Password storage schemes encode new passwords provided by users so that they are stored in an encoded manner. This makes it difficult or impossible for someone to determine the clear-text passwords from the encoded values. Password storage schemes also determine whether a clear-text password provided by a client matches the encoded value stored in the server.
OpenDJ offers a variety of both reversible and one-way password storage schemes. Some schemes make it easy to recover the clear-text password, whereas others aim to make it computationally hard to do so.
$ dsconfig list-password-storage-schemes --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password

Password Storage Scheme : Type          : enabled
------------------------:---------------:--------
3DES                    : triple-des    : true
AES                     : aes           : true
Base64                  : base64        : true
Blowfish                : blowfish      : true
Clear                   : clear         : true
CRYPT                   : crypt         : true
MD5                     : md5           : true
PBKDF2                  : pbkdf2        : true
RC4                     : rc4           : true
Salted MD5              : salted-md5    : true
Salted SHA-1            : salted-sha1   : true
Salted SHA-256          : salted-sha256 : true
Salted SHA-384          : salted-sha384 : true
Salted SHA-512          : salted-sha512 : true
SHA-1                   : sha1          : true
As shown in Procedure 11.1, “To Adjust the Default Password Policy”, the default password storage scheme for users is Salted SHA-1. When you add users or import user entries with userPassword values in clear text, OpenDJ hashes them with the default password storage scheme. Root DN users have a different password policy by default, shown in Procedure 11.5, “To Assign a Password Policy to a Group”. The Root Password Policy uses Salted SHA-512 by default.
You change the default password policy storage scheme for users by changing the applicable password policy, as shown in the following example.
$ dsconfig set-password-policy-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" --set default-password-storage-scheme:pbkdf2 --no-prompt
Notice that the change in default password storage scheme does not cause OpenDJ to update any stored password values. By default, OpenDJ only stores a password with the new storage scheme the next time that the password is changed.
OpenDJ prefixes passwords with the scheme used to encode them, which means it is straightforward to see which password storage scheme is in use. After the default password storage scheme is changed to PBKDF2, old user passwords remain encoded with Salted SHA-1.
$ ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==

When the password is changed, the new default password storage scheme takes effect, as shown in the following example.
$ ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen" \
 --newPassword changeit
The LDAP password modify operation was successful
$ ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword changeit \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==

When you change the password storage scheme for users, realize that the user passwords must change in order for OpenDJ to encode them with the chosen storage scheme. If you are changing the storage scheme because the old scheme was too weak, then you no doubt want users to change their passwords anyway.
If, however, the storage scheme change is not related to a vulnerability, you can use the deprecated-password-storage-scheme property of the password policy to have OpenDJ store the password in the new format after successful authentication. This makes it possible to migrate the passwords of active users to the new scheme without forcing them to change their passwords.
$ ldapsearch \
 --port 1389 \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN dc=example,dc=com \
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==
$ dsconfig \
 set-password-policy-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set deprecated-password-storage-scheme:"Salted SHA-1" \
 --no-prompt
$ ldapsearch \
 --port 1389 \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN dc=example,dc=com \
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==

Notice that with deprecated-password-storage-scheme set appropriately, Kirsten Vaughan's password was hashed again after she authenticated successfully.
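The {SCHEME} prefix convention and the deprecated-scheme migration described above, as an added Python example that is not OpenDJ's own code: it assumes OpenDJ's layout of base64(digest || 8-byte salt) for Salted SHA-1 and for PBKDF2 (HMAC-SHA1, 20-byte derived key, iteration count before the colon), and bind_and_migrate is a hypothetical simulation of what the server does on a successful bind when the stored value uses a deprecated scheme.

```python
import base64, hashlib, hmac, os, re

SALT_LEN = 8        # assumption: OpenDJ's salted schemes append an 8-byte salt
PBKDF2_DKLEN = 20   # assumption: PBKDF2 uses HMAC-SHA1, so a 20-byte derived key

def encode_ssha(password, salt=None):
    """Encode as {SSHA}base64(sha1(password || salt) || salt)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def encode_pbkdf2(password, iterations=10000, salt=None):
    """Encode as {PBKDF2}iterations:base64(derived_key || salt)."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, PBKDF2_DKLEN)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(dk + salt).decode())

def parse(stored):
    """Split a userPassword value into its {SCHEME} prefix and the encoded body."""
    m = re.match(r"^\{([^}]+)\}(.*)$", stored)
    if not m:
        raise ValueError("userPassword value has no scheme prefix")
    return m.group(1).upper(), m.group(2)

def verify(password, stored):
    """Check a clear-text password against an encoded value (constant-time compare)."""
    scheme, body = parse(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.sha1(password.encode() + salt).digest()
    elif scheme == "PBKDF2":
        iterations, b64 = body.split(":", 1)
        raw = base64.b64decode(b64)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, int(iterations), len(digest))
    else:
        raise ValueError("unsupported scheme " + scheme)
    return hmac.compare_digest(candidate, digest)

def bind_and_migrate(entry, password, default="PBKDF2", deprecated=("SSHA",)):
    """Hypothetical bind with deprecated-password-storage-scheme set: on success a value
    in a deprecated scheme is re-encoded with the default scheme. Returns (ok, stored)."""
    stored = entry["userPassword"]
    if not verify(password, stored):
        return False, stored
    scheme = parse(stored)[0]
    if scheme in deprecated and scheme != default:
        entry["userPassword"] = encode_pbkdf2(password) if default == "PBKDF2" else encode_ssha(password)
    return True, entry["userPassword"]
```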

