Migration of Credentials from third party to OpenDJ

Home Forums ForgeRock Products Directory Services Migration of Credentials from third party to OpenDJ

Learn more about our upcoming Identity Summits

Tagged: ,

This topic has 4 replies, 3 voices, and was last updated 7 months ago by nhazari_vz.

  • Author
    Posts
  • March 12, 2020 at 5:58 pm #27738
     nhazari_vz
    Participant

    Our existing credential store encodes passwords using the hashing algorithm SCRYPT. Does OpenDJ / OpenAM support any native mechanism of migrating (in bulk) credentials/passwords that are encoding using SCRYPT?

    More generally, looking for guidance and best practices around migration of credentials from existing third-party credential store to OpenDJ 6.5.x.

    March 13, 2020 at 9:15 am #27739
     JnRouvignac
    Participant

    Generally speaking, importing data (as LDIF) with pre-encoded passwords is supported. The passwords will be understood by the server as long as there is a corresponding password storage scheme implemented in DS.

    That being said, we do have support for bcrypt today but not scrypt.
    To support scrypt, you would need to implement an scrypt password storage scheme, drop the jar in DS and enable it in your
    You would have to write a custom password storage scheme for scrypt. You can use the example-pwdscheme.zip as a base (embedded in DS-6.5.0.zip). Here is a more general documentation about server plugins:
    https://backstage.forgerock.com/docs/ds/6.5/dev-guide/#try-example-plugin

    • This reply was modified 7 months, 1 week ago by JnRouvignac.
    March 17, 2020 at 5:11 pm #27745
     nhazari_vz
    Participant

    Thank you, this helps.

    March 19, 2020 at 4:18 pm #27748
     Andy Cory
    Participant

    We recently had a very similar requirement with regard to passwords from another directory being imported pre-encoded into DS – v6.0 in our case. In our case there were two legacy schemes in the export from the other directory, one of which was unsalted SHA512. This is also not supported by DS out of the box, but we followed exactly the process described by Jean-Noel with a successful outcome.

    -Andy

    March 20, 2020 at 8:02 am #27749
     nhazari_vz
    Participant

    Our challenge presently is not so much importing a structured hashing algorithm / password scheme into DS, rather writing a brand new hashing algo (i.e. a modified version of SCRYPT). There is close to zero relevant documentation on this outside of ForgeRock Backstage.

    A SCRYPT hashing algo would be defined like this..
    Example only:
    scrypt: {hashAlgorithm=SCRYPT, rounds=8, signerKey=a2V5MTI0NQ==, memoryCost=14, saltSeparator=c2VwYXJhdG9yMTI0NQ==}

    There are numerous (many dated) implementations that can be found, but none that relatively easily translates in the way ForgeRock expects in the example-pwdscheme.

    I was curious to know if anyone in the community has successfully imported specifically version of SCRYPT (as the one used by Google’s Firebase.)

    Thanks.
    Nasim

  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?