UCM does not encrypt the password

chazhang · ‎03-22-2018

I am using updateLdapDirectory to update the ldap password. UCM response with successful update, however, the password is stored in DB with plain text, instead of encrypted:

----------AXL debug, shows everything is good -----------------

2018-03-22 15:28:49,193 DEBUG [http-bio-8443-exec-3] servletRouters.AXLAlpha - AXL REQUEST :

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<SOAP-ENV:Body>

<axl:updateLdapDirectory xmlns:axl="http://www.cisco.com/AXL/API/10.5" sequence="1">

<name>Admin - SuperUser Sync</name>

<ldapPassword>6L7THAeqeu8N!MES</ldapPassword>

</axl:updateLdapDirectory>

</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

...

2018-03-22 15:28:49,204 DEBUG [http-bio-8443-exec-3] axlapiservice.Handler - update directorypluginconfig set LdapPassword='6L7THAeqeu8N!MES' where pkid='14240ed0-322c-da4a-4653-fddd3db5ff30'

2018-03-22 15:28:49,214 DEBUG [http-bio-8443-exec-3] axlapiservice.UpdateLdapDirectoryHandler - UpdateLdapDirectory completed

2018-03-22 15:28:49,218 DEBUG [http-bio-8443-exec-3] axlapiservice.AXLCallFlow - In commit transaction and created pub connector

2018-03-22 15:28:49,218 DEBUG [http-bio-8443-exec-3] axlapiservice.Axl - Connection closed and hashmap entry removed in AXL.java closing connection

2018-03-22 15:28:49,218 DEBUG [http-bio-8443-exec-3] axlapiservice.AXLCallFlow - Commit transaction connector object closed

2018-03-22 15:28:49,221 DEBUG [http-bio-8443-exec-3] servletRouters.AXLAlpha - <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:updateLdapDirectoryResponse xmlns:ns="http://www.cisco.com/AXL/API/10.5"><return>{14240ED0-322C-DA4A-4653-FDDD3DB5FF30}</return></ns:updateLdapDirectoryResponse></soapenv:Body></soapenv:Envelope>

-------check DB, password is in clear text ----------

admin:run sql select * from directorypluginconfig

pkid agreementstatus ldapdn ldappassword ldapsynchronizationbase incsyncstatus highestcommittedusn syncnow invocationid fullsyncstatus connectedldaphost name fkldapfilter tkldapdirectoryfunction fkfeaturegrouptemplate mask applymask applypoollist syncgroups fkldapfilter_group userrank

==================================== =============== =========================================================== ================ ======================================== ============= =================== ======= ================================ ============== ================= ========================== ==================================== ======================= ==================================== ==== ========= ============= ========== ================== ========

14240ed0-322c-da4a-4653-fddd3db5ff30 1 CN=ucm.admin.gen,OU=Generics,OU=LAB Users,DC=LAB,DC=com 6L7THAeqeu8N!MES OU=Admins,OU=LAB Users,DC=LAB,DC=com 0 54553862 0 2f2dd55f7b5f4747b3c636debc0a9cf3 0 64.100.37.70 Admin - SuperUser Sync a5fce3a2-8ee4-dd10-f98c-26fe6a905638 0 30600e3e-4efd-6f93-d322-dc08fdbffa9f NULL f f f NULL 1

Is it something expected?

dstaudt · ‎03-22-2018

I have been able to reproduce this problem (on CUCM 11.5), and have opened a defect for tracking: CSCvi61573

Thanks for reporting! If you would like to inquiry about a possible 'engineering special' to validate a fix, please open a ticket with DevNet Developer Support: https://developer.cisco.com/site/devnet/support/

chazhang · ‎03-22-2018

Thanks David for the prompt reply and action.