Migration issue with unsalted SHA512 passwords

This topic contains 4 replies, has 2 voices, and was last updated by  Andy Cory 3 weeks ago.

    #25637
     Andy Cory 
    Participant

    I’m working on a project to migrate users from a CA SiteMinder backend into DS6 (which will be the user store supporting AM6). It’s early days, but I’ve got a very small sample data set from the SiteMinder guys containing the hashed passwords (and they have told me what the plaintext values are, which I won’t know when I get the live data) and am trying to import it into DS and bind afterwards. The issue is with the password hashes – they are either unsalted SHA1 or unsalted SHA512 depending on the age of the identity in SiteMinder. I’ve configured my dev DS instance to use PBKDF2 as the storage scheme, and support SHA as a deprecated scheme. That works as intended, importing my LDIF file with a value like userPassword: {SHA}+jCs+fTvr1iSMRbbTlQ98Qpf23M= results in the identity being created with an attribute value of {PBKDF2}10000:jaZ0lnQDxiyqmwcgz7l7t2T7kc512b6Vm8hH1w==, and I can bind as that user. I’m stuck with the SHA512 passwords, as that scheme doesn’t seem to be supported by DS, so I can’t configure it as a deprecated scheme. SSHA512 (i.e. salted) does, but that’s not what I have available. If I change the scheme referenced in the prefix in my import LDIF the import is fine, but the resulting PBKDF2 isn’t the same as that derived from the plaintext value when I bind. (No, I didn’t really expect it to be, but was willing to try anything!)

    Any ideas on how I could import unsalted SHA512 values to DS6? I really don’t want to have to force users to change their passwords if at all possible.

    -Andy

    #25638
     Andy Cory 
    Participant

    Oops, responding to myself because I forgot to tick the ‘Notify me of follow-up replies via email’ checkbox!

    #25641
     Ludo 
    Moderator

    It’s possible to write a custom password storage scheme that implements unsalted SHA512, and use it the same way as the SHA1 one. DS 6.5 has a sample password storage scheme plugin that can be used as the framework to build the custom one.
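The following is an added illustration, not code from this thread and not the DS sample plug-in (which is Java): it models, in Python, what a deprecated unsalted-digest storage scheme has to do for the migration described in the first post. A stored value of the form {SCHEME}base64(digest) is verified by re-hashing the bind password with the same unsalted digest and comparing in constant time; on a successful bind the entry is rewritten as PBKDF2, which is the upgrade-on-bind behaviour the first post observes for {SHA}. It also shows why simply relabelling the prefix cannot work: the verifier recomputes a different digest and the compare fails. The scheme names, the PBKDF2 storage layout (8-byte salt followed by a 20-byte SHA-1 derived key, iterations in the prefix) and all sample passwords are assumptions made for the example, not the exact byte layout DS uses.

```python
import base64
import hashlib
import hmac
import os

# Deprecated unsalted schemes accepted at bind time: prefix -> hashlib name.
# "SHA512" is the scheme DS lacks out of the box and the custom plug-in adds.
LEGACY_DIGESTS = {"SHA": "sha1", "SHA512": "sha512"}

# Assumed target layout for upgraded passwords (not DS's exact encoding):
# {PBKDF2}<iterations>:base64(salt || derived_key), PRF = HMAC-SHA1.
PBKDF2_ITERATIONS = 10000   # iteration count visible in the post's {PBKDF2} value
SALT_LEN = 8
DK_LEN = 20


def parse_stored(value):
    """Split '{SCHEME}payload' into ('SCHEME', 'payload'); scheme is case-insensitive."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("stored password has no {SCHEME} prefix")
    end = value.index("}")
    return value[1:end].upper(), value[end + 1:]


def encode_unsalted(scheme, plaintext):
    """Produce a legacy value as the SiteMinder export would hold it (constructed)."""
    digest = hashlib.new(LEGACY_DIGESTS[scheme], plaintext.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def encode_pbkdf2(plaintext, salt=None, iterations=PBKDF2_ITERATIONS):
    """Encode a password in the assumed PBKDF2 layout with a fresh random salt."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha1", plaintext.encode("utf-8"), salt, iterations, DK_LEN)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(salt + dk).decode("ascii"))


def verify_legacy(stored, candidate):
    """Unsalted scheme check: re-hash the candidate and compare in constant time.
    A digest stored under the wrong prefix yields a different length/value and fails."""
    scheme, b64 = parse_stored(stored)
    expected = base64.b64decode(b64)
    actual = hashlib.new(LEGACY_DIGESTS[scheme], candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def verify_pbkdf2(stored, candidate):
    """PBKDF2 check using the iteration count and salt carried in the stored value."""
    _, body = parse_stored(stored)
    iterations, b64 = body.split(":", 1)
    raw = base64.b64decode(b64)
    salt, dk = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha1", candidate.encode("utf-8"), salt, int(iterations), len(dk))
    return hmac.compare_digest(dk, actual)


def bind(store, uid, candidate):
    """Simulate a simple bind against an in-memory user store (dict of uid -> userPassword).
    Deprecated schemes are verified and, on success, rewritten as PBKDF2 so the
    unsalted digest disappears the first time the user authenticates."""
    stored = store[uid]
    scheme, _ = parse_stored(stored)
    if scheme == "PBKDF2":
        return verify_pbkdf2(stored, candidate)
    if scheme not in LEGACY_DIGESTS:
        return False                      # unknown scheme: refuse rather than guess
    if not verify_legacy(stored, candidate):
        return False
    store[uid] = encode_pbkdf2(candidate)  # upgrade on successful bind
    return True


if __name__ == "__main__":
    # Constructed sample store: one SHA-512 identity, one older SHA-1 identity.
    users = {
        "alice": encode_unsalted("SHA512", "correct horse"),
        "bob": encode_unsalted("SHA", "battery staple"),
    }
    print("alice wrong password:", bind(users, "alice", "nope"), users["alice"][:8])
    print("alice right password:", bind(users, "alice", "correct horse"), users["alice"][:15])
    print("bob right password:  ", bind(users, "bob", "battery staple"), users["bob"][:15])
```

Run as a script it prints the scheme prefix before and after each bind, so the {SHA512} value is visible turning into {PBKDF2}10000:... only after a correct password. In the real plug-in the same three responsibilities (parse the prefix, recompute the unsalted digest, constant-time compare) live in the scheme class, and DS itself performs the rewrite once the scheme is listed as deprecated in the password policy.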

    #25642
     Andy Cory 
    Participant

    Hi Ludo

    Thanks for the quick response. I’ve not looked at writing my own password scheme implementation, but I’ll take a look at the 6.5 sample – that’s a really helpful suggestion.

    -Andy

    #25705
     Andy Cory 
    Participant

    Update: we’ve written an unsalted SHA-512 storage scheme implementation based on the sample plug-in. It works perfectly. Thanks for the suggested solution!

    -Andy
