Salted SHA1 Password Storage Scheme

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Salted SHA1 Password Storage Scheme provides a mechanism for encoding user passwords using a salted form of the SHA-1 message digest algorithm.

NOTE: Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server.
This scheme contains an implementation for the user password syntax, with a storage scheme name of "SSHA", and an implementation of the auth password syntax, with a storage scheme name of "SHA1".

Parent Component Properties dsconfig Usage

Parent Component

The Salted SHA1 Password Storage Scheme component inherits from the Password Storage Scheme

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 salt-length-bytes

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Salted SHA1 Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server.

salt-length-bytes

Description
Specifies the number of bytes to use for the generated salt.
Default Value
8
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...