Tuesday, December 10, 2013

Deprecated Password Storage Scheme

I know all along there is a default Password Storage Scheme in OpenDJ. However, I did not know there is a Deprecated Password Storage Scheme until I found out from Ludovic just now.

We were in a discussion on how to migrate users from OID to OpenDJ. I know the default userPassword hashing algorithm for Oracle Internet Directory has been changed from MD4 to SHA, while OpenDJ is using SSHA as the default password storage scheme.

I need a seamless way to migrate users over without having each user to change his/her existing password.

When you change the password storage scheme for users, realize that the user passwords must change in order for OpenDJ to encode them with the chosen storage scheme. If you are changing the storage scheme because the old scheme was too weak, then you no doubt want users to change their passwords anyway.  

If however the storage scheme change is not related to vulnerability, you can use the deprecated-password-storage-scheme property of the password policy to have OpenDJ store the password in the new format after successful authentication. This makes it possible to do password migration for active users without forcing users to change their passwords.

Bingo! Nice!


No comments:

Post a Comment