Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact support for assistance if you believe that you have a need to create or modify this type of object.
The Argon2 Password Storage Scheme provides a mechanism for encoding passwords using the memory-hard Argon2 password hash and proof-of-work function, as described in draft-irtf-cfrg-argon2.
In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.
This password storage scheme is not supported in servers running in FIPS 140-2-compliant mode.
↓Parent Component
↓Properties
↓dsconfig Usage
The Argon2 Password Storage Scheme component inherits from the Password Storage Scheme
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | None |
| ↓ enabled | |
| ↓ iteration-count | |
| ↓ parallelism-factor | |
| ↓ memory-usage-kb | |
| ↓ salt-length-bytes | |
| ↓ derived-key-length-bytes |
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The number of rounds of cryptographic processing required in the course of encoding each password. Increasing this value makes the algorithm more computationally intensive, and thereby increases the cost of password-guessing attacks. However, it also limits the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords. The value must be greater than or equal to 1 and less than or equal to 8,388,607. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 8388607 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The number of concurrent threads that will be used in the course of encoding each password. Increasing this value reduces the number of password encoding operations that may be processed concurrently, and thereby increases the cost of password-guessing attacks. However, it can also limit rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords. The value must be greater than or equal to 1 and less than or equal to 255. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 255 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The number of kilobytes of memory that must be used in the course of encoding each password. Increasing this value limits the number of password encoding operations thta may be processed concurrently. If too many password encoding attempts are in progress, the aggregate memory consumption may exceed the amount of memory available for the server to use. The value must be greater than or equal to 8 and less than or equal to 8,388,607. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 8388607 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The number of bytes to use for the generated salt. The salt introduces random data into the password encoding process. This means that repeated attempts to encode the same password will yield different outputs. A sufficiently large salt prevents pre-computed dictionary attacks by ensuring that the number of possible encoded representations of any single password is too large to feasibly generate. The value must be greater than or equal to 8 and less than or equal to 255. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 255 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The number of bytes to use for the derived key. The value must be greater than or equal to 8 and less than or equal to 512. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 512 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes
[--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop
--scheme-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop
--scheme-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Argon2 Password Storage Scheme:
dsconfig create-password-storage-scheme
--scheme-name {name}
--type argon2
--set enabled:{propertyValue}
--set iteration-count:{propertyValue}
--set parallelism-factor:{propertyValue}
--set memory-usage-kb:{propertyValue}
--set salt-length-bytes:{propertyValue}
--set derived-key-length-bytes:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme
--scheme-name {name}