To check a password, an application either requests a compare operation on the userPassword attribute or performs a bind operation using clear-text (simple) password authentication. The DSA then hashes the candidate password and compares the result with the value stored in the directory.
When a password is stored in the directory (an add or modify of userPassword), the hashing algorithm that is applied is configured with the set password-storage command. Default: Salted SHA-512
To assist with migration from Active Directory, you can use dxloaddb to load passwords that are already hashed with the NT or NTLM algorithm. Prefix the userPassword values with the {NT} or {NTLM} label, respectively.
Example:
userPassword: {NTLM}Afxaa+e8aSmq07Q1tRQE7g==
userPassword: {NT}DLaUiAX3l78qgoB5c7iVNw==
This allows authentication and other operations to continue without requiring all migrated users to change their passwords. When such a password is next modified, the stored value is moved from NT/NTLM to the configured password-storage method.
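The check-and-migrate flow described above, as an added Python example (not CA Directory's own code): the candidate password is hashed under the scheme named by the {prefix} of the stored userPassword value and compared in constant time, and a password modify re-stores the value under the configured scheme. The NT/NTLM hash is MD4 over the UTF-16LE password; the {SSHA512} layout (SHA-512 over password and salt, followed by the salt) is an assumption following common LDAP practice, since this page does not document CA Directory's exact encoding.

```python
import base64, hashlib, hmac, os, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 ships MD4 only in its legacy provider."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):  # each step rotates the roles of a, b, c, d
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[j] + k) & M, shifts[i % 4]), b, c
        st = [(s + v) & M for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # NT/NTLM: MD4 over the UTF-16LE password

def ssha512(password: str, salt: bytes) -> bytes:
    # Assumed layout for {SSHA512}: SHA-512(password || salt) || salt
    return hashlib.sha512(password.encode() + salt).digest() + salt

def check_password(stored: str, candidate: str) -> bool:
    """Hash the candidate with the scheme named in the {prefix} and compare in constant time."""
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() in ("NT", "NTLM"):
        return hmac.compare_digest(raw, nt_hash(candidate))
    if scheme.upper() == "SSHA512":
        return hmac.compare_digest(raw, ssha512(candidate, raw[64:]))  # salt follows the 64-byte digest
    raise ValueError("unsupported password-storage scheme: " + scheme)

def store_password(password: str, salt: bytes = b"") -> str:
    """Encode an added/modified password under the configured storage (default: salted SHA-512)."""
    return "{SSHA512}" + base64.b64encode(ssha512(password, salt or os.urandom(16))).decode()

def modify_password(stored: str, old: str, new: str) -> str:
    """Password modify: verify under the old scheme, then re-store under the configured one."""
    if not check_password(stored, old):
        raise PermissionError("old password does not match")
    return store_password(new)
```

A migrated {NT} or {NTLM} entry therefore keeps authenticating until its owner changes the password, at which point the new value is written as {SSHA512}.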
Copyright © 2013 CA.
All rights reserved.