5 Replies Latest reply: Dec 4, 2012 1:55 PM by 802907

    pwd storage scheme for few users

    stan25
      Hello there,

      Our ODSEE 7.0 has the default pwd storage scheme SSHA (pwd-storage-scheme : SSHA), but one of the applications would like to use the SHA1 scheme. So how do I make a change in LDAP with SHA1 as the pwd scheme for userPassword?

      If I specify it like below for ldapmodify, it does not work...

      dn: uid=testpwd,ou=clients,o=domain.com
      changetype: modify
      replace: userPassword
      userPassword: {SHA1} test123

      modifying entry uid=testpwd,ou=clients,o=domain.com

      If I do ldapsearch now, I get the following

      dn: uid=testpwd,ou=clients,o=domain.com
      userpassword: {SHA1} test123


      Can anyone help on how to specify a different pwd storage scheme for a few users' passwords?

      Thanks!
        • 1. Re: pwd storage scheme for few users
          Sylvain Duloutre-Oracle
          Hi

          Do you want to change the password storage scheme used by the directory server, or do you want to be able to import passwords already hashed with SHA1?

          You can control which password storage scheme is used for a (set of) user entries by defining a new password policy for these users.
          The server automatically uses the appropriate digest to store the password when it is changed or when the entry is created.

          More info about password policies is available at http://docs.oracle.com/cd/E20295_01/html/821-1220/bcapa.html#scrolltoc and http://docs.oracle.com/cd/E20295_01/html/821-1224/passwordstoragescheme-5dsat.html#SUNWDSEEREFMANpasswordstoragescheme-5dsat
          • 2. Re: pwd storage scheme for few users
            stan25
            I do not want to change the default pwd storage scheme, which is already SSHA; however, one application's folks are requesting to use SHA1 as the pwd storage scheme for the userpassword attribute of their product users. We don't have any pwd policy since SiteMinder is doing that task. My question is...

            1. I want to use SHA1 as the pwd scheme for only a few users; the rest of the users are using the standard SSHA.


            Thanks!
            • 3. Re: pwd storage scheme for few users
              802907
              Hi Stan,
              You will want to use a non-default password policy specifically to configure per-user password storage schemes, as Sylvain described. This will not overlap with your SiteMinder password policies, because IIRC SiteMinder has no control or visibility on the storage scheme. Looking at it another way, your current default Directory Server password policy is already controlling this configuration. The additional "password policy" is simply a more granular way to configure the same feature.
              • 4. Re: pwd storage scheme for few users
                stan25
                OK, I will try that. BTW, ODSEE does not support SHA1; I am seeing only these...

                LDAP7:
                -----
                pwd-supported-storage-scheme : CRYPT
                pwd-supported-storage-scheme : SHA
                pwd-supported-storage-scheme : SSHA
                pwd-supported-storage-scheme : NS-MTA-MD5
                pwd-supported-storage-scheme : CLEAR

                LDAP11.1.1.5.1:
                ---------------------
                pwd-supported-storage-scheme : CRYPT
                pwd-supported-storage-scheme : SHA256
                pwd-supported-storage-scheme : SHA512
                pwd-supported-storage-scheme : SHA
                pwd-supported-storage-scheme : SSHA
                pwd-supported-storage-scheme : SSHA256
                pwd-supported-storage-scheme : SSHA512
                pwd-supported-storage-scheme : CLEAR
                • 5. Re: pwd storage scheme for few users
                  802907
                  I'm pretty sure SHA is the same as SHA-1; you should test to make sure.