LDAP Admin Password

Attached is a patch that will change the LDAP admin password to be encrypted. This should resolve OF-169. It also fixes editing system settings so that the LDAP admin password isn’t shown and fixes the server profile pages so that the base DN and admin DN are escaped using StringEscapeUtils.escapeHtml. I didn’t see existing issues for these problems. The base DN and admin DN weren’t showing up correctly when encloseDN was set. EncloseDN was adding quotes around the DN values, messing up the HTML.

To allow upgrades, the unencrypted value is moved to a new property called ldap.adminEncryptedPassword. If for some reason the adminEncryptedPassword value stops working, it can be reset by adding ldap.adminPassword to openfire.xml and the password is automatically encrypted and moved to the database.

I noticed after I was done that the DefaultUserProvider is also doing encryption, so I’m sure there is some refactoring that could still be done, but I wanted to get this patch out there, since I know unencrypted passwords are a concern for many people.

I’m looking to get more involved in the development, so please let me know if there is a particular section I should look at.

Thanks,

Brian

Many thanks for the patch. I have attached it to the ticket. Hopefully it will make it into the 3.7.0 version.

How do I install the patch in Windows?

It’s a patch for the source code, you can’t install it. It can only be applied to the source code and then Openfire should be recompiled.