Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Changelog Password Encryption Plugin adds an encrypted form of the user password attribute to ADD and MODIFY operations that include the user password. The main purpose of this is to allow changelog entries to store this encrypted form of the password so that it may be synchronized to other types of endpoints (such as Active Directory or Oracle) using the Ping Identity Data Sync Server.
The encryption is performed with a key derived from the changelog-password-encryption-key property on this plugin. If the changelog is not enabled or the encryption key is not specified, this plugin has no effect. The encrypted value will get replicated (in a replicated environment), but this plugin must be enabled on any replica that can process password modifications.
The Changelog Password Encryption Plugin component inherits from the Plugin
The following components have a direct aggregation relation from Changelog Password Encryption Plugins:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | plugin-type |
enabled | invoke-for-internal-operations |
changelog-password-encryption-key | |
changelog-password-encryption-key-passphrase-provider | |
description
Description | A description for this Plugin |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether the plug-in is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
changelog-password-encryption-key
Description | A passphrase that may be used to generate the key for encrypting passwords stored in the changelog. The same passphrase also needs to be set (either through the "changelog-password-decryption-key" property or the "changelog-password-decryption-key-passphrase-provider" property) in the Global Sync Configuration in the Data Sync Server, so that it can decrypt and synchronize user passwords to other destinations. The encryption key is cryptographically derived from this value, so there are no minimum complexity requirements here. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
changelog-password-encryption-key-passphrase-provider
Description | A passphrase provider that may be used to obtain the passphrase that will be used to generate the key for encrypting passwords stored in the changelog. The same passphrase also needs to be set (either through the "changelog-password-decryption-key" property or the "changelog-password-decryption-key-passphrase-provider" property) in the Global Sync Configuration in the Data Sync Server, so that it can decrypt and synchronize user passwords to other destinations. The encryption key is cryptographically derived from this value, so there are no minimum complexity requirements here. |
Default Value | None |
Allowed Values | The DN of any Passphrase Provider. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
plugin-type (Advanced Property)
Description | Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked. |
Default Value | preparseadd, preparsemodify |
Allowed Values |
startup - Invoked during the Directory Server startup process.
shutdown - Invoked during a graceful Directory Server shutdown.
postconnect - Invoked whenever a new connection is established to the server.
postdisconnect - Invoked whenever an existing connection is terminated (by either the client or the server).
ldifimport - Invoked for each entry read during an LDIF import.
ldifexport - Invoked for each operation to be written during an LDIF export.
preparseabandon - Invoked prior to parsing an abandon request.
preparseadd - Invoked prior to parsing an add request.
preparsebind - Invoked prior to parsing a bind request.
preparsecompare - Invoked prior to parsing a compare request.
preparsedelete - Invoked prior to parsing a delete request.
preparseextended - Invoked prior to parsing an extended request.
preparsemodify - Invoked prior to parsing a modify request.
preparsemodifydn - Invoked prior to parsing a modify DN request.
preparsesearch - Invoked prior to parsing a search request.
preparseunbind - Invoked prior to parsing an unbind request.
preoperationadd - Invoked prior to performing the core add processing.
preoperationbind - Invoked prior to performing the core bind processing.
preoperationcompare - Invoked prior to performing the core compare processing.
preoperationdelete - Invoked prior to performing the core delete processing.
preoperationextended - Invoked prior to performing the core extended processing.
preoperationmodify - Invoked prior to performing the core modify processing.
preoperationmodifydn - Invoked prior to performing the core modify DN processing.
preoperationsearch - Invoked prior to performing the core search processing.
postoperationabandon - Invoked after completing the abandon processing.
postoperationadd - Invoked after completing the core add processing but before sending the response to the client.
postoperationbind - Invoked after completing the core bind processing but before sending the response to the client.
postoperationcompare - Invoked after completing the core compare processing but before sending the response to the client.
postoperationdelete - Invoked after completing the core delete processing but before sending the response to the client.
postoperationextended - Invoked after completing the core extended processing but before sending the response to the client.
postoperationmodify - Invoked after completing the core modify processing but before sending the response to the client.
postoperationmodifydn - Invoked after completing the core modify DN processing but before sending the response to the client.
postoperationsearch - Invoked after completing the core search processing but before sending the response to the client.
postoperationunbind - Invoked after completing the unbind processing.
preresponseadd - Invoked just before sending the add response to the client.
preresponsebind - Invoked just before sending the bind response to the client.
preresponsecompare - Invoked just before sending the compare response to the client.
preresponsedelete - Invoked just before sending the delete response to the client.
preresponseextended - Invoked just before sending the extended response to the client.
preresponsemodify - Invoked just before sending the modify response to the client.
preresponsemodifydn - Invoked just before sending the modify DN response to the client.
preresponsesearch - Invoked just before sending the search result done response to the client.
postresponseadd - Invoked after sending the add response to the client.
postresponsebind - Invoked after sending the bind response to the client.
postresponsecompare - Invoked after sending the compare response to the client.
postresponsedelete - Invoked after sending the delete response to the client.
postresponseextended - Invoked after sending the extended response to the client.
postresponsemodify - Invoked after sending the modify response to the client.
postresponsemodifydn - Invoked after sending the modify DN response to the client.
postresponsesearch - Invoked after sending the search result done message to the client.
postsynchronizationadd - Invoked after completing post-synchronization processing for an add operation.
postsynchronizationdelete - Invoked after completing post-synchronization processing for a delete operation.
postsynchronizationmodify - Invoked after completing post-synchronization processing for a modify operation.
postsynchronizationmodifydn - Invoked after completing post-synchronization processing for a modify DN operation.
searchresultentry - Invoked before sending a search result entry to the client.
searchresultreference - Invoked before sending a search result reference to the client.
subordinatemodifydn - Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.
intermediateresponse - Invoked before sending an intermediate response message to the client. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | The Changelog Password Encryption Plugin must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server. |
invoke-for-internal-operations (Advanced Property)
Description | Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked. |
Default Value | true |
Allowed Values | true, false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Plugins:
dsconfig list-plugins [--property {propertyName}] ...
To view the configuration for an existing Plugin:
dsconfig get-plugin-prop --plugin-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Plugin:
dsconfig set-plugin-prop --plugin-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
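
The conditions stated at the top of this page (the plugin has no effect without an enabled changelog and an encryption key, and it must be enabled on every replica that can process password modifications) can be checked across a topology. The following is an added example, not part of the product documentation: it assumes records of the form replica, property, value (TAB-separated) have already been collected from each server, that `-` or an empty value means unset, and that `changelog-enabled` is a hypothetical field describing the changelog's state; replica names and values are constructed.

```shell
#!/bin/sh
# Added example (not product code): flag replicas on which the Changelog
# Password Encryption Plugin would have no effect or is not enabled.
# Input on stdin: TAB-separated records "replica<TAB>property<TAB>value".
# The record layout and "changelog-enabled" are assumptions of this example;
# "-" or an empty value is treated as unset.

audit_replicas() {
  awk -F '\t' '
    function is_unset(v) { return v == "" || v == "-" }
    NF >= 2 { seen[$1] = 1; val[$1, $2] = $3 }
    END {
      for (r in seen) {
        # Must be enabled on any replica that can process password changes.
        if (val[r, "enabled"] != "true")
          print r "\tplugin-disabled"
        # No changelog: the plugin has no effect.
        if (val[r, "changelog-enabled"] != "true")
          print r "\tchangelog-disabled"
        # Neither an inline passphrase nor a provider: no effect.
        if (is_unset(val[r, "changelog-password-encryption-key"]) &&
            is_unset(val[r, "changelog-password-encryption-key-passphrase-provider"]))
          print r "\tno-encryption-key"
      }
    }' | sort
}

# Constructed sample data: four hypothetical replicas, placeholder values only.
sample_records() {
  printf '%s\t%s\t%s\n' \
    ds1 enabled true  ds1 changelog-enabled true \
    ds1 changelog-password-encryption-key-passphrase-provider PLACEHOLDER-DN \
    ds2 enabled false ds2 changelog-enabled true \
    ds2 changelog-password-encryption-key PLACEHOLDER \
    ds3 enabled true  ds3 changelog-enabled true \
    ds3 changelog-password-encryption-key - \
    ds4 enabled true  ds4 changelog-enabled false \
    ds4 changelog-password-encryption-key-passphrase-provider PLACEHOLDER-DN
}

# Prints one "replica<TAB>finding" line per problem; no output means no findings.
sample_records | audit_replicas
```
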