Administration Guide › Manage User Accounts and Passwords › Administer Passwords › Choose an Encryption Method for Passwords Stored in a DSA

Choose an Encryption Method for Passwords Stored in a DSA

User accounts are entries in the directory with the userPassword attribute.

By default, the passwords stored in the userPassword attribute are encrypted using SHA-1.

However, you can use a different encryption scheme to encrypt these passwords. To do this, you need to create a password rule that specifies the encryption scheme. Each password is encrypted with the new scheme when it is next updated.

To choose a encryption method for passwords stored in a DSA

1. Ensure that the DSA is running.
2. Add the following command to the dsaname.dxc file:

   set password-storage = sha-1 | sha-512 | md5 | ssha-1 | crypt | none;
   

3. Stop and start the DSA.

   Passwords that have already been encrypted are not updated automatically. The next time that a password is updated, it is encrypted using the new scheme.

More information:

DXmodify Tool—Add New or Changed Information to a Directory

Convert Passwords Already in a DSA to a New Encryption Method

If you change the encryption method for passwords in a DSA that already has encrypted passwords, these are not automatically updated. Although new passwords will be encrypted using the new method, existing passwords will use the old method.

To convert the encryption method for passwords already in a DSA

1. Choose an encryption method for passwords stored in a DSA.
2. Search the DSA for all passwords encrypted using the old encryption method, and write the results to an LDIF file.
3. Open the LDIF file in a text editor and make the following changes:
   1. Add the text dn: to the beginning of each DN.
   2. Add the following lines below each DN:

      	changetype: modify 
      	replace: userPassword 
      	userPassword: new-password
      

   Replace new-password with the actual new password for each entry.

4. Save the changed LDIF file.
5. Load the LDIF file into the DSA using the DXmodify tool.
6. Use the DXsearch tool to confirm that no passwords are encrypted using the old method, and also that passwords are now encrypted using the new method.

Example: Convert to the SSHA-1 Encryption Scheme

This example shows how to convert the passwords in the Democorp DSA from SHA-1 to SSHA-1.

In this example, the details are as follows:

• Old encryption scheme: SHA-1
• New encryption scheme: SSHA-1
• Democorp host: host23
• Democorp port number: 19389
• Name and password of the user who is authorized to change passwords: AdminUser, adminpassword

Follow these steps:

1. Ensure that the Democorp DSA is running.
2. Search the DSA for all passwords encrypted using SHA-1, using the following command:

   dxsearch -b "(o=democorp, c=au)" -s sub -D "{cn=AdminUser}" -w adminpassword -h host23 -p 19389 (userPassword={SHA}*) dn > sha-1.ldif
   

   This returns the entries in which the password is currently encrypted using SHA-1, and writes the results to the file sha-1.ldif.

3. Add the following command to the democorp.dxc file:

   set password-storage = ssha-1;
   

4. Stop and start the Democorp DSA.

   Each password is encrypted using the new encryption scheme the next time it is updated.

   To update all of the passwords now, follow the remaining steps.

5. Open the file sha-1.ldif in a text editor.
6. For each DN in the file, follow these steps:
   1. Add the text dn: to the beginning of each DN.
   2. Add the following lines below each DN:

      	changetype: modify 
      	replace: userPassword 
      	userPassword: new-password
      

   Replace new-password with the actual new password for each entry.

7. Save the changed LDIF file.
8. Ensure that the Democorp DSA is running.
9. Load the file into the DSA using the following command:

   dxmodify -r -c -h host23:19389 -D "{cn=AdminUser}" -w adminpassword -f sha-1.ldif
   

10. Confirm that the passwords have changed by performing another search for SHA-1 hashed passwords, using the following command:

    dxsearch -b {Base DN for search} -s sub -D "{cn=AdminUser}" -w adminpassword -h host23:19389 (userPassword={SHA}*) dn"
    

    The search result should show that no passwords are now encrypted with SHA-1.

11. Confirm that the passwords are encrypted with SSHA-1 by repeating the search for SSHA-1 passwords:

    dxsearch -b {Base DN for search} -s sub -D "{cn=AdminUser}" -w adminpassword -h host23:19389 (userPassword={SSHA}*) dn"