Password Storage Schemes

I need to migrate an LDAP store from a legacy application into SunDS 5.2 or later. The passwords are stored as MD5 hashes; however, SunDS 5.2 doesn't support it anymore. Most DS don't support MD5 nowadays. What could be a migration strategy without changing the passwords for all the users? How do I do a one-time import with passwords in MD5 format without changing them for the users?
Thanks
Sameer

AFAIK, migration of such hashed passwords is not possible.
If you are inclined, you could write a post-bind plugin for DS 5.2 and configure pass-through authentication to your legacy app. Once the login is successful, the plugin can write to the userpassword attribute, which gets stored in the user's entry.

Similar Messages

  • HELP! with password storage scheme/deobfuscation

    Our company provides an LDAP lookup on company employees, which is great. However, it is up to me to come up with a reversible algorithm that allows the password to be stored without being in clear text (obfuscation).
    The code supplied thus far is:
    package phonebook;

    /**
     * The Setup class is used to configure SSL parameters for connecting
     * to the directory.  It also provides a static main method for obtaining
     * the encrypted or obfuscated String version of a supplied password.
     * To obtain the obfuscated form of a password, run
     * java phonebook.setup obfuscate <some password>
     * The obfuscated passwords received can be placed in the
     * web.xml file as servlet parameters in order to avoid specifying
     * keystore and truststore passwords in clear text.
     */
    class setup {
        setup() {}

        public static void main(String args[]) throws Exception {
            // Check the length first: args[0] on an empty array throws.
            if (args.length > 0 && args[0].equalsIgnoreCase("obfuscate")) {
                System.out.println("Obfuscation code needs to be implemented.");
            }
        }

        public static String deobfuscate(String s) {
            String output = s;
            // Implement deobfuscation function here to manipulate the output.
            return output;
        }
    }

    I'm not really concerned how the algorithm works (i.e. how it changes the password; for example turning letters into numbers, lowercase to upper case, etc). I basically just need to throw in a function that will obfuscate my password. Any help/examples are greatly appreciated!

    I still haven't been able to make any progress with this, and am now attempting to add lots of debug statements to my code so that I can see where the algorithm is failing.
    The problem with this is that printf doesn't work due to the fact that the code isn't executed from the console, and I cannot get the output to log functions to work. These are the logging functions I have tried:
    slapi_log_info_ex(SLAPI_LOG_INFO_AREA_ALL, SLAPI_LOG_INFO_LEVEL_DEFAULT, SLAPI_LOG_NO_MSGID, SLAPI_LOG_NO_CONNID, SLAPI_LOG_NO_OPID, "MD5 PLUGIN", "In MD5Update, partLen is %i\n", partLen);
    slapi_log_warning_ex(-1, SLAPI_LOG_NO_MSGID, SLAPI_LOG_NO_CONNID, SLAPI_LOG_NO_OPID, "MD5 PLUGIN", "MD5 PLUGIN", "In MD5Update, partLen is %i\n", partLen);
    (where partLen is a valid integer).
    No errors are thrown either in compilation or execution, though these statements are not adding anything into the logs. I've ensured that all possible logging options are enabled by using the Sun One console.
    Does anyone know why these functions are not working, or of a way that I could send output elsewhere? My next thought is to try creating a text file and outputting to that.

  • Pwd-storage-scheme change (from CRYPT to SHA)

    Greetings;
    My pwd-storage-scheme (global-policy) is currently set to CRYPT, I am now required to change this to SHA.
    Most of my clients are Solaris, with a few RHEL (different flavors).
    What is the best way to make the above change?
    What effects, if any, will this have on my UNIX clients?
    Also, my pwd-compat-mode is set to "DS6-migration-mode", and I need to change this to "DS6-mode", would this cause any issues for me?
    I only have DS6 servers in my environment, no DS5 at all, and no other DS servers, although at some point I may wish to sync with AD.
    Thanks all,

    Hi,
    (Unix) Crypt is a one-way function, so plain text password is required to generate the SHA hash.
    You can change the password storage scheme to SHA, but passwords will be stored with SHA when users update their passwords. To speed up the process, you can configure password expiration or force users to change their passwords. Note that users with passwords stored in crypt format will still be able to authenticate even if password storage scheme is set to SHA. Said differently, different password storage schemes can cohabit across existing entries. Over time, every password will be stored with the configured password storage scheme as users update passwords.
    DS6 password policy mode introduces new operational attributes in user entries. These new attributes are generated when passwords are changed, so to have a fully featured password policy based on DS6-mode, you should 1/ move to migration mode 2/ have users update their passwords 3/ switch to DS6 mode. This admin action relates somehow to the switch CRYPT/SHA that already requires password changes.
    Note that there is a tool provided with ODSEE11gr2 that generates the appropriate operational password policy attr w/o requiring users to change their password. This might be an alternate solution if you have the right to use that version.
    HTH
    -Sylvain
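
The two answers above describe the same pattern: entries keep whatever scheme they were imported with, and each value is rewritten in the configured scheme once the clear-text password is seen at a successful login. An added Python sketch of that pattern follows; it is not code from either poster or from the directory server. The `bind` function, the entry dictionary, `TARGET_SCHEME` and the sample value are assumptions, and the local `{MD5}` comparison stands in for the pass-through check against the legacy application.

```python
import base64
import hashlib
import hmac
import os

# Digest function and digest length for each userPassword scheme handled here.
SCHEMES = {
    "MD5": (hashlib.md5, 16),
    "SHA": (hashlib.sha1, 20),
    "SSHA": (hashlib.sha1, 20),  # base64(sha1(password + salt) + salt)
}
TARGET_SCHEME = "SSHA"  # assumption: the scheme the new server is set to store


def parse(stored):
    """Split '{SCHEME}base64' into (scheme, raw bytes); None if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, payload = stored[1:].split("}", 1)
    try:
        return scheme.upper(), base64.b64decode(payload, validate=True)
    except ValueError:  # bad base64 alphabet or padding
        return None


def verify(password, stored):
    """Check a clear-text password against a scheme-prefixed stored value."""
    parsed = parse(stored)
    if parsed is None or parsed[0] not in SCHEMES:
        return False
    scheme, raw = parsed
    hash_fn, size = SCHEMES[scheme]
    digest, salt = raw[:size], raw[size:]
    # Only SSHA may carry trailing salt bytes after the digest.
    if len(digest) != size or (salt and scheme != "SSHA"):
        return False
    candidate = hash_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_ssha(password, salt=None):
    """Build a salted {SSHA} value; a random 8-byte salt unless one is given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def bind(entry, password):
    """Return (authenticated, migrated); rewrite the entry on first good login."""
    stored = entry["userPassword"]
    if not verify(password, stored):
        return False, False  # failed binds never touch the stored value
    if parse(stored)[0] == TARGET_SCHEME:
        return True, False  # already stored in the configured scheme
    entry["userPassword"] = make_ssha(password)
    return True, True


# Constructed sample entry: legacy {MD5} value for the password "password".
SAMPLE_ENTRY = {"uid": "jdoe", "userPassword": "{MD5}X03MO1qnZdYdgyfeuILPmQ=="}

if __name__ == "__main__":
    for attempt in ("wrong", "password", "password"):
        print(attempt, bind(SAMPLE_ENTRY, attempt), SAMPLE_ENTRY["userPassword"][:6])
```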

  • How to protect Developer know Password of Schema in Production system?

    Hi, I'm a newbie in database security.
    My new job has a client/server environment with Oracle10gR2 working with a Delphi application.
    I found that the developers hard-coded the schema user/password in the program code to connect to the DB.
    So now the password of the production schema is the same as that of the development schema,
    and developers can access the production environment.
    How do I solve this situation? I think there may be a best practice for this.
    I am thinking about keeping the password in another location and having the application fetch it to connect to the DB.
    However, this way a developer can write code to print out the password and see it.
    Or maybe the DBA must change the fixed password in the programmer's code before migrating to production (it's no good). To do that, the DBA can change the production and development passwords to be different.
    Now we protect against this with a trigger that prevents developers from connecting to the DB with tools (by the osuser, machine and program fields in v$session). I know this can leak by changing the osuser or changing the exec name of the tools.
    My previous job used Oracle DB with E-Business Suite. It did not have this problem because it has an interface to manage the connection between app and DB.
    Thank you for any advice.
    Best Regards,

  • Active Directory exports to OID (concerning password storage)

    I don't know if this is answered somewhere else but I am hoping to get an answer from people who have synchronized OID to Active Directory already.
    My question is do the AD passwords get stored in OID along with all the other user information during the sync? I know you must use an external plugin to authorize users against their passwords that come from AD.
    I am just curious about this since it will probably be an issue for me down the line. Thanks!

    Hi Seth
    It's your choice. If you are using the External Authentication feature in OID it is not necessary to store AD passwords in OID.
    Keep this in mind about password synchronization between OID and AD. Currently all attributes are capable of two-way synchronization between OID and AD except one. That is the user's password. It is possible to synchronize a password from OID to AD but not from AD to OID.
    This is primarily because Microsoft uses proprietary password hashing called "Unicode Password Hash" which as I said is proprietary to Microsoft. OID, like most other LDAP servers, supports open source password hashing such as MD5, MD4, SHA, SSHA and Crypt to name a few. Microsoft does not support any of these to my knowledge. So even if you could pass a user password from Active Directory to OID, OID does not support MS password hashing.
    We are however able to synchronize passwords from OID to AD over SSL. This is done with a feature called "Reversible Encrypted Password". By default this feature is turned off. When you enable this feature OID will store the user's password in two different attributes. One is the traditional "userpassword" attribute which uses the hashing schemes I mentioned earlier. The other is a password attribute that stores the user's password in an encrypted format that can be reversed to clear text. This clear text password can then be sent over SSL using a wallet to the AD server.
    In version 10.1.3 (mid 2005) of OID we plan to release a feature that will allow passwords from AD to be synched with OID. Until then passwords can only be synched from OID to AD.
    Jay

  • HTTP 404 error after changed tablespace and password of schema FLOWS_FILES

    Hi, I have a problem: I get an HTTP 404 Not Found error for file upload in my APEX app when submitting a page, when it goes to http://xxx.xxx.xxx:8080/apex/wwv_flow.accept, after I unlocked the account FLOWS_FILES, changed its password and changed its tablespace.
    Is there anyone who can help?
    Thanks in advance.

    Hi Scott,
    Yes, I have modified the bug tracker application to support file upload by using a file browser object and created a "file_upload" table under the workspace schema to keep the linkage with the table WWV_FLOW_FILE_OBJECTS$. The application worked fine before, but then I realized that the FLOWS_FILES schema can be unlocked and that the free space in the default tablespace SYSAUX had almost been used up (more than 99%), so I first unlocked the account FLOWS_FILES, then changed the password, moved the table WWV_FLOW_FILE_OBJECTS$ to tablespace FLOW_1, changed the default tablespace and then rebuilt the index. I have moved the table back to the SYSAUX tablespace now and have rebuilt the index also. However, if I upload a file and then press 'apply change' in the 'create issue log details' page, I get the error HTTP 404, but if I do not attach any file it goes through without an error. The only thing I changed is on the database side of the FLOWS_FILES schema, so I think the problem resides there, but I don't know why it still doesn't work even though I moved the table WWV_FLOW_FILE_OBJECTS$ back to SYSAUX and rebuilt the index.
    Is that a good enough explanation?
    btw, I am using IIS and how can I see the webserver error ?
    Regards,
    Edward

  • Password Storage / Keychain...

    I recently upgraded to a new hard drive and then upgraded to leopard.
    In the process I lost some of my stored network passwords. How do I retrieve these files from the old hard drive?
    Specifically, when I travel home, my family has a different network password (which was stored on my older drive but is no longer stored). Much help appreciated, thanks!

    Every time I start mail now I'm getting the password dialog at startup. If I enter the password and hit enter; it works. If I check the box to have it stored in my keychain, it fails.
    Here is the console output from that event:
    7/7/10 9:16:17 AM Mail[65181] Adding a Keychain item returned: -25299
    7/7/10 9:16:22 AM Mail[65181] Finding the password for [redacted] from the Keychain returned: -2147415734

  • The Norton password storage file is missing -- how do I get it on version 4?

    I have a "lockbox" from Norton, which has appeared on all prior versions of Firefox. It is the place that stores all my passwords and account logins. All I have to do is click on the icon, enter one password and the rest of my logins happen automatically whenever I visit a page. I cannot find it on the new FireFox 4. I'm going to go back to a prior version until this gets sorted out. It's not in the list of possible add-ons. I don't know enough to be able to figure out how to find it, let alone move it forward manually. Please help.

    Symantec have made an update for their add-ons to work in Firefox 4, but they need to correct a mistake they made with their add-ons to make it work in Firefox 4.0.1. They originally updated their add-ons after quite a delay to work with Firefox 4.0 as shown here - http://community.norton.com/t5/Norton-Internet-Security-Norton/Firefox-4-compatibility-hotfix-is-now-available/td-p/428894
    They made an error with the update in only listing it as compatible with Firefox 4.0, so they will not install on Firefox 4.0.1 and subsequent Firefox security updates. Symantec have indicated they will be releasing an update to correct their error soon. I don't know if this update has been released yet, for details see http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Toolbar-not-compatible-with-FF-4-0-1/td-p/442788/page/12

  • Good ssh manager with password storage?

    Given the fact that I have to daily log in and off several machines, I am looking for a handy ssh manager that allows me to store passwords. It is useless for me to save some work of looking up IPs if I then have to go and look up passwords.
    I have no option of using auth keys, so the most straight forward way is that of storing passwords in some way.
    Do you know of any app or good way to do this?
    Thanks!

    SSH agent can cache the keys, but not automatically (believe me, I tried). Once you cache them they stay stored for as long as you're logged in to the client though.
    [stijn@hermes ~]$ ssh-add -l
    2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/stijn/.ssh/id_rsa-amalthea (RSA)
    2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/stijn/.ssh/id_rsa-zeus (RSA)
    This is how I have the ssh-agent starting up with my session (I use Openbox):
    This goes in your ~/.bashrc:
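    SSHAGENT=/usr/bin/ssh-agent
    SSHAGENTARGS="-s"
    # Start an agent only if none is reachable and the binary is executable.
    if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
        eval `$SSHAGENT $SSHAGENTARGS`
        # Kill the agent when this shell exits.
        trap "kill $SSH_AGENT_PID" 0
    fi
    This goes in your ~/.logout file (necessary to kill the ssh-agent instance):
    # Stop the agent if one was started for this session.
    if [ -n "$SSH_AGENT_PID" ]; then
        eval `ssh-agent -k`
    fi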
    Last edited by B (2008-09-06 00:39:52)

  • Hashed (?) password storage

    Not sure if hashed is the right word to describe this question. Nonetheless, if not, please replace the word hash with whatever word you think is appropriate.
    So, still that registration form where a user needs to input some data, among other things a password. Now I don't want the password to be stored in plain text, how can you hash a password to appear as a long string of characters in your mysql db table (using php)?
    As a result of that, how do you handle the 'password retrieval' function for that matter?
    Have googled the question but everything I came across doesn't seem to do the trick.

    pearl_jan wrote:
     I don't want the password to be stored in plain text, how can you hash a password to appear as a long string of characters in your mysql db table (using php)? 
    As a result of that, how do you handle the 'password retrieval' function for that matter?
    The most common ways of doing this are to use md5() or sha1(). Simply pass the password as the argument to either function, and store the result in the database. Note that md5() always creates a 32-character string, and sha1() produces 40 characters, so your password column must be the same width.
    Encrypting passwords with one of these hash functions is a one-way process. You can't decrypt the value once it has been encrypted. When you log in a user, you pass the submitted value to the same function, and compare the result with the value stored in the database.
    Because it's a one-way process, you can't retrieve a "lost password". A new password needs to be created.

  • Passwords storage

    Where are my passwords stored in iOS 7?

    And the WPA keys for wifi connections; where can I find them?

  • Windows Bitlocker and automatic unlock password storage safety

    I've encrypted my external HDD with a Bitlocker and after rebooting computer I tried to open that drive and got this message:
    Say, if I pick to "Automatically unlock on this computer from now on", does this mean that Windows will store my password somewhere in the registry?
    PS. Or, are they smart enough to store only the hash -- preferably salted?

    I think Windows will save and encrypt password as well as other information of the drive.
    Niki Han
    TechNet Community Support

  • Password Storage

    Hi,
    Another question from me (another beginner mac user)....
    Is there anywhere you can store passwords on the computer safely? I don't want to put everything as being able to automatically recognise me - more just want somewhere safe to store passwords for various things in case I forget. I've read about keychain on the support pages but a) don't seem to see a 'utilities' folder in the 'applications' folder b) not sure it's what I'm looking for anyway... is there a freeware program or widget that people may recommend?
    Thanks in advance,
    Jenny

    I've read about keychain on the support pages but a) don't seem to see a 'Utilities' folder in the 'Applications' folder
    It has to be there. Try Command-Shift-U
    b) not sure it's what I'm looking for anyway.
    It is designed exactly for storing passwords.

  • XI database adapter password storage

    When we enter a database password in a communication channel where is the password stored behind the scenes and is it encrypted?

    Hi Dave Herrick,
    This PDF file will help you
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c4154b46-0a01-0010-fbb4-dae617b225b6
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/37bef2c0-0d01-0010-58ac-d1286bb09b6e
    Regards
    Agasthuri Doss

  • New gateway password storage

    Does anyone know how to store the password to the gateway wifi to my computer? It keeps dropping me and I have to type it in every time.

    Can you please tell me the format and the size of the image?
