Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
PBKDF2 Password Storage Scheme provide password storage scheme implementations that use the PBKDF2 key derivation function as described in the PKCS#5 specification contained in RFC 2898.
The PBKDF2 Password Storage Scheme component inherits from the Password Storage Scheme
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | max-password-length |
| enabled | |
| digest-algorithm | |
| iteration-count | |
| salt-length-bytes | |
| derived-key-length-bytes |
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the digest algorithm that will be used when encoding passwords. |
| Default Value | sha-1 |
| Allowed Values | sha-1 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA1. sha-256 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA256. sha-384 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA384. sha-512 - Indicates that passwords should be encoded with PBKDF2WithHmacSHA512. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | In a topology with multiple server versions, you should choose a digest algorithm that is supported by all servers in the topology. If a server encounters a password encoded with an unsupported digest algorithm, it will be unable to use that password. |
| Description | Specifies the number of iterations to use when encoding passwords. The value must be greater than or equal to 1000. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 1000. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the number of bytes to use for the generated salt. The value must be greater than or equal to 8. |
| Default Value | 16 |
| Allowed Values | An integer value. Lower limit is 8. Upper limit is 127 . |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the number of bytes to use for the derived key. The value must be greater than or equal to 8. |
| Default Value | 32 |
| Allowed Values | An integer value. Lower limit is 8. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
max-password-length (Advanced Property)
| Description | Specifies the maximum allowed length, in bytes, for passwords encoded with this scheme, which can help mitigate denial of service attacks from clients that attempt to bind with very long passwords. This password storage scheme performs expensive cryptographic computation as a way to thwart brute force password-cracking attacks. However, this processing consumes server resources, at the possible expense of the server's ability to process other operations. The longer a provided password is, the more expensive it is to encode, or to verify whether a provided password matches a user's encoded password. Malicious clients may attempt to exploit that by providing very long passwords during authentication attempts. However, if the provided password is longer than the configured max-password-length value, then this password storage scheme will immediately reject it rather than perform that expensive computation. |
| Default Value | 200 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes
[--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop
--scheme-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop
--scheme-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new PBKDF2 Password Storage Scheme:
dsconfig create-password-storage-scheme
--scheme-name {name}
--type pbkdf2
--set enabled:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Password Storage Scheme:
dsconfig delete-password-storage-scheme
--scheme-name {name}