Migration of Credentials from third party to OpenDJ

This topic has 4 replies, 3 voices, and was last updated 1 year ago by nhazari_vz.


    Our existing credential store encodes passwords using the hashing algorithm SCRYPT. Does OpenDJ / OpenAM support any native mechanism of migrating (in bulk) credentials/passwords that are encoding using SCRYPT?

    More generally, looking for guidance and best practices around migration of credentials from existing third-party credential store to OpenDJ 6.5.x.


    Generally speaking, importing data (as LDIF) with pre-encoded passwords is supported. The passwords will be understood by the server as long as there is a corresponding password storage scheme implemented in DS.

    That being said, we do have support for bcrypt today but not scrypt.
    To support scrypt, you would need to implement a scrypt password storage scheme, drop the jar in DS and enable it in your
    You would have to write a custom password storage scheme for scrypt. You can use the example-pwdscheme.zip as a base (embedded in DS-6.5.0.zip). Here is a more general documentation about server plugins:

    • This reply was modified 1 year, 1 month ago by JnRouvignac.
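As an added illustration of the two operations a custom password storage scheme has to provide (encoding a clear-text password, and matching a candidate against a stored value), here is a stand-alone Python sketch. It is not code from the thread, from OpenDJ/DS or from the example-pwdscheme.zip plugin (which is Java and uses the DS plugin API); the `{SCRYPT}N$r$p$salt$digest` storage format, the mapping of the thread's rounds=8 / memoryCost=14 onto scrypt r=8 and N=2**14, p=1, a 32-byte derived key and the sample DNs are all assumptions made for this example. It uses the standard library's `hashlib.scrypt`.

```python
import base64
import hashlib
import hmac
import os

# Constructed storage format for this illustration (not the DS on-disk format):
#   {SCRYPT}<N>$<r>$<p>$<base64 salt>$<base64 derived key>
# Parameter choice is an assumption: the thread's rounds=8 / memoryCost=14 are
# taken to mean scrypt r=8 and N=2**14; p=1 and a 32-byte key are added here.
SCHEME_PREFIX = "{SCRYPT}"
DEFAULT_N = 2 ** 14
DEFAULT_R = 8
DEFAULT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    # hashlib.scrypt is the standard-library binding (needs OpenSSL >= 1.1).
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)


def encode_password(password: str, salt: bytes = None, n: int = DEFAULT_N,
                    r: int = DEFAULT_R, p: int = DEFAULT_P) -> str:
    """Encode a clear-text password, as a scheme's encode operation would."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = _derive(password.encode("utf-8"), salt, n, r, p)
    return f"{SCHEME_PREFIX}{n}${r}${p}${_b64(salt)}${_b64(digest)}"


def parse_encoded(encoded: str):
    """Split a stored value into (n, r, p, salt, digest); ValueError if malformed."""
    if not encoded.startswith(SCHEME_PREFIX):
        raise ValueError("not a {SCRYPT} value")
    parts = encoded[len(SCHEME_PREFIX):].split("$")
    if len(parts) != 5:
        raise ValueError("expected N$r$p$salt$digest")
    n, r, p = (int(x) for x in parts[:3])
    # scrypt requires N to be a power of two greater than 1
    if n < 2 or n & (n - 1) or r < 1 or p < 1:
        raise ValueError("bad scrypt parameters")
    salt = base64.b64decode(parts[3], validate=True)
    digest = base64.b64decode(parts[4], validate=True)
    if len(digest) != KEY_LEN:
        raise ValueError("unexpected digest length")
    return n, r, p, salt, digest


def password_matches(candidate: str, encoded: str) -> bool:
    """The match operation: re-derive with the stored parameters, compare in constant time."""
    try:
        n, r, p, salt, digest = parse_encoded(encoded)
    except ValueError:
        return False  # foreign scheme or malformed value never matches
    return hmac.compare_digest(_derive(candidate.encode("utf-8"), salt, n, r, p), digest)


def validate_for_import(entries):
    """Pre-flight for a bulk import: (dn, reason) for every pre-encoded value the scheme would reject."""
    problems = []
    for dn, value in entries:
        try:
            parse_encoded(value)
        except ValueError as exc:
            problems.append((dn, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample entries standing in for an LDIF export.
    good = encode_password("correct horse battery")
    sample = [
        ("uid=alice,ou=people,dc=example,dc=com", good),
        ("uid=bob,ou=people,dc=example,dc=com", "{SCRYPT}1000$8$1$AAAA$AAAA"),
    ]
    print("match:", password_matches("correct horse battery", good))
    print("rejected before import:", validate_for_import(sample))
```

The pre-flight check is the practical point: run it over the export before `import-ldif`, so that values whose parameters or encoding the scheme cannot parse are caught as a list of DNs rather than as login failures after the migration.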

    Thank you, this helps.

     Andy Cory

    We recently had a very similar requirement with regard to passwords from another directory being imported pre-encoded into DS – v6.0 in our case. In our case there were two legacy schemes in the export from the other directory, one of which was unsalted SHA512. This is also not supported by DS out of the box, but we followed exactly the process described by Jean-Noel with a successful outcome.



    Our challenge presently is not so much importing a structured hashing algorithm / password scheme into DS, rather writing a brand new hashing algo (i.e. a modified version of SCRYPT). There is close to zero relevant documentation on this outside of ForgeRock Backstage.

    A SCRYPT hashing algo would be defined like this:
    Example only:
    scrypt: {hashAlgorithm=SCRYPT, rounds=8, signerKey=a2V5MTI0NQ==, memoryCost=14, saltSeparator=c2VwYXJhdG9yMTI0NQ==}

    There are numerous (many dated) implementations that can be found, but none that relatively easily translates in the way ForgeRock expects in the example-pwdscheme.

    I was curious to know if anyone in the community has successfully imported specifically this version of SCRYPT (such as the one used by Google’s Firebase).



©2021 ForgeRock
