Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Salted SHA1 Password Storage Scheme provides a mechanism for encoding user passwords using a salted form of the SHA-1 message digest algorithm.
NOTE: Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server.
This scheme contains an implementation for the user password syntax, with a storage scheme name of "SSHA", and an implementation of the auth password syntax, with a storage scheme name of "SHA1".
The Salted SHA1 Password Storage Scheme component inherits from the Password Storage Scheme
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled | |
| salt-length-bytes |
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the Salted SHA1 Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server. |
| Description | Specifies the number of bytes to use for the generated salt. |
| Default Value | 8 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes
[--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop
--scheme-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop
--scheme-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...