Migration of Credentials from third party to OpenDJ

This topic has 4 replies, 3 voices, and was last updated 1 week, 6 days ago by nhazari_vz.

#27738
     nhazari_vz
    Participant

    Our existing credential store encodes passwords using the hashing algorithm SCRYPT. Does OpenDJ / OpenAM support any native mechanism of migrating (in bulk) credentials/passwords that are encoding using SCRYPT?

    More generally, looking for guidance and best practices around migration of credentials from existing third-party credential store to OpenDJ 6.5.x.

    #27739
     JnRouvignac
    Participant

    Generally speaking, importing data (as LDIF) with pre-encoded passwords is supported. The passwords will be understood by the server as long as there is a corresponding password storage scheme implemented in DS.

    That being said, we do have support for bcrypt today but not scrypt.
    To support scrypt, you would need to implement a scrypt password storage scheme, drop the jar in DS and enable it in your
    You would have to write a custom password storage scheme for scrypt. You can use the example-pwdscheme.zip as a base (embedded in DS-6.5.0.zip). Here is a more general documentation about server plugins:
    https://backstage.forgerock.com/docs/ds/6.5/dev-guide/#try-example-plugin

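To make the "import LDIF with pre-encoded passwords" route concrete, here is an added example that is not code from the thread or from ForgeRock. It generates the LDIF a migration job would feed to import-ldif, with every userPassword already carrying a {SCRYPT} tag, and it shows the matching verify step that the custom storage scheme would have to reproduce on bind. The value layout `{SCRYPT}n_log2$r$p$b64(salt)$b64(digest)`, the tag name and the parameters are assumptions chosen for the example; plain RFC 7914 scrypt from hashlib is used, so the Firebase-specific signerKey, saltSeparator and AES step discussed later in the thread are not implemented. The user records are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: the custom DS storage scheme registers under this tag. The tag in the
# LDIF must match the scheme name the plugin returns, or DS cannot handle the value.
SCHEME_TAG = "{SCRYPT}"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scrypt_digest(password: str, salt: bytes, n_log2: int, r: int, p: int) -> bytes:
    """Plain RFC 7914 scrypt; memoryCost is the log2 of N, rounds is r, as in the
    thread's parameter names. Not the Firebase variant (no signer key, no AES)."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=1 << n_log2, r=r, p=p,
        dklen=32, maxmem=1 << 26,  # 64 MiB cap; 2^14 * 8 * 128 bytes is about 16 MiB
    )


def format_userpassword(n_log2: int, r: int, p: int, salt: bytes, digest: bytes) -> str:
    """Hypothetical on-disk layout: {SCRYPT}n_log2$r$p$b64(salt)$b64(digest).
    A legacy export that already holds salt and digest is encoded with this directly."""
    return f"{SCHEME_TAG}{n_log2}${r}${p}${_b64(salt)}${_b64(digest)}"


def encode_userpassword(password: str, salt: Optional[bytes] = None,
                        n_log2: int = 14, r: int = 8, p: int = 1) -> str:
    """Hash a cleartext password into the layout above (used here to build sample data)."""
    salt = os.urandom(16) if salt is None else salt
    return format_userpassword(n_log2, r, p, salt, scrypt_digest(password, salt, n_log2, r, p))


def parse_userpassword(value: str) -> Tuple[int, int, int, bytes, bytes]:
    """Split a stored value into (n_log2, r, p, salt, digest); reject other schemes."""
    if not value.startswith(SCHEME_TAG):
        raise ValueError("not a %s value" % SCHEME_TAG)
    fields = value[len(SCHEME_TAG):].split("$")
    if len(fields) != 5:
        raise ValueError("malformed scrypt value")
    n_log2, r, p = (int(x) for x in fields[:3])
    return n_log2, r, p, base64.b64decode(fields[3]), base64.b64decode(fields[4])


def verify_userpassword(stored: str, candidate: str) -> bool:
    """What the custom scheme's password-matches check must do on bind: recompute
    with the stored parameters and salt, then compare in constant time."""
    n_log2, r, p, salt, digest = parse_userpassword(stored)
    return hmac.compare_digest(scrypt_digest(candidate, salt, n_log2, r, p), digest)


def ldif_entry(uid: str, cn: str, sn: str, encoded_password: str,
               base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """One inetOrgPerson entry whose userPassword is already encoded; DS will not
    re-hash a value that starts with a known scheme tag."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"userPassword: {encoded_password}",
    ]) + "\n"


# Constructed sample users (uid, cn, sn, cleartext). A real export would carry the
# legacy salt and digest rather than cleartext; they are hashed here so the example
# runs stand-alone.
CONSTRUCTED_USERS = [
    ("alice", "Alice Example", "Example", "correct horse battery staple"),
    ("bob", "Bob Example", "Example", "hunter2"),
]


def export_ldif(users=CONSTRUCTED_USERS) -> str:
    """The LDIF a bulk migration would hand to import-ldif."""
    return "\n".join(ldif_entry(uid, cn, sn, encode_userpassword(pw))
                     for uid, cn, sn, pw in users)


if __name__ == "__main__":
    print(export_ldif())
```

As the reply above says, DS only accepts these values once a scheme registered under the same {SCRYPT} tag is enabled, so the plugin's parse and verify logic has to match the generator byte for byte (field order, base64 of salt and digest, N as 2^memoryCost). Once the import has succeeded, DS password policies can list the scrypt scheme as a deprecated password storage scheme, which re-encodes each password with the default scheme on the user's next successful bind, so the custom scheme only has to stay around until the population has rotated.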
    #27745
     nhazari_vz
    Participant

    Thank you, this helps.

    #27748
     Andy Cory
    Participant

    We recently had a very similar requirement with regard to passwords from another directory being imported pre-encoded into DS – v6.0 in our case. In our case there were two legacy schemes in the export from the other directory, one of which was unsalted SHA512. This is also not supported by DS out of the box, but we followed exactly the process described by Jean-Noel with a successful outcome.

    -Andy

    #27749
     nhazari_vz
    Participant

    Our challenge presently is not so much importing a structured hashing algorithm / password scheme into DS, rather writing a brand new hashing algo (i.e. a modified version of SCRYPT). There is close to zero relevant documentation on this outside of ForgeRock Backstage.

    A SCRYPT hashing algo would be defined like this (example only):
    scrypt: {hashAlgorithm=SCRYPT, rounds=8, signerKey=a2V5MTI0NQ==, memoryCost=14, saltSeparator=c2VwYXJhdG9yMTI0NQ==}

    There are numerous (many dated) implementations that can be found, but none that relatively easily translates in the way ForgeRock expects in the example-pwdscheme.

    I was curious to know if anyone in the community has successfully imported this specific version of SCRYPT (the one used by Google’s Firebase).

    Thanks.
    Nasim

©2020 ForgeRock