Encrypt Attribute Values Plugin

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Encrypt Attribute Values Plugin is used to encrypt the values of a specified set of attributes. The encryption will be performed for LDAP add and modify operations, as well as for LDIF imports.

This plugin operates independently of the encrypt-data global configuration option, and it may be desirable to encrypt these attribute values regardless of the value of that option. The encrypt-data property is used to control whether database content is encrypted on disk so that it is protected from anyone with access to the database files (or backups of the database files), but when the data is accessed over LDAP (or exported to unencrypted LDIF), it will be in the clear.

This plugin encrypts the values of the selected attributes so that those values will never appear in the clear. The components of the server that deal with these attributes have been updated so that they can handle the values in either encrypted or unencrypted form. As these attributes are only intended for internal use within the server, it does not provide any mechanism for clients to access the clear-text representation of these encrypted values.

This plugin is only intended for use in Directory Server instances, and if it is enabled in one Directory Server instance, then it should be enabled for all Directory Server instances in the topology. However, if encryption is to be enabled for any attributes, and if the functionality associated with those encrypted attributes is expected to be used through the Directory Proxy Server, then the Directory Proxy Server instances must be configured with the same encryption settings definitions as the Directory Server instances.

When restoring a backup or importing an LDIF file that contains encrypted attribute values, you should first ensure that the server contains all of the encryption settings definitions that might be used to encrypt those values.
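The following simulation is an added example, not PingDirectory's own plugin code, written to make the behaviour described above concrete: values of the configured attribute types are encrypted at the plugin's default invocation points (ldifimport, preparseadd, preparsemodify), already-encrypted values are passed through untouched, internal consumers accept either form, and a value tagged with an encryption settings definition that the receiving server does not have cannot be recovered (the failure the restore/import guidance is meant to avoid). The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), the "{ENC}" value encoding, the definition registry and IDs, the sample entry and the class and function names are all constructed for this example and are not the server's real formats or APIs.

```python
"""Simulated Encrypt Attribute Values Plugin (added example; not PingDirectory code).

The cipher, the "{ENC}" value encoding and the definition registry are
constructed stand-ins: the page does not show the server's real formats.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed encryption settings definitions: definition ID -> 256-bit key.
ENCRYPTION_SETTINGS: Dict[str, bytes] = {
    "def-a": hashlib.sha256(b"constructed key material A").digest(),
    "def-b": hashlib.sha256(b"constructed key material B").digest(),
}
PREFERRED_DEFINITION_ID = "def-b"   # the server's "preferred" definition (assumed)
ENCRYPTED_PREFIX = b"{ENC}"         # constructed marker distinguishing the two forms

Entry = Dict[str, List[bytes]]
Modification = Tuple[str, str, List[bytes]]   # (op, attribute, values)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def is_encrypted(value: bytes) -> bool:
    return value.startswith(ENCRYPTED_PREFIX)


def encrypt_value(value: bytes, definition_id: str,
                  definitions: Dict[str, bytes] = ENCRYPTION_SETTINGS) -> bytes:
    """Encrypt-then-MAC a value and tag it with the definition ID used.
    Definition IDs must not contain '$', which separates the fields."""
    key = definitions[definition_id]
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(value, _keystream(key, nonce, len(value))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return ENCRYPTED_PREFIX + b"$".join(
        [definition_id.encode(), nonce.hex().encode(), tag.hex().encode(), ct.hex().encode()])


def decrypt_value(value: bytes,
                  definitions: Dict[str, bytes] = ENCRYPTION_SETTINGS) -> bytes:
    """Return the clear value. Unencrypted input passes through unchanged,
    which is how internal server components accept either form."""
    if not is_encrypted(value):
        return value
    def_id, nonce_hex, tag_hex, ct_hex = value[len(ENCRYPTED_PREFIX):].split(b"$")
    definition_id = def_id.decode()
    if definition_id not in definitions:
        # This is the failure a restore or LDIF import hits when a definition is missing.
        raise LookupError(f"encryption settings definition {definition_id!r} not found")
    key = definitions[definition_id]
    nonce, tag, ct = (bytes.fromhex(h.decode()) for h in (nonce_hex, tag_hex, ct_hex))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptAttributeValuesPlugin:
    """Mirrors the plugin's properties; invoked at the default plugin types."""
    plugin_type = ("ldifimport", "preparseadd", "preparsemodify")

    def __init__(self, attribute_type: Iterable[str],
                 encryption_settings_definition_id: Optional[str] = None,
                 enabled: bool = True) -> None:
        self.attribute_type = {a.lower() for a in attribute_type}
        self.definition_id = encryption_settings_definition_id or PREFERRED_DEFINITION_ID
        self.enabled = enabled

    def _protect(self, attr: str, values: List[bytes]) -> List[bytes]:
        if not self.enabled or attr.lower() not in self.attribute_type:
            return values
        # Values that are already encrypted (e.g. re-imported from an export) are left alone.
        return [v if is_encrypted(v) else encrypt_value(v, self.definition_id) for v in values]

    def pre_parse_add(self, entry: Entry) -> Entry:
        return {attr: self._protect(attr, vals) for attr, vals in entry.items()}

    ldif_import = pre_parse_add   # each imported entry gets the same treatment

    def pre_parse_modify(self, mods: List[Modification]) -> List[Modification]:
        return [(op, attr, self._protect(attr, vals)) for op, attr, vals in mods]


def demo() -> Entry:
    plugin = EncryptAttributeValuesPlugin(
        attribute_type=["ds-auth-totp-shared-secret", "ds-auth-totp-last-password-used"])
    # Constructed entry; the shared secret is a sample value, not a real credential.
    entry: Entry = {"uid": [b"alice"], "ds-auth-totp-shared-secret": [b"JBSWY3DPEHPK3PXP"]}
    stored = plugin.pre_parse_add(entry)
    # A TOTP validator inside the server recovers the clear secret; an LDAP client
    # reading the entry only ever sees the stored (encrypted) form.
    assert decrypt_value(stored["ds-auth-totp-shared-secret"][0]) == b"JBSWY3DPEHPK3PXP"
    return stored


if __name__ == "__main__":
    print(demo())
```

The `definitions` parameter on `decrypt_value` stands in for "the set of encryption settings definitions present on this server": decrypting a value with an empty registry raises `LookupError`, which is the situation the guidance about restoring backups and importing LDIF is warning about.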

Parent Component

The Encrypt Attribute Values Plugin component inherits from the Plugin component.

Properties

The properties supported by this managed object are as follows:

Basic Properties:
 description
 enabled
 attribute-type
 encryption-settings-definition-id

Advanced Properties:
 plugin-type
 invoke-for-internal-operations

Basic Properties

description

Description
A description for this Plugin
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

attribute-type

Description
The attribute types whose values should be encrypted.
Default Value
None
Allowed Values
ds-auth-totp-shared-secret - The ds-auth-totp-shared-secret operational attribute, which holds the shared secret the server needs to validate time-based one-time passwords provided to the UNBOUNDID-TOTP SASL mechanism or the validate TOTP password extended operation.

ds-auth-totp-last-password-used - The ds-auth-totp-last-password-used operational attribute, which holds the last time-based one-time password used to authenticate with the UNBOUNDID-TOTP SASL mechanism.

ds-auth-delivered-otp - The ds-auth-delivered-otp operational attribute, which is used to hold one-time passwords that can be used to authenticate with the UNBOUNDID-DELIVERED-OTP SASL mechanism.

ds-auth-password-reset-token - The ds-auth-password-reset-token operational attribute, which is used to hold password reset tokens that can be provided to the password modify extended request as an alternative to the user's current password.

ds-auth-single-use-token - The ds-auth-single-use-token operational attribute, which is used to hold single-use tokens that can be generated by the server and delivered to a user through some out-of-band mechanism using the deliver single-use token extended operation, and then consumed with the consume single-use token extended operation.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

encryption-settings-definition-id

Description
Specifies the ID of the encryption settings definition that should be used to encrypt the data. If this is not provided, the server's preferred encryption settings definition will be used. The "encryption-settings list" command can be used to obtain a list of the encryption settings definitions available in the server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

plugin-type (Advanced Property)

Description
Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
Default Value
ldifimport
preparseadd
preparsemodify
Allowed Values
startup - Invoked during the Directory Server startup process.

shutdown - Invoked during a graceful Directory Server shutdown.

postconnect - Invoked whenever a new connection is established to the server.

postdisconnect - Invoked whenever an existing connection is terminated (by either the client or the server).

ldifimport - Invoked for each entry read during an LDIF import.

ldifexport - Invoked for each operation to be written during an LDIF export.

preparseabandon - Invoked prior to parsing an abandon request.

preparseadd - Invoked prior to parsing an add request.

preparsebind - Invoked prior to parsing a bind request.

preparsecompare - Invoked prior to parsing a compare request.

preparsedelete - Invoked prior to parsing a delete request.

preparseextended - Invoked prior to parsing an extended request.

preparsemodify - Invoked prior to parsing a modify request.

preparsemodifydn - Invoked prior to parsing a modify DN request.

preparsesearch - Invoked prior to parsing a search request.

preparseunbind - Invoked prior to parsing an unbind request.

preoperationadd - Invoked prior to performing the core add processing.

preoperationbind - Invoked prior to performing the core bind processing.

preoperationcompare - Invoked prior to performing the core compare processing.

preoperationdelete - Invoked prior to performing the core delete processing.

preoperationextended - Invoked prior to performing the core extended processing.

preoperationmodify - Invoked prior to performing the core modify processing.

preoperationmodifydn - Invoked prior to performing the core modify DN processing.

preoperationsearch - Invoked prior to performing the core search processing.

postoperationabandon - Invoked after completing the abandon processing.

postoperationadd - Invoked after completing the core add processing but before sending the response to the client.

postoperationbind - Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare - Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete - Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended - Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify - Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn - Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch - Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind - Invoked after completing the unbind processing.

preresponseadd - Invoked just before sending the add response to the client.

preresponsebind - Invoked just before sending the bind response to the client.

preresponsecompare - Invoked just before sending the compare response to the client.

preresponsedelete - Invoked just before sending the delete response to the client.

preresponseextended - Invoked just before sending the extended response to the client.

preresponsemodify - Invoked just before sending the modify response to the client.

preresponsemodifydn - Invoked just before sending the modify DN response to the client.

preresponsesearch - Invoked just before sending the search result done response to the client.

postresponseadd - Invoked after sending the add response to the client.

postresponsebind - Invoked after sending the bind response to the client.

postresponsecompare - Invoked after sending the compare response to the client.

postresponsedelete - Invoked after sending the delete response to the client.

postresponseextended - Invoked after sending the extended response to the client.

postresponsemodify - Invoked after sending the modify response to the client.

postresponsemodifydn - Invoked after sending the modify DN response to the client.

postresponsesearch - Invoked after sending the search result done message to the client.

postsynchronizationadd - Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete - Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify - Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn - Invoked after completing post-synchronization processing for a modify DN operation.

searchresultentry - Invoked before sending a search result entry to the client.

searchresultreference - Invoked before sending a search result reference to the client.

subordinatemodifydn - Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

intermediateresponse - Invoked before sending an intermediate response message to the client.
Multi-Valued
Yes
Required
Yes
Admin Action Required
The Encrypt Attribute Values Plugin must be disabled and re-enabled for changes to this setting to take effect; alternatively, the server can be restarted.

invoke-for-internal-operations (Advanced Property)

Description
Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...