Encrypt Passwords Stored in the Directory

User accounts are entries in the directory with the userPassword attribute.

By default, the passwords stored in the userPassword attribute are encrypted using SHA-1.

However, you can use a different encryption scheme to encrypt these passwords. To do this, you need to create a password rule that specifies the encryption scheme. Each password is encrypted with the new scheme when it is next updated.

To use a different encryption scheme for the userPassword attribute

  1. Add the following command to the dsaname.dxc file:
    set password-storage = sha-1 | md5 | ssha-1 | crypt | none;
    
  2. Stop and start the DSA.

    When each password is next updated, it is encrypted using the new encryption scheme.

Example: Convert to the SSHA-1 Encryption Scheme

This example shows how to convert the passwords in the Democorp DSA from SHA-1 to SSHA-1.

In this example, the details are as follows:

Follow these steps:

  1. Ensure that the Democorp DSA is running.
  2. Search the DSA for all passwords encrypted using SHA-1, using the following command:
    dxsearch -b "(o=democorp, c=au)" -s sub -D "{cn=AdminUser}" -w adminpassword -h host23 -p 19389 (userPassword={SHA}*) dn > sha-1.ldif
    

    This returns the entries in which the password is currently encrypted using SHA-1, and writes the results to the file sha-1.ldif.

  3. Add the following command to the democorp.dxc file:
    set password-storage = ssha-1;
    
  4. Stop and start the Democorp DSA.

    Each password is encrypted using the new encryption scheme the next time it is updated.

    To update all of the passwords now, follow the remaining steps.

  5. Open the file sha-1.ldif in a text editor.
  6. For each DN in the file, follow these steps:
    1. Add the text dn: to the beginning of each DN.
    2. Add the following lines below each DN:
      changetype: modify
      replace: userPassword
      userPassword: new-password


    Replace new-password with the actual new password for each entry.

  7. Save the changed LDIF file.
  8. Ensure that the Democorp DSA is running.
  9. Load the file into the DSA using the following command:
    dxmodify -r -c -h host23:19389 -D "{cn=AdminUser}" -w adminpassword -f sha-1.ldif
    
  10. Confirm that the passwords have changed by performing another search for SHA-1 hashed passwords, using the following command:
    dxsearch -b {Base DN for search} -s sub -D "{cn=AdminUser}" -w adminpassword -h host23:19389 (userPassword={SHA}*) dn
    

    The search result should show that no passwords are now encrypted with SHA-1.

  11. Confirm that the passwords are encrypted with SSHA-1 by repeating the search for SSHA-1 passwords:
    dxsearch -b {Base DN for search} -s sub -D "{cn=AdminUser}" -w adminpassword -h host23:19389 (userPassword={SSHA}*) dn
    
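The editing in steps 5 and 6 and the checks in steps 10 and 11 are easy to get wrong by hand on a large DSA. The following script is an added example, not part of the CA Directory documentation or tools: it turns the bare DN list produced by the step 2 search into the changetype: modify LDIF of step 6, flags entries that still carry the new-password placeholder, and tallies the scheme prefix of each userPassword value in an LDIF export so the SHA-1 / SSHA-1 counts can be checked offline. The sample DN list, export and password values are constructed for illustration; the function names and the new_passwords mapping are this example's own.

```python
"""Added example for the SHA-1 to SSHA-1 conversion procedure (not CA code).

- read_dns():          parse the step-2 search output (one DN per line)
- build_modify_ldif(): emit the step-6 modify blocks for dxmodify
- unmapped_dns():      list entries that still have the placeholder password
- count_schemes():     tally {SHA}/{SSHA}/... prefixes in an LDIF export
"""
import base64
import hashlib
import os
import re
from collections import Counter

# Constructed sample of `dxsearch ... (userPassword={SHA}*) dn > sha-1.ldif`:
# bare DNs, one per line, as the procedure assumes before "dn: " is added.
SAMPLE_SHA1_LDIF = """\
cn=Alice Smith,ou=Corporate,o=democorp,c=au

cn=Bob Jones,ou=Corporate,o=democorp,c=au
"""

# Constructed LDIF export with userPassword values in the three forms an
# export can contain: {SHA}, {SSHA} (salt appended to the digest before
# base64), and a base64-encoded attribute value (the "::" LDIF syntax).
_SALT = os.urandom(4)
_SSHA_VALUE = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"secret" + _SALT).digest() + _SALT).decode()
_SHA_VALUE = "{SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode()
SAMPLE_EXPORT = (
    "dn: cn=Alice Smith,ou=Corporate,o=democorp,c=au\n"
    f"userPassword: {_SHA_VALUE}\n\n"
    "dn: cn=Bob Jones,ou=Corporate,o=democorp,c=au\n"
    f"userPassword: {_SSHA_VALUE}\n\n"
    "dn: cn=Carol White,ou=Corporate,o=democorp,c=au\n"
    "userPassword:: " + base64.b64encode(_SHA_VALUE.encode()).decode() + "\n"
)

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
PLACEHOLDER = "new-password"


def read_dns(text):
    """Return the DNs in the step-2 output, skipping blanks and comments and
    tolerating an existing 'dn:' prefix so a re-run does not double it."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            line = line[3:].strip()
        dns.append(line)
    return dns


def build_modify_ldif(dns, new_passwords, placeholder=PLACEHOLDER):
    """Emit one 'changetype: modify' block per DN (steps 6.1 and 6.2).
    new_passwords maps DN -> replacement password; DNs without a mapping keep
    the placeholder so the operator can see what still needs a real value."""
    blocks = []
    for dn in dns:
        blocks.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {new_passwords.get(dn, placeholder)}\n"
        )
    return "\n".join(blocks)


def unmapped_dns(dns, new_passwords):
    """DNs that would still be written with the placeholder password."""
    return [dn for dn in dns if dn not in new_passwords]


def count_schemes(ldif_text):
    """Tally the scheme prefix of every userPassword value in an LDIF export.
    Base64-encoded values ('userPassword::') are decoded first; values with
    no {SCHEME} prefix are counted as 'plain'."""
    counts = Counter()
    for line in ldif_text.splitlines():
        if not line.lower().startswith("userpassword:"):
            continue
        _, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        m = SCHEME_RE.match(value)
        counts[m.group(1).upper() if m else "plain"] += 1
    return dict(counts)


if __name__ == "__main__":
    dns = read_dns(SAMPLE_SHA1_LDIF)
    print(build_modify_ldif(dns, {dns[0]: "Tr0ub4dor-example"}))
    print("still placeholder:", unmapped_dns(dns, {dns[0]: "x"}))
    print("schemes in export:", count_schemes(SAMPLE_EXPORT))
```

Run dxmodify against the generated file only once unmapped_dns() returns an empty list; an entry loaded with the literal new-password placeholder would get that string as its real password. After the load, count_schemes() on a fresh export should report no SHA entries, which is the same check that steps 10 and 11 perform with dxsearch.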

More information:

set password-storage Command

DXmodify Tool—Add New or Changed Information to a Directory


Copyright © 2009 CA. All rights reserved.