This topic has 5 replies, 3 voices, and was last updated 4 years ago by Ludo.



    Is there a way to configure the salt and hash size (number of bytes) for the PBKDF2 password scheme? E.g. 16-byte salt and 32-byte hash. Or is there a custom plugin available which addresses this?


     Chris Ridd

    Hi, unfortunately no – PBKDF2 will always create new values with a fixed-size salt and hash (8 and 20).

    However it looks like it is able to compare passwords with values that have longer salts, if that helps.

    The PKCS5S2 scheme uses a longer salt and hash (16 and 32) but does not have configurable iterations. Maybe that’s another option for you.


    Hi Chris,

    Customer is using 16-byte salt, 32-byte hash and 1000 iterations. So with option 1 I am hit with the salt and hash size. I thought about option 2 as well, but there I cannot configure the iterations.
    Is the source code for the PBKDF2 storage scheme available so we can write a custom scheme?


    Which version of OpenDJ/Directory Services are you using?
    The storage schemes depend on the server’s APIs and thus are specific to a version.
    Note that the PBKDF2 storage scheme has a number of parameters that are implicit (such as hash length) and algorithm used (HMAC-SHA1). If you’re writing a custom storage scheme with different implicit parameters, you should create a new scheme (i.e. have a different {PREFIX}), so that there is no confusion about the value of stored passwords.


    We are using DS 6.


    DS 6 ships with a sample Password Storage Scheme that gives a template to build custom ones.
    The PBKDF2 schema hasn’t changed much since we introduced it, except for the server APIs it uses.
    You can find the source code for an older version in the Community Edition source code.
    I hope this helps.
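
The parameters discussed in this thread (16-byte salt, 32-byte hash, 1000 iterations, HMAC-SHA1) under a separate prefix, as an added stand-alone example using only the JDK; it is not ForgeRock code and does not use the DS storage-scheme API. The prefix `{PBKDF2-S16-H32}`, the class name and the `iterations:base64(hash || salt)` layout are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CustomPbkdf2Demo {
    // Hypothetical prefix, distinct from {PBKDF2}, so the implicit parameters of a stored value are unambiguous.
    static final String PREFIX = "{PBKDF2-S16-H32}";
    static final int SALT_LEN = 16, HASH_LEN = 32, ITERATIONS = 1000; // values from the thread

    static byte[] derive(char[] pw, byte[] salt, int iterations) throws GeneralSecurityException {
        // Key length is given in bits. HMAC-SHA1 yields 20 bytes per block, so 32 bytes costs two blocks.
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, HASH_LEN * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }

    // Assumed layout for this demo: PREFIX + iterations + ":" + base64(hash || salt)
    static String encode(char[] pw) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] both = Arrays.copyOf(derive(pw, salt, ITERATIONS), HASH_LEN + SALT_LEN);
        System.arraycopy(salt, 0, both, HASH_LEN, SALT_LEN);
        return PREFIX + ITERATIONS + ":" + Base64.getEncoder().encodeToString(both);
    }

    static boolean matches(char[] pw, String stored) throws GeneralSecurityException {
        if (!stored.startsWith(PREFIX)) return false; // values of other schemes are not parsed here
        String[] parts = stored.substring(PREFIX.length()).split(":", 2);
        if (parts.length != 2) return false;
        try {
            int iterations = Integer.parseInt(parts[0]);
            byte[] both = Base64.getDecoder().decode(parts[1]);
            if (iterations < 1 || both.length <= HASH_LEN) return false; // malformed value
            byte[] hash = Arrays.copyOfRange(both, 0, HASH_LEN);
            byte[] salt = Arrays.copyOfRange(both, HASH_LEN, both.length); // remainder is the salt
            return MessageDigest.isEqual(hash, derive(pw, salt, iterations)); // constant-time compare
        } catch (IllegalArgumentException e) { // bad iteration count or bad base64
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = encode("correct horse".toCharArray()); // constructed sample password
        System.out.println(stored);
        System.out.println(matches("correct horse".toCharArray(), stored) + " " + matches("wrong".toCharArray(), stored));
    }
}
```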


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
