Hi there,

does anyone know if this is an intended behavior or a bug?

I'm using the LDAP Driver 4.0.0.1 together with packages (LDAP Password
Synchronisation 1.0.0, etc.). When a new account is created into LDAP,
the corresponding event looks like this:

Code:
--------------------
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.4">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add cached-time="20140513131813.910Z" class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de" event-id="IDMTEST01-NDS#20140513131813#1#3:c64ab857-1de5-4379-a6ef-9a3a759cbec0" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" timestamp="1399987093#4">
<add-attr attr-name="uid">
<value naming="true" timestamp="1279182782#53" type="string">username</value>
</add-attr>
<add-attr attr-name="cn">
<value timestamp="1378119680#2" type="string">John Smith</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1279182782#15" type="string">Smith</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data attempt-to-match="true" unmatched-src-dn="cn=username,OU=Staff">
<entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</add>
</input>
</nds>
--------------------


And it gives me the following output:

Code:
--------------------
[05/13/14 15:18:14.323]:LDAP ST:LDAP: LDAPSub.performAddOperation() Calling getAllSups(inetOrgPerson)
[05/13/14 15:18:14.323]:LDAP ST:LDAP: LDAP Add:
dn: UID=username,ou=Users,ou=TestTree,ou=Application,dc=acme,dc=de
userpassword: <content suppressed>
uid: username
sn: Smith
cn: John Smith
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
--------------------


As you can see, the password is handled as a normal attribute, so it is
stored as cleartext in the LDAP Server.



Now when I trigger a modify event it looks like this:

Code:
--------------------
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.4">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="inetOrgPerson" event-id="IDMTEST01-NDS#20140513132207#1#1:59c2ee12-58f5-48da-b4c0-c2213ce1f57e" from-merge="true" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
<association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
<modify-attr attr-name="uid">
<remove-all-values/>
<add-value>
<value naming="true" timestamp="1279182782#53" type="string">username</value>
</add-value>
</modify-attr>
<modify-attr attr-name="cn">
<remove-all-values/>
<add-value>
<value timestamp="1378119680#2" type="string">John Smith</value>
</add-value>
</modify-attr>
<modify-attr attr-name="sn">
<remove-all-values/>
<add-value>
<value timestamp="1279182782#15" type="string">Smith</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="Account" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src="UA" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121" state="1">{"ID":"LDAP Server"}</entitlement-impl>
</operation-data>
</modify>
<modify-password class-name="inetOrgPerson" event-id="pwd-subscribe" qualified-src-dn="O=acme\OU=Account\OU=Staff\CN=username" src-dn="\TREE\acme\Account\Staff\username" src-entry-id="115121">
<association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
<password><!-- content suppressed --></password>
<operation-data>
<password-subscribe-status>
<association>uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de</association>
</password-subscribe-status>
</operation-data>
</modify-password>
</input>
</nds>
--------------------


And the output is different too:

Code:
--------------------
[05/13/14 15:22:07.383]:LDAP ST:LDAP: LDAP Modify: uid=username,ou=users,ou=testtree,ou=application,dc=acme,dc=de
LDAPModification: (operation=replace,(LDAPAttribute: {type='uid', value='username'}))
LDAPModification: (operation=replace,(LDAPAttribute: {type='cn', value='John Smith'}))
LDAPModification: (operation=replace,(LDAPAttribute: {type='sn', value='Smith'}))
[05/13/14 15:22:07.388]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() The driver detected that the LDAP server supports the password modify extended operation (1.3.6.1.4.1.4203.1.11.1), so we'll attempt to set the password that way.
[05/13/14 15:22:07.398]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() Password change succeeded.
--------------------


This time, it detected a "password modify extended operation" and the
password is encrypted as SSHA in the LDAP Server.


So why is the password not encrypted right in the add event? Is there
something wrong with the policy (NOVLPWDSYNC-sub-ctp-TransformDistPwd),
or is this some kind of feature I don't understand?
Did anyone build a workaround for this already?


--
d_redner
------------------------------------------------------------------------
d_redner's Profile: https://forums.netiq.com/member.php?userid=790
View this thread: https://forums.netiq.com/showthread.php?t=50837
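An added example, not from the original post and not part of the NetIQ LDAP driver: it classifies the two event shapes quoted above (a `<password>` inside `<add>` versus a standalone `<modify-password>`) and scans a driver trace for an "LDAP Add:" block that carries userpassword as a plain attribute. The XML and trace samples are constructed, shortened versions of the events in the post.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened versions of the two nds events quoted in the post.
ADD_EVENT = """<nds dtdversion="4.0" ndsversion="8.x"><input>
<add class-name="inetOrgPerson" dest-dn="UID=username,ou=Users,dc=acme,dc=de" event-id="add-1">
<add-attr attr-name="uid"><value type="string">username</value></add-attr>
<password>secret</password>
</add></input></nds>"""

MODIFY_EVENT = """<nds dtdversion="4.0" ndsversion="8.x"><input>
<modify class-name="inetOrgPerson" event-id="mod-1">
<association>uid=username,ou=users,dc=acme,dc=de</association>
<modify-attr attr-name="cn"><remove-all-values/>
<add-value><value type="string">John Smith</value></add-value></modify-attr>
</modify>
<modify-password class-name="inetOrgPerson" event-id="pwd-subscribe">
<association>uid=username,ou=users,dc=acme,dc=de</association>
<password>secret</password>
</modify-password></input></nds>"""

# Constructed trace lines modelled on the driver output in the post.
TRACE = """[05/13/14 15:18:14.323]:LDAP ST:LDAP: LDAP Add:
dn: UID=username,ou=Users,dc=acme,dc=de
userpassword: <content suppressed>
uid: username
[05/13/14 15:22:07.398]:LDAP ST:LDAP: LDAPInterface.doPasswordModify() Password change succeeded."""


def classify_password_events(nds_xml):
    """Return (event-id, kind) for every <input> event carrying a <password>.
    'add-attribute': password travels inside <add> (the trace shows it sent as
    a plain userpassword attribute); 'extended-op': standalone <modify-password>
    (the trace shows the password modify extended operation being used)."""
    root = ET.fromstring(nds_xml)
    findings = []
    for ev in root.find("input"):
        if ev.find("password") is None:
            continue
        kind = "extended-op" if ev.tag == "modify-password" else "add-attribute"
        findings.append((ev.get("event-id"), kind))
    return findings


def adds_with_plain_userpassword(trace):
    """Return the dn of every 'LDAP Add:' block in a driver trace whose
    attribute list contains userpassword (i.e. password sent as an attribute)."""
    dns, in_add, dn = [], False, None
    for line in trace.splitlines():
        if line.endswith("LDAP Add:"):       # start of an add block
            in_add, dn = True, None
        elif in_add and line.startswith("dn: "):
            dn = line[4:]
        elif in_add and line.lower().startswith("userpassword:"):
            dns.append(dn)
        elif line.startswith("["):           # next timestamped line ends the block
            in_add = False
    return dns
```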