
Configuration of LDAP Password Store

You must set the properties of the LDAP Password Store in the pwsync.props configuration file. By default, there is one configuration file for each of the plug-ins. For example, TDI_install_dir/pwd_plugins/tds/pwsync.props is the file for the Security Directory Server Password plug-in. The LDAP Password Store is therefore configured in the pwsync.props file of the plug-in.

Note: In the configuration file, you must manually encrypt each password property. We can use the encryptPasswd utility for encryption. This utility uses a symmetric algorithm to encrypt the passwords. Make sure that the pwsync.props file is readable only by trusted system users.

The encryptPasswd utility requires that the password be passed as a parameter. The encrypted password is printed on the standard output. For a complete list of the configuration parameters and their explanation, see Common configuration and utilities of password synchronization plug-ins.

The class for the LDAP Password Store is: com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore. The following example shows a completed properties file for an SSL connection and password encryption:

#IBM Directory Integrator LDAP Password Store Settings with Encoded Passwords
#Tue Jul 30 08:21:20 EDT 2002
ldap.hostname=gbdthst1
ldap.port=636
ldap.waitForStore=true
ldap.admindn=cn=root
ldap.password=0c0bf0e3146b
ldap.ssl=true
ldap.suffix=dc=carnd11,o=ibm,c=us
encrypt=true
encryptKeyStoreFilePath=c:\sync\cryptokeys.jks
encryptKeyStoreFilePassword=0c0bf0e3146b
encryptKeyStoreCertificate=cryptoCertName
encryptKeyPassword=0c0bf0e3146b

Notes:

  1. To disable SSL, select a non-SSL port, for example, 389, and set ldap.ssl=false.
  2. To disable asymmetric password encryption, set encrypt=false. When encrypt=false, any value in encryptKeyStoreFilePath, encryptKeyStoreFilePassword, encryptKeyStoreCertificate, and encryptKeyPassword is ignored.
  3. The suffix keyword is used to identify the container where the objects that contain the user ID and new password value are found.
  4. There are some additional optional keywords that we can use to override the default object class and attribute definitions. We can add the following properties to the pwsync.props file; each is shown with its default value:

      ldap.schemaPersonObjectName=ibm-diPerson
      ldap.schemaUseridAttributeName=ibm-diUserId
      ldap.schemaPasswordAttributeName=ibm-diPassword
  5. Another optional attribute, ldap.delayMillis, is used when the ldap.waitForStore property is set to false. When ldap.waitForStore=false, ldap.delayMillis specifies the delay, in milliseconds, before the password is stored. A deadlock can occur when the:

    • SDI Password Synchronizer for the Windows system is configured to use the LDAP Password Store.
    • LDAP Password Store is configured to store into the Active Directory on the same system where the Password Synchronizer is installed.

    To avoid the deadlock, use the asynchronous mode of operation. In asynchronous mode (ldap.waitForStore=false), the password catcher code that communicates with the Windows system returns control to Windows immediately. After a short delay, the password store code, which runs in a separate thread, attempts to store the password update into the Active Directory. If ldap.waitForStore=false and no value is specified for ldap.delayMillis, then a default of ldap.delayMillis=2000 is used. In this configuration, any Password Store failures are reported in the log file, which is specified in the logFilePath property.


Password encryption

Encryption of password values is supported by both the LDAP Password Store and the JMS Password Store.

By default, the encryption is disabled. To turn it on, set the encrypt property to true. When encryption is used, the encryptKeyStoreFilePath, encryptKeyStoreFilePassword, and encryptKeyStoreCertificate property values must also be set. The encryptKeyPassword property must be set if you are using the LDAP Password Store; it is irrelevant for the rest of the Password Stores. The password encryption and decryption functions use the RSA algorithm. The following example shows configuration properties for the encryption function:

encryptKeyStoreFilePath=path to the key store file
encryptKeyStoreFilePassword=password of the key store file; encoded with the "encryptPasswd" tool
encryptKeyStoreCertificate=the alias of the public key certificate in the key store
encryptKeyPassword=password of the private key; encoded with the "encryptPasswd" tool
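The rules in the notes above (SSL port, the encrypt* keys that encrypt=true requires for the LDAP Password Store, the documented schema defaults, the ldap.delayMillis default of 2000, and the requirement that pwsync.props not be readable by other users) can be checked mechanically before the plug-in is started. The following is an added example, not IBM's code: a minimal .properties reader plus a checker for those rules, run over a constructed sample file whose encoded values are placeholders.

```python
import re
# Constructed sample pwsync.props (not IBM's file); encoded values are placeholders.
SAMPLE_PROPS = """\
#LDAP Password Store settings: ldap.waitForStore=false without ldap.delayMillis
ldap.port=636
ldap.waitForStore=false
ldap.admindn=cn=root
ldap.password=PLACEHOLDER_ENCODED
ldap.ssl=true
encrypt=true
encryptKeyStoreFilePath=c:\\sync\\cryptokeys.jks
encryptKeyStoreFilePassword=PLACEHOLDER_ENCODED
encryptKeyStoreCertificate=cryptoCertName
"""
ENCRYPT_KEYS = ("encryptKeyStoreFilePath", "encryptKeyStoreFilePassword",
                "encryptKeyStoreCertificate", "encryptKeyPassword")
SCHEMA_DEFAULTS = {"ldap.schemaPersonObjectName": "ibm-diPerson",
                   "ldap.schemaUseridAttributeName": "ibm-diUserId",
                   "ldap.schemaPasswordAttributeName": "ibm-diPassword"}

def parse_props(text):
    """Minimal Java .properties reader (comments, key=value / key:value / key value);
    backslash escapes and line continuations are left undecoded."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_ldap_store(props, file_mode=None):
    """Apply the documented rules; return (effective settings, findings)."""
    effective, findings = dict(SCHEMA_DEFAULTS), []   # documented schema defaults
    effective.update(props)
    if effective.get("ldap.ssl", "").lower() != "true":
        findings.append("ldap.ssl is not true: the LDAP connection is not protected by SSL")
    if effective.get("encrypt", "").lower() == "true":
        missing = [k for k in ENCRYPT_KEYS if not effective.get(k)]
        if missing:   # the LDAP store also needs encryptKeyPassword (private key)
            findings.append("encrypt=true but unset: " + ", ".join(missing))
    else:
        findings.append("encrypt is not true: stored values are not RSA-encrypted; encrypt* keys ignored")
    if effective.get("ldap.waitForStore") == "false":
        effective.setdefault("ldap.delayMillis", "2000")   # documented default
    if file_mode is not None and file_mode & 0o044:          # group/other readable
        findings.append("pwsync.props is readable by group or other users")
    return effective, findings
```

Pass the mode bits of the real file (os.stat(path).st_mode) as file_mode on a POSIX system; the sample above is missing encryptKeyPassword, so the checker reports it.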

We can create and manage keystore files and the public or private keys with the keytool and iKeyman JRE utilities. For more information about keystores and keytool, see:

The java.security file in the install_directory/jvm/jre/lib/security directory is set up to contain a reference to the security provider com.ibm.crypto.provider.IBMJCE. The following example shows the relevant portion of the file:

:
:
:

# List of providers and their preference orders :
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE

:
:
:

An example AssemblyLine, which demonstrates the decryption of captured passwords, is included in the SDI installation. The AssemblyLine and a readme file are stored in the TDI_install_dir/examples/pwsync_decryption/ directory where TDI_install_dir is the installation directory of the SDI.

Notes:

  1. RSA is an asymmetric encryption algorithm, which uses a public key to encrypt and its associated private key to decrypt. Because only the public key is needed for encryption, distribute only the public key in the keystore file of the Password Store. This does not apply to the LDAP Password Store, which decrypts the already stored password values to determine which password to delete; therefore its keystore also requires the private key.
  2. The keystore files contain sensitive data and must be properly protected by using file system permissions.

