The way in which passwords are encrypted and checked depends on the type of data view through which the client accesses the data source. For information about data views, see Chapter 17, Directory Proxy Server Distribution and Chapter 18, Directory Proxy Server Virtualization.
For LDAP data views, Directory Proxy Server relies on the backend LDAP server for password encryption and verification. When a client modifies a password by using an ADD or MODIFY operation, the backend LDAP server can apply a password encryption policy when it stores the password. When the client issues a BIND request, the backend LDAP server is responsible for verifying the password.
For LDIF and JDBC data views, Directory Proxy Server is responsible for password encryption and verification.
LDIF data views. When a client modifies a password, Directory Proxy Server applies the encryption policy defined by the db-pwd-encryption property of the data view. The encryption policy can be PLAIN, SHA, or SSHA. The password is still stored in the data source, that is, in the LDIF file.
JDBC data views. When a client modifies a password, Directory Proxy Server applies the 3DES encryption mechanism to encrypt the JDBC data source password.
When encrypted passwords are stored, the encrypted value is prefixed by the encryption policy. So for example, a stored, encrypted password might look like {SSHA}mcasopjebjakiue or {SHA}askjdlaijfbnja. When the client issues a BIND request, Directory Proxy Server verifies the password and expects the encryption policy tag.