Monday, September 11, 2006

more secure Internet Passwords issue

Got an issue today with setting the field 'Use more secure Internet Passwords' in a 6.5.4 Domino Directory. It seems that the Lotus team changed the design of the Domino Directory so that the new algorithm for encrypting the Domino web passwords is active, no matter what. To demonstrate that, just open your names.nsf database, go to the Person form and check the WebQuerySave event. Mine lists the following formula:

lookupProfile := @GetProfileField("DirectoryProfile"; "SecureInetPasswords");
@If(lookupProfile = "1"; ""; @Return(""));
FIELD $SecurePassword := "0";
""

So, even though the lookup is made against the "DirectoryProfile", the field $SecurePassword still ends up set to the value 0.
When they changed this is not clear to me; the fact is that from 6.5.4 on, new Directories have this behaviour, unless it was changed again in newer versions.

So, why is this such a big deal? Because I customized a Domino Directory to use it for web users only, and I also added a change-password form so my users can reset their passwords. I am aware of the ?changepassword command; however, it uses the AdminP process to reset the HTTP password, which I wanted to avoid.

My form encrypts the entered password and verifies it against the one stored within the Person document. With the new algorithm, though, the encrypted result is different on each save, even if the password is the same, so my code can no longer verify the entered password against the stored one. And I'm screwed :)
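To illustrate why the equality check described above stops working once the stored value is salted, here is an added example (not code from this post, and not Domino's actual algorithm): a constructed model of an unsalted and a salted password store, the re-hash-and-compare check the post relies on, and the verification that does work with a salted value by reusing the salt taken from the stored string.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed stand-in for the "traditional" scheme: the same password
# always produces the same stored value, so re-hashing and comparing works.
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a salted scheme: a fresh random salt on every
# save, stored alongside the digest as "salthex$digesthex".
def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

# The check the post describes: hash the entered password again and
# compare the two strings. Correct for legacy_hash, always wrong for
# salted_hash because the second call draws a new salt.
def naive_check(password: str, stored: str, hasher: Callable[[str], str]) -> bool:
    return hmac.compare_digest(hasher(password), stored)

# The check that works with a salted store: recover the salt from the
# stored value and re-derive with that same salt before comparing.
def salted_verify(password: str, stored: str) -> bool:
    salt_hex, sep, _digest_hex = stored.partition("$")
    if not sep:
        return False  # not a salted value in our constructed format
    recomputed = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

if __name__ == "__main__":
    legacy = legacy_hash("secret")
    first, second = salted_hash("secret"), salted_hash("secret")
    print("legacy naive check:", naive_check("secret", legacy, legacy_hash))
    print("salted values differ per save:", first != second)
    print("salted naive check:", naive_check("secret", first, salted_hash))
    print("salted verify with stored salt:", salted_verify("secret", first))
```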

Thus, I need to revert to the traditional (and yes, less secure) way in which the Domino Directory encrypts HTTP passwords. How do I do that?

After an hour of testing and cursing, it appears that I need to delete the field $SecurePassword from all Person documents, in addition to the Directory Profile having a big 'No' in the field 'Use more secure Internet Passwords'.