Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Bcrypt Password Storage Scheme provides support for encoding passwords using the Bcrypt key derivation function. The string representation used by this password storage scheme is compatible with the format that OpenBSD uses for Bcrypt-encoded passwords, which has become the de facto string representation for Bcrypt-encoded passwords.
In the past, it was necessary to independently obtain the Bouncy Castle library and place it in the server's lib directory. This is no longer required, as the server ships with the necessary Bouncy Castle library.
This password storage scheme is not supported in servers running in FIPS-compliant mode.
The Bcrypt Password Storage Scheme component inherits from the Password Storage Scheme.
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled | |
| bcrypt-cost-factor | |
| encoded-password-cache-size | |
| description | |
|---|---|
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| enabled | |
|---|---|
| Description | Indicates whether the Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| bcrypt-cost-factor | |
|---|---|
| Description | Specifies the cost factor to use when encoding passwords with Bcrypt. A higher cost factor requires more processing to generate a password, which makes attacks against the password more expensive. The value must be between 4 and 31, inclusive. Increasing the cost factor by one doubles the amount of processing required to generate the password. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 4. Upper limit is 31. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
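The OpenBSD-style string described at the top of this page carries the cost factor in clear text, so an administrator can audit stored values for a weak cost without recomputing any hash. The following parser and audit routine is an added example, not code from the server or this page. It assumes the standard `$<version>$<cost>$<salt><hash>` layout, treats the scheme prefix `{BCRYPT}` as an assumption (the page does not state which prefix the server uses), and uses the 4..31 limits and the doubling-per-step rule stated in the property description above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Cost-factor limits and default stated on this page for bcrypt-cost-factor.
MIN_COST, MAX_COST = 4, 31
DEFAULT_COST = 10

# OpenBSD-style bcrypt string: $<version>$<2-digit cost>$<22-char salt><31-char hash>,
# where salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Assumption (not stated on this page): stored values may carry a "{BCRYPT}"
# scheme prefix, in the same style as "{SSHA256}" for the salted SHA-256 scheme.
_SCHEME_PREFIX = "{BCRYPT}"


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt value into its fields; reject costs outside 4..31."""
    value = stored
    if value.upper().startswith(_SCHEME_PREFIX):
        value = value[len(_SCHEME_PREFIX):]
    m = _BCRYPT_RE.match(value)
    if m is None:
        raise ValueError("not an OpenBSD-style bcrypt string")
    version, cost_text, salt, digest = m.groups()
    cost = int(cost_text)
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost factor {cost} is outside {MIN_COST}..{MAX_COST}")
    return BcryptHash(version, cost, salt, digest)


def relative_work(cost: int, baseline: int = DEFAULT_COST) -> float:
    """Processing relative to the baseline cost: each +1 on the cost factor doubles it."""
    return 2.0 ** (cost - baseline)


def audit_cost_factors(stored_values: List[str],
                       minimum_cost: int = DEFAULT_COST) -> List[Tuple[str, int, str]]:
    """Classify each stored value as 'ok', 'weak' (below minimum_cost) or 'not-bcrypt'."""
    report = []
    for stored in stored_values:
        try:
            parsed = parse_bcrypt(stored)
        except ValueError:
            report.append((stored, -1, "not-bcrypt"))
            continue
        verdict = "ok" if parsed.cost >= minimum_cost else "weak"
        report.append((stored, parsed.cost, verdict))
    return report


# Constructed sample values: the salt/hash characters are placeholders, not real digests.
SAMPLE_VALUES = [
    "{BCRYPT}$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "{SSHA256}not-a-bcrypt-value",
]

if __name__ == "__main__":
    for stored, cost, verdict in audit_cost_factors(SAMPLE_VALUES):
        work = f"{relative_work(cost):g}x default" if cost > 0 else "n/a"
        print(f"{verdict:10} cost={cost:>2} work={work:14} {stored}")
```

Because the cost is part of the stored string, raising `bcrypt-cost-factor` on the scheme only affects passwords encoded after the change; an audit like this shows which existing entries still carry the old cost and will stay cheaper to attack until their owners next change their password.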
| encoded-password-cache-size | |
|---|---|
| Description | The maximum number of Bcrypt-encoded passwords to cache for faster verification. The process for verifying Bcrypt-encoded passwords can be CPU-intensive. To help reduce this cost, the first time a Bcrypt-encoded password is successfully verified, that password can be stored in a cache that maps the Bcrypt-encoded representation to an SSHA256-encoded representation, which is much faster to verify. When processing a bind request for a user with a Bcrypt-encoded password, this cache will first be checked to determine whether it includes that encoded password. If the password is in the cache, the provided password can be verified using the much faster SSHA256-encoded representation instead of the more expensive Bcrypt-encoded version. A value of zero indicates that no caching should be performed. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
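The cache described above has three properties worth seeing in code: only successful verifications populate it, a cache hit is decided by the fast SSHA256 comparison alone, and a size of zero disables it. The following model is an added example, not the server's implementation. It assumes the common LDAP SSHA256 layout `{SSHA256}base64(sha256(password || salt) || salt)` (the page only names the scheme), stands in for the expensive Bcrypt check with PBKDF2-HMAC-SHA256 (no bcrypt library is assumed to be installed), and bounds the cache with least-recently-used eviction, which is a design choice of this example rather than something the page states.

```python
import base64
import hashlib
import hmac
import os
from collections import OrderedDict
from typing import Callable, Optional

SSHA256_PREFIX = "{SSHA256}"


def ssha256_encode(password: bytes, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256, assumed layout: base64(sha256(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password + salt).digest()
    return SSHA256_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: bytes, encoded: str) -> bool:
    if not encoded.startswith(SSHA256_PREFIX):
        return False
    raw = base64.b64decode(encoded[len(SSHA256_PREFIX):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(password + salt).digest(), digest)


# Stand-in for the expensive Bcrypt check (example only): PBKDF2-HMAC-SHA256 with a
# high iteration count, stored as "$demo$<salt hex>$<key hex>".
DEMO_ITERATIONS = 100_000


def demo_slow_encode(password: bytes, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password, salt, DEMO_ITERATIONS)
    return f"$demo${salt.hex()}${key.hex()}"


def demo_slow_verify(password: bytes, encoded: str) -> bool:
    parts = encoded.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(parts[2]), DEMO_ITERATIONS)
    return hmac.compare_digest(key, bytes.fromhex(parts[3]))


class EncodedPasswordCache:
    """Bind-time cache: slow encoded password -> SSHA256 encoding of the same cleartext."""

    def __init__(self, slow_verify: Callable[[bytes, str], bool], cache_size: int = 10000):
        self._slow_verify = slow_verify
        self._cache_size = cache_size            # 0 disables caching entirely
        self._entries: "OrderedDict[str, str]" = OrderedDict()
        self.slow_verifications = 0
        self.cache_hits = 0

    def __len__(self) -> int:
        return len(self._entries)

    def __contains__(self, encoded: str) -> bool:
        return encoded in self._entries

    def verify(self, password: bytes, encoded: str) -> bool:
        fast = self._entries.get(encoded)
        if fast is not None:
            # Hit: the cached SSHA256 value was derived from the cleartext that already passed
            # the slow check, so a mismatch here means a different password was presented.
            self.cache_hits += 1
            self._entries.move_to_end(encoded)
            return ssha256_verify(password, fast)
        self.slow_verifications += 1
        if not self._slow_verify(password, encoded):
            return False                         # failed binds are never cached
        if self._cache_size > 0:
            # Fresh random salt per entry; evict the least recently used entry at capacity.
            self._entries[encoded] = ssha256_encode(password)
            while len(self._entries) > self._cache_size:
                self._entries.popitem(last=False)
        return True


if __name__ == "__main__":
    stored = demo_slow_encode(b"correct horse battery staple")   # constructed cleartext
    cache = EncodedPasswordCache(demo_slow_verify)
    for attempt in (b"correct horse battery staple", b"correct horse battery staple", b"wrong"):
        ok = cache.verify(attempt, stored)
        print(f"{attempt!r}: {ok}, slow checks so far: {cache.slow_verifications}")
```

Run stand-alone, the second bind with the correct password and the later wrong-password attempt both resolve on the fast path, so the slow verifier runs exactly once. The cache key is the full encoded value, so a password change (which produces a new Bcrypt string) naturally misses and takes the slow path again.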
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes [--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop --scheme-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop --scheme-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Bcrypt Password Storage Scheme:
dsconfig create-password-storage-scheme --scheme-name {name} --type bcrypt --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme --scheme-name {name}