Customized Password Storage Scheme

This topic has 12 replies, 5 voices, and was last updated 4 years, 9 months ago by [email protected].

     Juan Carlos

    I want to create a new password storage scheme with a new algorithm I created to store passwords, I’m not using default password algorithms.

    What is the best way to get this? I know in Sun Java Directory Server it was done with some sort of plugin when a new algorithm was implemented but I just want to know what is the best recommendation with OpenDJ 2.6.0.

    Thank you


    In OpenDJ, all password storage schemes implement an interface, a pretty simple one.
    You might want to look at the OpenDJ server code, the extensions folder, and copy one of the schemes as a base for yours.
    Password storage schemes can have configuration and need to be declared in the configuration, so a custom storage scheme will need its configuration description in XML, to automatically generate the dsconfig client and server code.


    I too have a need for a custom password storage scheme. I have written code that extends PasswordStorageScheme but I cannot find any documentation on how to install and configure it. Attempts to use dsconfig create-password-storage-scheme to configure it have not been successful.

    Does this documentation exist? If not, can you provide that information to the masses?


    I’m afraid this specific part has not been documented.
    But a custom password storage scheme should be installed like any extension (and this is documented in the plugin example delivered with OpenDJ).


    I do not find the existence of the plugin sample source to be useful in solving my problem. For starters, you can’t build the example as it references things that are not in your repository.

    Furthermore, it is entirely unclear how a “plugin” becomes available as a custom password scheme. ExamplePlugin extends DirectoryServerPlugin and handles the STARTUP plugin type. None of the defined plugin types appear to be related to password processing. Also, none of your predefined password storage schemes are implemented as plugins.


    Sorry if I wasn’t clear. I didn’t say that custom password storage schemes were “plugins”. I said that you install them the same way as a plugin, i.e. place the jar file and dependencies in the lib/extensions/ directory.
    Also, we’ve changed a lot how to build extensions between the 2.6.x and 3.x versions. With 2.6, the build is based on Ant and extensions should be built along with the rest of the server’s code.
    It’s much simpler starting with version 3.5 and a Maven build. But it’s still not documented (it should be with the next major release).


    Thank you Ludo for your assistance. Yesterday, through experimentation, I was able to add my custom scheme to the server as an extension, albeit with an error. My current hurdle is that a password scheme must reference a configuration class:

    public class MyStorageScheme extends PasswordStorageScheme<MyStorageSchemeCfg>

    I don’t need any configurable parameters (other than the standard enabled and java-class), and I don’t need localization like you do in your built-in scheme configurations, so this should be easy. I’ve tried reusing an existing config class and using my own, but I can’t seem to get the server to pass the right configuration class to my -type custom scheme.


    As far as I know, custom is not a valid type for a password storage scheme (at least not with dsconfig).


    I only knew of the custom type because of the dsconfig create-password-storage-scheme help message:

    -t, --type {type}
    The type of Password Storage Scheme which should be created. The value for
    TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt |
    custom | md5 | pbkdf2 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 |
    salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des

    I was able, however, to finally accomplish what I wanted to do. It took longer than it should have because I was sidetracked by some of the things I tried. Here are the steps that worked for me:

    1 – Write a custom storage scheme that uses an existing password storage config (salted-sha1 in this case). The class declaration was public class MyStorageScheme extends PasswordStorageScheme<SaltedSHA1PasswordStorageSchemeCfg>
    2 – Place a JAR containing my scheme (and other dependency JARS) in OpenDJ’s lib/extensions directory
    3 – Install my password storage scheme with a command like this:

    dsconfig --bindPassword ******* -D "cn=Directory Manager" --trustAll -h localhost -p 4444 create-password-storage-scheme --scheme-name MyScheme --type salted-sha1 --set enabled:true --set java-class:com.something.MyStorageScheme

    I didn’t solve the issue of how to use my own custom configuration class but that wasn’t necessary in this example. Thanks for your help Ludo.
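    The three steps above (write a scheme against an existing config class, drop the JAR into lib/extensions, register it with dsconfig using the matching --type) leave out what the scheme class itself has to contain. The following is an added example, not code from the thread or from OpenDJ: a complete salted SHA-256 scheme that, like the poster's, reuses the built-in salted-sha1 configuration class so no new config XML is needed. The package and class names (com.example.opendj.MyStorageScheme, scheme name MYSCHEME), the storage layout base64(digest || salt), the 8-byte salt, and the assumption of Java 8 for java.util.Base64 are all my choices; the org.opends.server.* import paths and the abstract method signatures are those I believe OpenDJ 2.6 uses (3.x moved them under org.forgerock.opendj.*), so check them against the server JAR you actually build against.

```java
package com.example.opendj; // hypothetical package, not from the thread

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import org.opends.messages.Message;
import org.opends.server.admin.std.server.SaltedSHA1PasswordStorageSchemeCfg;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.config.ConfigException;
import org.opends.server.types.ByteSequence;
import org.opends.server.types.ByteString;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;

/**
 * Example custom scheme: salted SHA-256, stored as base64(digest || salt).
 * Registered with: dsconfig create-password-storage-scheme --type salted-sha1
 *   --set java-class:com.example.opendj.MyStorageScheme --set enabled:true
 */
public class MyStorageScheme extends PasswordStorageScheme<SaltedSHA1PasswordStorageSchemeCfg> {
  private static final String SCHEME_NAME = "MYSCHEME"; // appears as {MYSCHEME}... in userPassword
  private static final int SALT_LENGTH = 8;
  private static final int DIGEST_LENGTH = 32;          // SHA-256 output size
  private final SecureRandom random = new SecureRandom();

  @Override
  public void initializePasswordStorageScheme(SaltedSHA1PasswordStorageSchemeCfg configuration)
      throws ConfigException, InitializationException {
    // The borrowed salted-sha1 config carries only enabled/java-class; nothing to read here.
  }

  @Override
  public String getStorageSchemeName() { return SCHEME_NAME; }

  /** Fresh random salt per password; digest first, then salt, so the salt can be recovered. */
  @Override
  public ByteString encodePassword(ByteSequence plaintext) throws DirectoryException {
    byte[] salt = new byte[SALT_LENGTH];
    random.nextBytes(salt);
    byte[] digest = digest(plaintext.toByteArray(), salt);
    byte[] stored = new byte[DIGEST_LENGTH + SALT_LENGTH];
    System.arraycopy(digest, 0, stored, 0, DIGEST_LENGTH);
    System.arraycopy(salt, 0, stored, DIGEST_LENGTH, SALT_LENGTH);
    return ByteString.valueOf(Base64.getEncoder().encodeToString(stored));
  }

  @Override
  public ByteString encodePasswordWithScheme(ByteSequence plaintext) throws DirectoryException {
    return ByteString.valueOf("{" + SCHEME_NAME + "}" + encodePassword(plaintext).toString());
  }

  /** Recompute the digest with the stored salt and compare in constant time. */
  @Override
  public boolean passwordMatches(ByteSequence plaintextPassword, ByteSequence storedPassword) {
    byte[] stored;
    try {
      stored = Base64.getDecoder().decode(storedPassword.toString());
    } catch (IllegalArgumentException e) {
      return false; // malformed stored value never matches
    }
    if (stored.length != DIGEST_LENGTH + SALT_LENGTH) {
      return false; // wrong layout, e.g. a value written by another scheme
    }
    byte[] expected = Arrays.copyOfRange(stored, 0, DIGEST_LENGTH);
    byte[] salt = Arrays.copyOfRange(stored, DIGEST_LENGTH, stored.length);
    byte[] actual = digest(plaintextPassword.toByteArray(), salt);
    return MessageDigest.isEqual(expected, actual); // constant-time comparison
  }

  @Override
  public boolean isReversible() { return false; }

  @Override
  public ByteString getPlaintextValue(ByteSequence storedPassword) throws DirectoryException {
    throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
        Message.raw("Scheme " + SCHEME_NAME + " is not reversible"));
  }

  // authPassword (RFC 3112 style) syntax is not supported by this example scheme.
  @Override
  public boolean supportsAuthPasswordSyntax() { return false; }

  @Override
  public ByteString encodeAuthPassword(ByteSequence plaintext) throws DirectoryException {
    throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
        Message.raw("authPassword syntax not supported by " + SCHEME_NAME));
  }

  @Override
  public boolean authPasswordMatches(ByteSequence plaintextPassword, String authInfo, String authValue) {
    return false;
  }

  @Override
  public ByteString getAuthPasswordPlaintextValue(String authInfo, String authValue) throws DirectoryException {
    throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM,
        Message.raw("authPassword syntax not supported by " + SCHEME_NAME));
  }

  @Override
  public boolean isStorageSchemeSecure() { return true; } // salted one-way hash

  private static byte[] digest(byte[] password, byte[] salt) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update(password);
      md.update(salt);
      return md.digest();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
    }
  }
}
```

    Two points worth checking after installing it: dsconfig will list the scheme as type salted-sha1 because that is the configuration class it borrows, so the stored prefix {MYSCHEME} is the only place the real algorithm is visible; and passwordMatches must reject malformed or foreign-layout values and compare digests with MessageDigest.isEqual rather than Arrays.equals, so a scheme ported from an in-house system does not introduce a timing side channel on the bind path.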


    I found this post very helpful. I need to do something similar. I’m a little confused about where to find the required jars to build my extension. Ludo, you mention this can be done through Maven for newer versions of OpenDJ. Is this the repository we would use to find the dependencies: ?

    If there is any draft documentation about building the custom password scheme, I would appreciate it. We’re looking to extend the SaltedSHA256PasswordStorageSchemeCfg for importing credentials from an outside system that used a slightly different hashing scheme.



    @andrew-schoewemsci-com If you are a customer, you should find the information about the repository with the appropriate dependencies in the Knowledge Base on BackStage.
    I’ve started documenting how to build a custom password scheme (as a side project), there is no ETA yet, but it’s very similar to writing a plugin, except that it extends the PasswordStorageScheme interface.


    @ludo: Has this documentation been completed? We are a new user of ForgeRock and will be transitioning our users from an in-house written solution to ForgeRock. With this we need to maintain our algorithm and I would greatly appreciate seeing documentation on how this is done.


    Here is the article on the different password schemes….

    But that’s different than the process/dependencies needed to build your own password scheme plugin.
