
Sun OpenDS Standard Edition 2.2 Command-Line Usage Guide


encode-password

The encode-password command encodes and compares user passwords.

This command is not supported for the proxy.

Synopsis

encode-password options

Description

The encode-password command can be used to interact with the password storage schemes defined in the directory server. It has three modes of operation:

The set of authentication password schemes available for use in the directory server can be retrieved from the supportedAuthPasswordSchemes attribute of the root DSE entry. You can use ldapsearch to view this information.

Options

The encode-password command accepts an option in either its short form (for example, -c clearPassword) or its long form equivalent (for example, --clearPassword clearPassword).

-a, --authPasswordSyntax

Use the Authentication Password Syntax (as defined in RFC 3112), which encodes values in the form scheme$authInfo$authValue. If this option is not provided, the user password syntax (which encodes values in the form scheme$value) is used.

-c, --clearPassword clearPassword

Specify the clear-text password on which to operate when either encoding a clear-text password or comparing a clear-text password against an encoded password. This option must not be used in conjunction with --clearPasswordFile.

-e, --encodedPassword encodedPassword

Use the encoded password to compare against a given clear-text password. If the --authPasswordSyntax option is also provided, then this password must be encoded using the authentication password syntax. Otherwise, it should be encoded using the user password syntax. This option must not be used in conjunction with --encodedPasswordFile.

-E, --encodedPasswordFile encodedPasswordFile

Use the encoded password from the specified file to compare against a given clear-text password. If the --authPasswordSyntax option is also provided, then this password must be encoded using the authentication password syntax. Otherwise, it should be encoded using the user password syntax. This option must not be used in conjunction with --encodedPassword.

-f, --clearPasswordFile clearPasswordFile

Use the clear-text password from the specified file when either encoding a clear-text password or comparing a clear-text password against an encoded password. The option must not be used in conjunction with --clearPassword.

-i, --interactivePassword

The password to encode or to compare against an encoded password is interactively requested from the user.

-l, --listSchemes

Display a list of the password storage schemes that are available for use in the directory server. If the option is used by itself, it displays the names of the password storage schemes that support the user password syntax. If the option is used in conjunction with --authPasswordSyntax, it displays the names of the password storage schemes that support the authentication password syntax.

-r, --useCompareResultCode

Use an exit code that indicates whether a given clear-text password matched a provided encoded password. If this option is provided, the command exits with code 6 (COMPARE_TRUE) or code 5 (COMPARE_FALSE). Any other exit code indicates that the command failed to complete its processing to make the necessary determination. If this option is not provided, the command exits with zero if it completed its processing successfully, or with a value other than zero if an error occurred.

-s, --storageScheme storageScheme

Specify the name of the password storage scheme to use when encoding a clear-text password. If the --authPasswordSyntax option is provided, the value must be the name of a supported authentication password storage scheme. Otherwise, specify the name of a supported user password storage scheme.

-?, -H, --help

Display the command-line usage information for the command and exit immediately without taking any other action.

-V, --version

Display the version information for the directory server.

Examples

The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See Sun OpenDS Standard Edition System Requirements in Sun OpenDS Standard Edition 2.2 Installation Guide for more information.

Example 123
Listing the Storage Schemes on the Server

The following command lists the storage schemes (-l) available for use on the directory server.

$ encode-password -l
3DES
AES
BASE64
BLOWFISH
CLEAR
CRYPT
MD5
RC4
SHA
SMD5
SSHA
SSHA256
SSHA384
SSHA512

Example 124
Listing the Authentication Password Syntax Storage Schemes on the Server

The following command lists the storage schemes (-l) that support the authentication password syntax (-a) on the directory server.

$ encode-password -l -a

MD5
SHA1
SHA256
SHA384
SHA512

Example 125
Encoding a Clear-Text Password to Another Scheme

The following command encodes a clear-text password (-c) using the specified scheme (-s).

$ encode-password -c opendsrocks -s MD5

Encoded Password:  "{MD5}AjxHKRFkRwxx3j9lM2HMow=="

Example 126
Encoding a Clear-Text Password to Another Scheme using the Authentication Password Syntax

The following command encodes a clear-text password (-c) using the specified scheme (-s) and the authentication password syntax (-a).

$ encode-password -c opendsrocks -s MD5 -a

Encoded Password:  "MD5$/imERhcEu3U=$AFqmpZi8EiTIvMFwkcrf8A=="

Example 127
Comparing a Clear-Text Password to an Encoded Password

The following command compares a clear-text password (-c) with an encoded password (-e). Do not include the password scheme (for example, MD5) in your encoded password.

$ encode-password -c opendsrocks -e "AjxHKRFkRwxx3j9lM2HMow==" -s MD5

The provided clear-text and encoded passwords match

Example 128
Comparing a Clear-Text Password to an Encoded Password and Returning an Exit Code

The following command compares a clear-text password (-c) with an encoded password (-e) using the scheme (-s) and returns the exit code (-r) (6 for COMPARE_TRUE; 5 for COMPARE_FALSE). Do not include the password scheme (for example, MD5) in your encoded password.

$ encode-password -c opendsrocks -e "AjxHKRFkRwxx3j9lM2HMow==" -s MD5 -r

The provided clear-text and encoded passwords match

echo $?
6

Example 129
Encoding a Password contained in a File using SSHA

The following command encodes a clear-text password in a file (-f) using the specified scheme (-s). For Windows platforms, specify the path to your clear-text password file (for example, -f \temp\testpassword):

$ encode-password -s SSHA -f /tmp/testpassword

Encoded Password:   "{SSHA}QX2fMu+2N22N9qI+zu6fIZxsBVID3EsUlYYEbQ=="
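
The schemes listed in Examples 123 and 124 differ widely in strength, and the encoded values in Examples 125, 126 and 129 carry the scheme name in the value itself. The following shell functions are an added example, not part of the OpenDS documentation: they read an encoded value in either form shown above and report its syntax, scheme and a strength class. The function names and class labels are assumptions, and the grouping reflects general properties of the named algorithms.

```shell
#!/bin/sh
# Added example (not from the OpenDS guide). Function names and class labels
# are assumptions chosen for this illustration.

# classify_scheme NAME: strength class of a user password storage scheme.
classify_scheme() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        CLEAR|BASE64)                      echo reversible-encoding ;;
        3DES|AES|BLOWFISH|RC4)             echo reversible-encryption ;;
        MD5|SHA)                           echo unsalted-hash ;;
        CRYPT)                             echo legacy-crypt ;;
        SMD5|SSHA|SSHA256|SSHA384|SSHA512) echo salted-hash ;;
        *)                                 echo unknown ;;
    esac
}

# classify_encoded VALUE: prints "<syntax> <scheme> <class>".
# The encoded value itself is never echoed, so the report is safe to log.
classify_encoded() {
    case $1 in
        '{'*'}'?*)      # user password form seen in Example 125: {scheme}value
            scheme=$(printf '%s' "$1" | sed 's/^{\([^}]*\)}.*$/\1/')
            echo "userPassword $scheme $(classify_scheme "$scheme")" ;;
        *'$'*'$'*)      # RFC 3112 form: scheme$authInfo$authValue
            scheme=$(printf '%s' "$1" | cut -d'$' -f1)
            # In RFC 3112 the authInfo field of the hash schemes is the salt.
            echo "authPassword $scheme salted-hash" ;;
        *)  echo "unrecognized - unknown" ;;
    esac
}

# audit_values: classify one encoded value per line of stdin.
# Returns 1 if any value is stored as something other than a salted hash.
audit_values() {
    status=0
    while IFS= read -r value; do
        result=$(classify_encoded "$value")
        echo "$result"
        case $result in *' salted-hash') ;; *) status=1 ;; esac
    done
    return $status
}
```

Feed audit_values the password attribute values extracted from an LDIF export, one per line, to find entries still stored with a reversible or unsalted scheme.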

Exit Codes

Table 1  Exit Codes

Exit Code   Description
0           Operation completed successfully.
1           Error occurred during operation.
5           COMPARE_FALSE. Used with the -r or --useCompareResultCode option, an exit code of 5 indicates that a given clear-text password does not match the provided encoded password.
6           COMPARE_TRUE. Used with the -r or --useCompareResultCode option, an exit code of 6 indicates that a given clear-text password matches the provided encoded password.
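
With -r, a successful match exits with 6 rather than 0, so a script that treats any non-zero status as failure will misread the result, and one that treats every non-zero status as a mismatch will hide real errors. The wrapper below is an added example, not part of the OpenDS documentation, that maps the codes in Table 1 to three distinct outcomes and passes the clear-text password with -f so that it does not appear in the process argument list. The ENCODE_PASSWORD variable and the compare_password function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenDS guide). ENCODE_PASSWORD is an assumed
# variable naming the encode-password executable on this host.
ENCODE_PASSWORD="${ENCODE_PASSWORD:-encode-password}"

# compare_password CLEAR_FILE ENCODED SCHEME
#   CLEAR_FILE  file holding the clear-text password (passed with -f so the
#               password never appears in the process argument list)
#   ENCODED     encoded value without the scheme prefix, as in Example 127
# Prints match / mismatch and returns 0 / 1; returns 2 on any other outcome.
compare_password() {
    clear_file=$1; encoded=$2; scheme=$3

    # Refuse a password file that group or other users can access.
    perms=$(ls -ld -- "$clear_file" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "error: $clear_file missing or accessible to group/other" >&2
        return 2
    fi

    # With -r a match exits 6, so capture the code instead of letting
    # "set -e" or "&&" treat the non-zero status as a failure.
    rc=0
    "$ENCODE_PASSWORD" -f "$clear_file" -e "$encoded" -s "$scheme" -r \
        >/dev/null 2>&1 || rc=$?

    case $rc in
        6) echo match;    return 0 ;;   # COMPARE_TRUE
        5) echo mismatch; return 1 ;;   # COMPARE_FALSE
        *) echo "error: encode-password exited with $rc" >&2; return 2 ;;
    esac
}
```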
Location