Password Storage
To check a password, an application either requests a compare operation on the ‘userPassword’ attribute, or performs a bind operation using clear-text password authentication. The DSA then hashes (encrypts) the candidate password and compares the result with the value stored in the directory.
When a password is stored in a directory (add or modify of userPassword), the hashing algorithm that is applied is configured using the ‘set password-storage’ command. Default: Salted SHA-512.
To assist with migration from Active Directory, you can load passwords that are hashed using the NT/NTLM algorithms using dxloaddb. Prefix the userPassword values using the {NT} or {NTLM} labels, respectively.
Example:
userPassword: {NTLM}Afxaa+e8aSmq07Q1tRQE7g==
userPassword: {NT}DLaUiAX3l78qgoB5c7iVNw==
Loading passwords this way supports bind and compare operations without requiring all migrated users to change their passwords. When a migrated password is subsequently modified, the DSA stores the new value using the configured password-storage method instead of NT/NTLM.
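As an added example (not the DSA's own tooling), a small Python check that reads an LDIF export, flags which userPassword values still carry the {NT}/{NTLM} labels and which already use the native scheme, so migration progress away from the legacy hashes can be tracked. It assumes both legacy formats decode to 16-byte digests, as the page's sample values do; the LDIF input is constructed.

```python
import base64
import re
from collections import Counter

# Constructed sample LDIF, modelled on the page's example (not real accounts).
SAMPLE_LDIF = """\
dn: cn=alice,o=example
userPassword: {NTLM}Afxaa+e8aSmq07Q1tRQE7g==

dn: cn=bob,o=example
userPassword: {NT}DLaUiAX3l78qgoB5c7iVNw==

dn: cn=carol,o=example
userPassword: {SSHA512}bm90LWEtcmVhbC1oYXNo

dn: cn=dave,o=example
userPassword: {NT}bm90LTE2LWJ5dGVz
"""

LEGACY_SCHEMES = {"NT", "NTLM"}   # labels the page says dxloaddb accepts
LEGACY_DIGEST_LEN = 16            # assumption: both legacy formats are 16-byte digests
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")

def parse_ldif(text):
    """Yield (dn, userPassword) pairs from a minimal LDIF text."""
    dn, pwd = None, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line == "":
            if dn and pwd:
                yield dn, pwd
            dn, pwd = None, None
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword: "):
            pwd = line[len("userPassword: "):]

def classify(value):
    """Return ('legacy'|'native'|'invalid', scheme) for one userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        return "invalid", None                # no {SCHEME} label at all
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme not in LEGACY_SCHEMES:
        return "native", scheme               # already on a DSA-managed scheme
    try:
        digest = base64.b64decode(payload, validate=True)
    except ValueError:
        return "invalid", scheme
    return ("legacy" if len(digest) == LEGACY_DIGEST_LEN else "invalid"), scheme

def migration_report(ldif_text):
    """Count entries still on NT/NTLM vs already on the configured scheme."""
    counts = Counter(classify(v)[0] for _, v in parse_ldif(ldif_text))
    return dict(counts)
```

Entries reported as "invalid" have a label the DSA will not be able to verify and should be re-exported rather than loaded.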