Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Argon2i Password Storage Scheme provides a mechanism for encoding passwords using the memory-hard Argon2i password hash and proof-of-work function, as described in draft-irtf-cfrg-argon2.
There are three variants of the Argon2 algorithm: Argon2i, Argon2d, and Argon2id. The Argon2i variant offers better resistance to side-channel attacks. The Argon2d variant offers better resistance to GPU attacks. The Argon2id variant combines both approaches to offer a degree of resistance against both types of attacks, and is generally recommended for use when encoding passwords.
The Argon2i Password Storage Scheme component inherits from the Argon2 Password Storage Scheme.
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled | |
| iteration-count | |
| parallelism-factor | |
| memory-usage-kb | |
| salt-length-bytes | |
| derived-key-length-bytes | |
| encoded-password-cache-size | |
| Property | description |
|---|---|
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property | enabled |
|---|---|
| Description | Indicates whether the Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property | iteration-count |
|---|---|
| Description | The number of rounds of cryptographic processing required in the course of encoding each password. Increasing this value makes the algorithm more computationally intensive, and thereby increases the cost of password-guessing attacks. However, it also limits the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords. The value must be greater than or equal to 1 and less than or equal to 8,388,607. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 8388607. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property | parallelism-factor |
|---|---|
| Description | The number of concurrent threads that will be used in the course of encoding each password. Increasing this value reduces the number of password encoding operations that may be processed concurrently, and thereby increases the cost of password-guessing attacks. However, it can also limit the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords. The value must be greater than or equal to 1 and less than or equal to 255. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 255. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property | memory-usage-kb |
|---|---|
| Description | The number of kilobytes of memory that must be used in the course of encoding each password. Increasing this value limits the number of password encoding operations that may be processed concurrently. If too many password encoding attempts are in progress, the aggregate memory consumption may exceed the amount of memory available for the server to use. The value must be greater than or equal to 8 and less than or equal to 8,388,607. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 8388607. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property | salt-length-bytes |
|---|---|
| Description | The number of bytes to use for the generated salt. The salt introduces random data into the password encoding process. This means that repeated attempts to encode the same password will yield different outputs. A sufficiently large salt prevents pre-computed dictionary attacks by ensuring that the number of possible encoded representations of any single password is too large to feasibly generate. The value must be greater than or equal to 8 and less than or equal to 255. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 255. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property | derived-key-length-bytes |
|---|---|
| Description | The number of bytes to use for the derived key. The value must be greater than or equal to 8 and less than or equal to 512. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 512. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
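The five required cost and size properties above interact, and a value that passes each per-property limit can still be unusable or unsafe. The following is an added example, not code from this product, that checks a set of property values against the limits stated on this page, adds the Argon2-level rule that memory must be at least 8 times the parallelism (from RFC 9106, the published form of draft-irtf-cfrg-argon2), and estimates the aggregate memory that the memory-usage-kb description warns about. The property names are the page's; the sample values are constructed.

```python
# Added example (not from the product documentation): sanity-check Argon2i
# Password Storage Scheme property values before applying them with dsconfig.

# Documented bounds from this page: property -> (lower limit, upper limit)
LIMITS = {
    "iteration-count": (1, 8_388_607),
    "parallelism-factor": (1, 255),
    "memory-usage-kb": (8, 8_388_607),
    "salt-length-bytes": (8, 255),
    "derived-key-length-bytes": (8, 512),
}


def check_scheme(props: dict) -> list:
    """Return a list of problems; an empty list means the values are acceptable."""
    problems = []
    for name, (lo, hi) in LIMITS.items():
        if name not in props:
            problems.append(f"{name} is required but missing")
            continue
        v = props[name]
        if not isinstance(v, int) or not lo <= v <= hi:
            problems.append(f"{name}={v!r} outside {lo}..{hi}")
    if problems:
        return problems
    m, p = props["memory-usage-kb"], props["parallelism-factor"]
    # Argon2 (RFC 9106) requires memory >= 8 * parallelism lanes; values that
    # satisfy each per-property limit can still violate this combined rule.
    if m < 8 * p:
        problems.append(f"memory-usage-kb={m} must be at least 8*parallelism-factor={8 * p}")
    # Caveat: RFC 9106 recommends 16-byte salts; the page's floor of 8 is the
    # minimum the server accepts, not a recommendation.
    if props["salt-length-bytes"] < 16:
        problems.append("salt-length-bytes below the 16 bytes recommended by RFC 9106")
    return problems


def aggregate_memory_mb(memory_usage_kb: int, concurrent_encodings: int) -> float:
    """Worst-case memory if this many password encodings run at the same time."""
    return memory_usage_kb * concurrent_encodings / 1024


# Constructed sample values, as they would be passed via dsconfig --set name:value
SAMPLE = {
    "enabled": True,
    "iteration-count": 3,
    "parallelism-factor": 4,
    "memory-usage-kb": 65536,
    "salt-length-bytes": 16,
    "derived-key-length-bytes": 32,
}
```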
| Property | encoded-password-cache-size |
|---|---|
| Description | The maximum number of Argon2-encoded passwords to cache for faster verification. The process for verifying Argon2-encoded passwords can be resource-intensive. To help reduce this cost, the first time an Argon2-encoded password is successfully verified, that password can be stored in the cache that maps the Argon2-encoded representation to an SSHA256-encoded representation, which is much faster to verify. When processing a bind request for a user with an Argon2-encoded password, this cache will first be checked to determine whether it includes that encoded password. If the password is in the cache, the provided password can be verified using the much faster SSHA256-encoded representation instead of the more expensive Argon2-encoded version. A value of zero indicates that no caching should be performed. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
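To make the cache mechanism described above concrete, here is an added example, not the server's own implementation, of a bounded cache that maps an expensive encoding to an SSHA256 encoding of the same password and consults it first on verification. Because Argon2 is not in the Python standard library, the expensive scheme is represented by hashlib.scrypt (also memory-hard) as a labelled stand-in; the SSHA256 layout, eviction order and the {SSHA256} prefix are assumptions of the example.

```python
# Added example (not product code): verification cache keyed by the expensive
# encoding, as the encoded-password-cache-size description explains.
import base64, hashlib, hmac, os
from collections import OrderedDict

SCRYPT = dict(n=2**12, r=8, p=1)  # stand-in cost parameters for the "slow" scheme


def slow_encode(password: str) -> str:
    """Stand-in for the Argon2 encoder: base64(salt) '$' base64(digest)."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()


def slow_verify(encoded: str, password: str) -> bool:
    salt_b64, dk_b64 = encoded.split("$")
    dk = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64), **SCRYPT)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def ssha256_encode(password: str) -> str:
    """{SSHA256}base64(sha256(password || salt) || salt): the cheap cached form."""
    salt = os.urandom(8)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def ssha256_verify(encoded: str, password: str) -> bool:
    raw = base64.b64decode(encoded[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password.encode() + salt).digest(), digest)


class VerificationCache:
    """Maps a slow-scheme encoding to an SSHA256 encoding of the same password."""
    def __init__(self, max_size: int):
        self.max_size = max_size           # 0 disables caching, as documented
        self._cache: OrderedDict = OrderedDict()
        self.slow_calls = 0                # counts expensive verifications

    def verify(self, encoded: str, password: str) -> bool:
        fast = self._cache.get(encoded)
        if fast is not None:               # hit: only the cheap SSHA256 check runs
            return ssha256_verify(fast, password)
        self.slow_calls += 1
        if not slow_verify(encoded, password):
            return False                   # failed attempts are never cached
        if self.max_size > 0:
            self._cache[encoded] = ssha256_encode(password)
            while len(self._cache) > self.max_size:
                self._cache.popitem(last=False)   # evict the oldest entry
        return True

    def size(self) -> int:
        return len(self._cache)
```

Note that a wrong password against a cached entry still fails, since the cached SSHA256 value is derived from the password that was verified, and a cache entry naturally becomes unused when the stored Argon2 encoding changes because the encoding itself is the key.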
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes [--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop --scheme-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop --scheme-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Argon2i Password Storage Scheme:
dsconfig create-password-storage-scheme --scheme-name {name} --type {type} --set enabled:{propertyValue} --set iteration-count:{propertyValue} --set parallelism-factor:{propertyValue} --set memory-usage-kb:{propertyValue} --set salt-length-bytes:{propertyValue} --set derived-key-length-bytes:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme --scheme-name {name}