Monday, September 11, 2006
more secure Internet Passwords issue
lookupProfile := @GetProfileField("DirectoryProfile"; "SecureInetPasswords");
@If(lookupProfile = "1"; ""; @Return(""));
FIELD $SecurePassword := "0";
So, even though the lookup is made for "DirectoryProfile", they still set the field $SecurePassword to the value 0.
When they changed this is not clear to me; the fact is that from 6.5.4 new Directories will have this behaviour, unless they changed it in newer versions.
So, why is this such a big deal? Because I customized a Domino Directory to use it for web users only. And I also added a change password form so my users can reset their passwords. I am aware of the ?changepassword command; however, this uses the Adminp process to reset the HTTP password, and I wanted to avoid that.
And my form uses the encrypted password to verify against the one stored within the Person document. With the new algorithm though, the result of the encrypted password is different on each save, no matter if the password is the same. And my code can no longer verify the existing password against the one stored. And I'm screwed :)
Thus, I need to revert to the traditional (and yes, less secure) way of Domino Directory encrypting HTTP passwords. How do I do that?
After 1 hour of testing and cursing, it appears that I need to delete the field $SecurePassword from all person documents, besides the fact that the Directory Profile has to list a big 'No' in the field 'Use more secure Internet Passwords'.
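The verification failure described above is what any salted hash does to a "re-hash and compare" check. The following is an added example, not code from this post or from Domino: it uses a constructed `salt$digest` storage format (an assumption, not Domino's real hash layout) to show why the comparison breaks and how a check that reuses the stored salt still works.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed scheme for illustration only; NOT Domino's real hash format.
ITERATIONS = 100_000
SALT_LEN = 16


def unsalted_hash(password: str) -> str:
    """Deterministic digest: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted digest stored as 'salt_hex$digest_hex'; fresh random salt per save."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def naive_check(candidate: str, stored: str) -> bool:
    """The approach that stops working: re-hash the candidate, compare strings."""
    return salted_hash(candidate) == stored


def verify(candidate: str, stored: str) -> bool:
    """Reuse the salt embedded in the stored value, then compare digests."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # a malformed stored value never verifies
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    stored = salted_hash("s3cret-example")  # constructed sample password
    print("naive re-hash matches:", naive_check("s3cret-example", stored))
    print("salt-aware verify    :", verify("s3cret-example", stored))
    print("wrong password       :", verify("not-the-password", stored))
```

Formula language has a built-in for this kind of check, @VerifyPassword(password; hashedPassword), which takes the typed password and the stored hash.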
This work is licensed under a Creative Commons Attribution 3.0 License.