I think a change needs to be made to the Openfire admin console, for security reasons. The LDAP admin password is displayed in plain text. It should be masked out. I realize that you need to have openfire admin priveledges to view that page or the database, but once the source is accessed anyone walking by could read the value from a screen. or browser cache could be used to view it. Security of my network is of utmost importance.
Agreed, moving to 3.6.1.
This is related with JM-930. I agrre that this is a critical bug. See comments that are made under JM-930.
This issue violates PCI (payment card industry https://www.pcisecuritystandards.org) standards and affects any business that collects credit cards.
It most likley violates HIPPA (privacy in medical records) as well.
OpenFire is a great tool that I would love to roll out to agents in my center, however use would not be allowed because passwords are exposed.
Other tools that require active directory authentication like SAMBA don't have this problem.
Openfire masks all values for properties if the property name includes password, passwd or cookieKey. The matches needed to be case sensitive, which is why ldap.adminPassword (note the capital P) did not match. I made a modification that will allow case-insensitive matching.