Description:
In previous builds of the Directory, the two passwords "dsa-password" and "ldap-dsa-password" were stored in clear-text, but an enhancement in r12.0 SP3 means that these passwords can now be hashed. Read this knowledge document for the process involved.
Solution:
The process of hashing the "dsa-password" and "ldap-dsa-password" values in a DSA's knowledge file involves two steps:
Converting plain text using the "dxpassword" utility
Any DSA's knowledge file created using the "DXnewdsa" command will have a dsa-password of "secret", e.g.:
set dsa "democorp" =
{
    prefix       = <c AU><o democorp>
    dsa-name     = <c AU><o democorp><cn "democorp">
    dsa-password = "secret"

set dsa "router" =
{
    prefix       = <c AU>
    dsa-name     = <c AU><cn "router">
    dsa-password = "secret"
To hash the router's dsa-password, whose plain-text value is "secret", execute the dxpassword command, specifying the "CADIR" algorithm and the plain-text value "secret" as parameters. The cipher text is displayed on the screen, e.g.:
>dxpassword -P CADIR secret
{CADIR}2ix/cSku
If you want to encrypt the plain text value of "password", the command would be as follows:
>dxpassword -P CADIR password
{CADIR}2RqNRjmDUKw=
Updating the DSA's knowledge file with the cipher-text value
Once the cipher-text values have been generated, simply replace the dsa-password plain text value with the cipher-text value. Please ensure that the cipher-text value is enclosed using double quotes (").
If you have implemented a highly available directory backbone, please ensure that any "remote" knowledge files (the copies of a DSA's knowledge entry held on other hosts) are also updated, where applicable. For example, updating the router and democorp DSA knowledge files with the two cipher-text values generated above would look like the following:
Router knowledge file
set dsa "router" =
{
    prefix       = <c AU>
    dsa-name     = <c AU><cn "router">
    dsa-password = "{CADIR}2ix/cSku"
Democorp knowledge file
set dsa "democorp" =
{
    prefix       = <c AU><o Democorp>
    dsa-name     = <c AU><o Democorp><cn "democorp">
    dsa-password = "{CADIR}2RqNRjmDUKw="
Remember to save the knowledge files after editing and ensure that the DSAs are stopped and started to refresh their runtime configuration.
Please Note: This same process can be performed to obfuscate the "ldap-dsa-password" when using DXlink to connect to third party LDAP servers.
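The two steps above are easy to get wrong by hand across a backbone with several knowledge files: a clear-text value can be left behind in one file, or the cipher text can be pasted without its surrounding double quotes. The following Python script is an added example, not part of this knowledge document or of the CA Directory product. It audits a knowledge file for any "dsa-password" or "ldap-dsa-password" that is still clear-text, and rewrites those values with the cipher text you obtained from dxpassword (the script does not run dxpassword itself; you pass its output in). The sample knowledge file is constructed, and the mapping from plain text to cipher text reuses the two values shown earlier in this article.

```python
import re

# Constructed sample: a knowledge file excerpt as DXnewdsa leaves it,
# i.e. with clear-text passwords (not a real CA Directory file).
SAMPLE_KNOWLEDGE = '''\
set dsa "router" =
{
    prefix       = <c AU>
    dsa-name     = <c AU><cn "router">
    dsa-password = "secret"
};
set dsa "democorp" =
{
    prefix       = <c AU><o democorp>
    dsa-name     = <c AU><o democorp><cn "democorp">
    dsa-password = "secret"
    ldap-dsa-password = "password"
};
'''

# Cipher text produced by dxpassword for each plain-text value. The two values
# below are the ones shown in the article; in practice, fill this in from your
# own dxpassword runs.
CIPHER_BY_PLAINTEXT = {
    "secret": "{CADIR}2ix/cSku",
    "password": "{CADIR}2RqNRjmDUKw=",
}

# A password attribute line: optional "ldap-" prefix, then a double-quoted value.
PASSWORD_LINE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<attr>(?:ldap-)?dsa-password)(?P<eq>[ \t]*=[ \t]*)"(?P<value>[^"]*)"',
    re.MULTILINE,
)
# Hashed values carry an algorithm tag such as {CADIR} at the start.
CIPHER_PREFIX = re.compile(r'^\{[A-Z0-9]+\}')


def find_cleartext_passwords(text):
    """Return (line number, attribute name) for every password attribute
    whose value does not carry an algorithm tag, i.e. is still clear-text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_LINE.match(line)
        if m and not CIPHER_PREFIX.match(m.group("value")):
            findings.append((lineno, m.group("attr")))
    return findings


def apply_cipher_text(text, cipher_by_plaintext):
    """Replace each clear-text password value with its dxpassword cipher text,
    keeping the value double-quoted. Values that are already hashed are left
    untouched, so the rewrite can be re-run safely. A clear-text value with no
    cipher text supplied raises KeyError rather than being silently skipped."""

    def replace(m):
        value = m.group("value")
        if CIPHER_PREFIX.match(value):
            return m.group(0)
        if value not in cipher_by_plaintext:
            raise KeyError(f'no cipher text supplied for {m.group("attr")} value')
        return f'{m.group("indent")}{m.group("attr")}{m.group("eq")}"{cipher_by_plaintext[value]}"'

    return PASSWORD_LINE.sub(replace, text)


if __name__ == "__main__":
    for lineno, attr in find_cleartext_passwords(SAMPLE_KNOWLEDGE):
        print(f"line {lineno}: {attr} is still clear-text")
    updated = apply_cipher_text(SAMPLE_KNOWLEDGE, CIPHER_BY_PLAINTEXT)
    print(updated)
    print("remaining clear-text entries:", find_cleartext_passwords(updated))
```

Run the audit function over every knowledge file on every host of the backbone (for example from a loop over the knowledge directory) before restarting the DSAs; an empty result means no clear-text "dsa-password" or "ldap-dsa-password" remains, and the quoting check is implicit because only double-quoted values match.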