Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The SHA1 Password Storage Scheme provides a mechanism for encoding user passwords using an unsalted form of the SHA-1 message digest algorithm. Because the implementation does not use any kind of salting mechanism, a given password always has the same encoded form.
NOTE: Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server.
This scheme contains only an implementation for the user password syntax, with a storage scheme name of "SHA".
The SHA1 Password Storage Scheme component inherits from the Password Storage Scheme
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled |
| Description | A description for this Password Storage Scheme |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the SHA1 Password Storage Scheme is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | Although the SHA-1 message digest algorithm is not necessarily considered insecure, attacks against this digest have identified weaknesses and it is not recommended for use in new deployments. Rather, a stronger algorithm (e.g., one based on one of the 256-bit, 384-bit, or 512-bit SHA-2 variants, or one using a resource-intensive algorithm like PBKDF2, Bcrypt, or scrypt) should be selected. If you are migrating data that contains passwords encoded with the SHA-1 digest, you may wish to update all relevant password policies to mark this scheme as deprecated so that any user with a password encoded with this scheme will have their password automatically re-encoded whenever they successfully authenticate to the server. |
To list the configured Password Storage Schemes:
dsconfig list-password-storage-schemes
[--property {propertyName}] ...
To view the configuration for an existing Password Storage Scheme:
dsconfig get-password-storage-scheme-prop
--scheme-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Password Storage Scheme:
dsconfig set-password-storage-scheme-prop
--scheme-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...