passwordStorageScheme

- Sun ONE defined password policy attribute type

Synopsis

( 2.16.840.1.113730.3.1.221
 NAME 'passwordStorageScheme'
 DESC 'Sun ONE defined password policy attribute type'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 X-DS-USE 'internal'
 X-ORIGIN 'Sun ONE Directory Server' )

Description

Specifies the algorithm used to hash Directory Server passwords. The default password storage scheme is the Salted Secure Hash Algorithm (SSHA).

The following hash types are supported:

• SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.

• SHA (Secure Hash Algorithm) a version in use before SSHA.

• CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords and supports MD5, Blowfish, and other strong algorithms. To specify the algorithm used, give the format of the salt in the nsslapd-plugingarg()() argument as follows:

  nsslapd-pluginarg(): value()

  The value is in the snprintf format corresponding to specific salt formats. For example, some of the formats supported include %.2s, $1$%.8s, $2a$04$%.22s, and $md5$%.8s$. If the string value maps to an algorithm that is not supported by the operating system, then a warning message is logged and the hash will be made using the default UNIX algorithm with a salt made of 31 random characters.

If this attribute is set to CLEAR, passwords are not encrypted and appear in plain text.

You can extend how password attributes are stored by writing your own password storage scheme plug-in.

SYNTAX

Directory String, multi-valued.

Usage

Attribute specific to this Directory Server instance and version of the schema.

Examples

passwordStorageScheme: CLEAR

Attributes

See attributes(5) for descriptions of the following attributes: