
Changelog Password Encryption Plugin

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact UnboundID support in order to understand the potential impact of that change.

The Changelog Password Encryption Plugin adds an encrypted form of the user password attribute to ADD and MODIFY operations that include the user password. The main purpose of this is to allow changelog entries to store this encrypted form of the password so that it may be synchronized to other types of endpoints (such as Active Directory or Oracle) using the UnboundID Identity Data Sync Server.

The encryption is performed with a key derived from the changelog-password-encryption-key property on this plugin. If the changelog is not enabled or the encryption key is not specified, this plugin has no effect. In a replicated environment the encrypted value is replicated, but this plugin must be enabled on any replica that can process password modifications.


Parent Component

The Changelog Password Encryption Plugin component inherits from the Plugin component.

Properties

The properties supported by this managed object are as follows:


Basic Properties:
  description
  enabled
  changelog-password-encryption-key

Advanced Properties:
  plugin-type
  invoke-for-internal-operations

Basic Properties

description

Description
A description for this Plugin
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

changelog-password-encryption-key

Description
This specifies the "encryption key" that will be used as part of the password encryption process. This value should also be set as the "changelog-password-decryption-key" in the Global Sync Configuration in the Identity Data Sync Server. The encryption key is actually cryptographically derived from this value, so there are no minimum complexity requirements here. This value does need to be set on the Identity Data Sync Server, so that it can decrypt and synchronize user passwords to other destinations.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


Advanced Properties

plugin-type (Advanced Property)

Description
Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
Default Value
preparseadd
preparsemodify
Allowed Values
startup - Invoked during the Identity Data Store startup process.

shutdown - Invoked during a graceful Identity Data Store shutdown.

postconnect - Invoked whenever a new connection is established to the server.

postdisconnect - Invoked whenever an existing connection is terminated (by either the client or the server).

ldifimport - Invoked for each entry read during an LDIF import.

ldifexport - Invoked for each operation to be written during an LDIF export.

preparseabandon - Invoked prior to parsing an abandon request.

preparseadd - Invoked prior to parsing an add request.

preparsebind - Invoked prior to parsing a bind request.

preparsecompare - Invoked prior to parsing a compare request.

preparsedelete - Invoked prior to parsing a delete request.

preparseextended - Invoked prior to parsing an extended request.

preparsemodify - Invoked prior to parsing a modify request.

preparsemodifydn - Invoked prior to parsing a modify DN request.

preparsesearch - Invoked prior to parsing a search request.

preparseunbind - Invoked prior to parsing an unbind request.

preoperationadd - Invoked prior to performing the core add processing.

preoperationbind - Invoked prior to performing the core bind processing.

preoperationcompare - Invoked prior to performing the core compare processing.

preoperationdelete - Invoked prior to performing the core delete processing.

preoperationextended - Invoked prior to performing the core extended processing.

preoperationmodify - Invoked prior to performing the core modify processing.

preoperationmodifydn - Invoked prior to performing the core modify DN processing.

preoperationsearch - Invoked prior to performing the core search processing.

postoperationabandon - Invoked after completing the abandon processing.

postoperationadd - Invoked after completing the core add processing but before sending the response to the client.

postoperationbind - Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare - Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete - Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended - Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify - Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn - Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch - Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind - Invoked after completing the unbind processing.

preresponseadd - Invoked just before sending the add response to the client.

preresponsebind - Invoked just before sending the bind response to the client.

preresponsecompare - Invoked just before sending the compare response to the client.

preresponsedelete - Invoked just before sending the delete response to the client.

preresponseextended - Invoked just before sending the extended response to the client.

preresponsemodify - Invoked just before sending the modify response to the client.

preresponsemodifydn - Invoked just before sending the modify DN response to the client.

preresponsesearch - Invoked just before sending the search result done response to the client.

postresponseadd - Invoked after sending the add response to the client.

postresponsebind - Invoked after sending the bind response to the client.

postresponsecompare - Invoked after sending the compare response to the client.

postresponsedelete - Invoked after sending the delete response to the client.

postresponseextended - Invoked after sending the extended response to the client.

postresponsemodify - Invoked after sending the modify response to the client.

postresponsemodifydn - Invoked after sending the modify DN response to the client.

postresponsesearch - Invoked after sending the search result done message to the client.

postsynchronizationadd - Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete - Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify - Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn - Invoked after completing post-synchronization processing for a modify DN operation.

searchresultentry - Invoked before sending a search result entry to the client.

searchresultreference - Invoked before sending a search result reference to the client.

subordinatemodifydn - Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

intermediateresponse - Invoked before sending an intermediate response message to the client.
Multi-Valued
Yes
Required
Yes
Admin Action Required
The Changelog Password Encryption Plugin must be disabled and re-enabled for changes to this setting to take effect.

invoke-for-internal-operations (Advanced Property)

Description
Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Changelog Password Encryption Plugin:

dsconfig create-plugin
     --plugin-name {name}
     --type changelog-password-encryption
     --set enabled:{propertyValue}
     --set changelog-password-encryption-key:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Plugin:

dsconfig delete-plugin
     --plugin-name {name}