug-in does not pick up hashed passwords.

Access to the contents of the Retro Changelog Database suffix (cn=changelog) should be limited. Therefore, allow read access to the LDAP resource adapter only.
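
An added example (not part of the original documentation or of Identity Manager): a Python audit that reads an LDIF export of cn=changelog and lists records still carrying an idmpasswd value past a chosen retention window, as a check that trimming behaves as intended. The sample records, DNs, timestamps and the two-day window are constructed; the record layout assumes the standard changelog attributes changeNumber, targetDN, changeTime and changes.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

def _entry(num, uid, when, attr):
    # Build one constructed changelog record whose modification replaces `attr`.
    mods = f"replace: {attr}\n{attr}: CONSTRUCTED-VALUE\n-\n".encode()
    return (f"dn: changenumber={num},cn=changelog\nchangeNumber: {num}\n"
            f"targetDN: uid={uid},ou=people,dc=example,dc=com\n"
            f"changeTime: {when}\nchangeType: modify\n"
            f"changes:: {base64.b64encode(mods).decode()}\n")

# Constructed sample input: three records as an LDIF export of cn=changelog.
SAMPLE_LDIF = "\n".join([
    _entry(101, "alice", "20090301120000Z", "idmpasswd"),
    _entry(102, "bob", "20090309080000Z", "mail"),
    _entry(103, "carol", "20090309230000Z", "idmpasswd"),
])

def parse_entries(ldif):
    """Yield one dict per LDIF record, unfolding lines and decoding 'attr::'."""
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", ldif).strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry[name.lower()] = value.strip()
        yield entry

def stale_password_changes(ldif, now, max_age):
    """Return (changeNumber, targetDN, age) for idmpasswd records older than max_age."""
    hits = []
    for e in parse_entries(ldif):
        # A value line "idmpasswd: ..." appears for both ADD and MODIFY changes.
        carries_pw = re.search(r"^idmpasswd::? ", e.get("changes", ""), re.I | re.M)
        when = datetime.strptime(e["changetime"], "%Y%m%d%H%M%SZ")
        age = now - when.replace(tzinfo=timezone.utc)
        if carries_pw and age > max_age:
            hits.append((int(e["changenumber"]), e["targetdn"], age))  # never the value
    return hits

if __name__ == "__main__":
    now = datetime(2009, 3, 10, tzinfo=timezone.utc)  # fixed clock for the sample
    for num, dn, age in stale_password_changes(SAMPLE_LDIF, now, timedelta(days=2)):
        print(f"change {num}: idmpasswd for {dn} still present after {age}")
```

The report contains only the change number, target DN and age, so the audit output does not itself become another copy of the encrypted passwords.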

Schema Changes

The idmpasswd attribute is defined as an operational attribute. Operational attributes do not require any changes to the objectclass definitions of the target entry. As a result, existing or new users in Directory Server do not need to be modified to use the password synchronization feature.

The idmpasswd attribute is defined in the schema as follows:

attributeTypes: ( idmpasswd-oid NAME 'idmpasswd' DESC 'IdM Password'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} USAGE directoryOperation
  X-ORIGIN 'Identity Manager' )

Plug-in Log Levels

The plug-in supports the following log levels: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, and FINEST. SEVERE provides the least amount of detail, and FINEST provides the most detailed logging. The INFO log level is the default level.