Import users with pre-encoded passwords

This topic contains 4 replies, has 3 voices, and was last updated by  Bill Nelson 9 months ago.


    Hi Forgerock team,
    I’m trying to import users from one open-dj server to another. For that I have imported all user data in ldif and am trying to import them, but while doing so I encountered that I’m unable to use the same password that I have in the previous server.
    I have done the following changes before importing.
    1. In default password policy – allow-pre-encoded-passwords: true

    ldapmodify -p 1389 -D "cn=Directory Manager" -w password
    dn: uid=shahid,ou=People,dc=example,dc=com
    changetype: add
    objectClass: top
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    userPassword: {SSHA}e1NTSEF9TmZ5TzV2ZFJ3UVRHcXBha3hVT01oUWZNcWJLbnJ0ZFJLb0ZUeXc9PQ==

    Later I read some blogs saying that Open-DJ does some base64 encoding while importing passwords.
    Kindly help!!!

    • This topic was modified 9 months, 1 week ago by  sharad.jash.


    Could you please be more explicit about the problem you are encountering?
    What do you mean by “unable to use the same password”?


    Hi @ludo
    I meant that, e.g., user1 has the password user123 in an encrypted format (as shown earlier).
    So when I’m importing user1 into the second server with that pre-encoded password, it is not accepting that password.

    The encoded password is different in both the systems.
    I hope you are able to get what I’m saying.

    Thanks for help…

    • This reply was modified 9 months, 1 week ago by  sharad.jash.

    How is the encoded password different?
    How do you authenticate?
    Have you checked the server’s access logs for the authentication attempt? What is the exact error message?

     Bill Nelson 


    You don’t mention how you are setting the allow-pre-encoded-passwords attribute to true in the password policy. Keep in mind that you cannot simply edit the config.ldif file and make this change (if that is how you are doing it).

    I can tell you that you are on the right track, however, and using the dsconfig command to set this attribute works just fine. I have used the following many, many times to move hashed passwords from one LDAP server to another.

    /path/to/opendj/bin/dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true --hostname localhost --port 4444 --bindDN cn="Directory Manager" --bindPassword password --trustAll --no-prompt
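Added example, not part of the original thread: a Python pre-import check for `{SSHA}` values in `userPassword`. Run on the value from the first post, it shows that the text after `{SSHA}` is itself the base64 of a complete `{SSHA}...` string, which is consistent with an LDIF base64 value (`userPassword::`) having been copied after a `{SSHA}` prefix. The function name and status labels are illustrative assumptions.

```python
import base64
import binascii

SHA1_LEN = 20  # an SSHA payload is a 20-byte SHA-1 digest followed by the salt

# userPassword value exactly as posted in the first message of the thread
POSTED = "{SSHA}e1NTSEF9TmZ5TzV2ZFJ3UVRHcXBha3hVT01oUWZNcWJLbnJ0ZFJLb0ZUeXc9PQ=="


def inspect_ssha(value):
    """Classify a '{SSHA}<base64>' string (illustrative helper, not an OpenDJ API)."""
    scheme, brace, b64 = value.partition("}")
    if not brace or scheme.upper() != "{SSHA":
        return {"status": "not-ssha", "usable": None}
    try:
        payload = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return {"status": "bad-base64", "usable": None}
    # A payload that itself starts with "{SSHA}" means the value was base64
    # encoded a second time: the bytes stored as the "digest" would be ASCII
    # text rather than a SHA-1 hash of the password.
    if payload[:6].upper() == b"{SSHA}":
        inner = inspect_ssha(payload.decode("ascii", errors="replace"))
        if inner["status"] == "ok":
            return {**inner, "status": "double-encoded"}
        return {"status": "bad-inner-value", "usable": None}
    if len(payload) <= SHA1_LEN:
        return {"status": "too-short", "usable": None}  # no room for a salt
    return {"status": "ok", "usable": value, "salt_len": len(payload) - SHA1_LEN}


if __name__ == "__main__":
    report = inspect_ssha(POSTED)
    print("status:", report["status"])
    print("userPassword:", report["usable"])
    print("salt bytes:", report["salt_len"])
```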
