Tagged: Credential migration, SCRYPT
This topic has 4 replies, 3 voices, and was last updated 1 year ago by nhazari_vz.
March 12, 2020 at 5:58 pm #27738
nhazari_vz
Participant
Our existing credential store encodes passwords using the hashing algorithm SCRYPT. Does OpenDJ / OpenAM support any native mechanism for migrating (in bulk) credentials/passwords that are encoded using SCRYPT?
More generally, looking for guidance and best practices around migration of credentials from existing third-party credential store to OpenDJ 6.5.x.
March 13, 2020 at 9:15 am #27739
JnRouvignac
Participant
Generally speaking, importing data (as LDIF) with pre-encoded passwords is supported. The passwords will be understood by the server as long as there is a corresponding password storage scheme implemented in DS.
That being said, we do have support for bcrypt today but not scrypt.
To support scrypt, you would need to implement a scrypt password storage scheme, drop the jar in DS and enable it in your
You would have to write a custom password storage scheme for scrypt. You can use the example-pwdscheme.zip as a base (embedded in DS-6.5.0.zip). Here is more general documentation about server plugins:
https://backstage.forgerock.com/docs/ds/6.5/dev-guide/#try-example-plugin-
March 17, 2020 at 5:11 pm #27745
nhazari_vz
Participant
Thank you, this helps.
March 19, 2020 at 4:18 pm #27748
Andy Cory
Participant
We recently had a very similar requirement with regard to passwords from another directory being imported pre-encoded into DS – v6.0 in our case. In our case there were two legacy schemes in the export from the other directory, one of which was unsalted SHA512. This is also not supported by DS out of the box, but we followed exactly the process described by Jean-Noel with a successful outcome.
-Andy
March 20, 2020 at 8:02 am #27749
nhazari_vz
Participant
Our challenge presently is not so much importing a structured hashing algorithm / password scheme into DS, rather writing a brand new hashing algo (i.e. a modified version of SCRYPT). There is close to zero relevant documentation on this outside of ForgeRock Backstage.
A SCRYPT hashing algo would be defined like this:
Example only:
scrypt: {hashAlgorithm=SCRYPT, rounds=8, signerKey=a2V5MTI0NQ==, memoryCost=14, saltSeparator=c2VwYXJhdG9yMTI0NQ==}
There are numerous (many dated) implementations that can be found, but none that relatively easily translates in the way ForgeRock expects in the example-pwdscheme.
I was curious to know if anyone in the community has successfully imported this specific version of SCRYPT (the one used by Google’s Firebase).
Thanks.
Nasim