I want to store answers to password reset questions in LDAP. I know that the answers should be hashed with a salt. I would like insight into the following:

  • What attributeClass should we use?
  • Is it possible to get the LDAP server to perform the hashing operations?
  • Is there a way to use the LDAP compare operation if the container doesn't expose how it performs hashing?
  • Does the answer vary depending on which directory service vendor you go with?
  • Is it possible to extend the password attributeClass for this purpose?
A: 

Just an idea that might be totally off: why not have a duplicate account for each user where the password is the answer to the secret question?
This way you won't have to think about hashing/salt/encryption, and to validate the answer you will call the logon user API.
Those duplicate users will of course belong to very limited security groups.

Shay Erlichmen
+1  A: 

I have looked for such functionality in Sun Directory Server but was not able to find it. I ended up implementing it in my client code (by using java.security.MessageDigest if I remember correctly). It wasn't much work, but I would have preferred it to be handled by the server.

Perhaps it is possible on other LDAP servers, I'd be curious to find out.

Andrew Strong
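The client-side approach from the answer above, written out as an added example (this is not code from either answer, and it is Python rather than the Java MessageDigest Andrew used): the answer is normalised, then hashed with a random per-entry salt into the {SSHA} value syntax that OpenLDAP uses for userPassword, so the stored value carries its own salt and verification needs no separate salt attribute. Which attribute you store it in is a schema decision of your own; whether a given server will run the compare operation against such a value in a custom attribute is vendor-dependent, as the question suspects.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

SHA1_LEN = 20  # bytes in a SHA-1 digest; the salt follows it in the {SSHA} value


def normalize_answer(answer: str) -> str:
    """Canonicalise a reset answer before hashing so that trivial variations
    ('New  York ' vs 'new york') still verify; hashing the raw string would not."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def ssha_hash(answer: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(answer || salt) || salt).
    A fresh random salt is drawn per call unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(normalize_answer(answer).encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(answer: str, stored: str) -> bool:
    """Re-hash the candidate answer with the salt carried in the stored value and
    compare in constant time. Malformed stored values never verify."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # digest present but no salt: reject rather than guess
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(normalize_answer(answer).encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: the value you would write into the (hypothetical)
    # reset-answer attribute of the user's entry, then check on reset.
    stored_value = ssha_hash("Fluffy")
    print(stored_value)
    print(ssha_verify("  fluffy ", stored_value), ssha_verify("Rex", stored_value))
```

Salted SHA-1 matches what directory servers do for userPassword, but reset answers have far less entropy than passwords, so when the hashing stays in your own client code a deliberately slow KDF such as PBKDF2 is the better choice.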