ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Passwords in DS

Last updated Jan 12, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding passwords in DS.

4 readers recommend this article

Frequently asked questions

Q. Can I change the password policy that applies to a user?

A. Yes, as a DS administrator, you can change the password policy that applies to a user.

See Assign Password Policies for further information.

Q. How do I reset the directory superuser's password?

A. You can reset the password for the directory superuser (uid=admin in DS 7 and later; cn=Directory Manager in DS 6.x) as described in the relevant documentation:

The superuser is stored in the rootUser.ldif file (located in the /path/to/ds/db/rootUser directory).

Q. Does DS have a maximum password length?

A. The password length in DS is determined by the password scheme being used. For example, the UNIX® crypt scheme only uses the first 8 characters for compatibility, whereas the SHA512 scheme (like most schemes) is not limited.

Q. What is the default password storage scheme used in DS?

A. The default password storage scheme depends on which version of DS you are using:

  • DS 7 and later: the password storage scheme for the Default Password Policy and Root Password Policy is PBKDF2-HMAC-SHA256 with 10 iterations. See Default Security Settings for further information.
  • DS 6.x: the default password storage scheme is as follows:
    • Normal users - Salted SHA-512.
    • root DN users - PBKDF2.

See Password Storage, How does DS (All versions) store password values? and Password Storage Scheme for more information on password hashing in DS including all the supported storage schemes.

Q. Can I import an LDIF file that contains pre-encoded passwords?

A. Yes, you can by setting the advanced password policy property: allow-pre-encoded-passwords. You can set this using dsconfig, for example:

  • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
  • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  • DS 6.x: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --advanced --set allow-pre-encoded-passwords:true --trustAll --no-prompt

The pre-encoded passwords in the LDIF file must be in the correct format required by your password storage scheme. See How does DS (All versions) store password values? for further information.

If you try to import an LDIF file with pre-encoded passwords without setting this property to true, you will see the following error:

Pre-encoded passwords are not allowed for the password attribute userPassword

Q. Does DS support using multiple attributes for a password, for example, to allow different hashing algorithms?

A. No, DS only uses one attribute for a password, but you can configure which attribute is used, for example, userPassword. Additionally, you can have multiple values for this attribute, with each value having a different hashing algorithm as described in How do I add multiple values for the same password attribute using different hashing algorithms in DS (All versions)?

See Configure Password Policies for further information.

Q. When an account is locked, when are the lockout attributes (pwdAccountLockedTime and pwdFailureTime) reset?

A. These lockout attributes remain set until the user attempts to log in. If the user tries to log in within the lockout duration, they are denied access, but if they log in after the lockout duration has passed, their account is unlocked and the lockout attributes are reset.

What happens to a user’s ds-pwp-password-expiration-time attribute when the max-password-age property is updated?

A. The max-password-age property is a password policy property not a user entry attribute or property. A user entry has a ds-pwp-password-expiration-time attribute instead, which is linked to the max-password-age property.

When an admin updates the max-password-age property in a password policy, the ds-pwp-password-expiration-time attribute is automatically updated for any users who have been assigned that password policy. It is updated based on the new max-password-age in the password policy and the user's own pwdChangedTime attribute, that is:

max-password-age (password policy) + pwdChangedTime (user) = ds-pwp-password-expiration-time (user)

However, the calculation can be further complicated depending on the configuration and status of the expiration warning. For example, if the user has 10 days left and you have a 5 day warn time - then you change the maximum age from 40 to 30 days. In theory you would think you have 0 days left, but what would actually happen is the user would get their warning and then have a further 5 days until expiration.

Q. Can I define subentry based password validators or generators?

A. Yes, as of DS 7, DS servers support LDAP subentry password policies that match all features available in per-server password policies. See DS Subentry Password Policies for further information.

Resolved RFE: OPENDJ-286 (Finish implementation of password policy sub-entry support).

Q. Does DS support the two Behera password policy attributes to delay response for failed authentication: pwdMinDelay and pwdMaxDelay?

A. No. These attributes are introduced in version 10 of the Internet-Draft Password Policy for LDAP Directories and DS supports version 09.

Q. Where does DS define truststore files and passwords?

A. Truststores are used for public, signed certificates but there are also keystores, which are used for private keys.

By default, truststore and/or keystore files and passwords are stored in different stores depending on their purpose:

  • admin-truststore and admin-keystore for administration purposes.
  • truststore and keystore for everything else.
  • ads-truststore for replication purposes (DS 6.x only).

These files are located in /path/to/ds/config; ads-truststore is located in /path/to/ds/db/ads-truststore for new installs.

See Cryptographic Keys for further information.

Q. Can I decrypt a currently stored password?

A. No. Non-clear text passwords in DS are encrypted or hashed and cannot be reverse-engineered through any DS related process or by ForgeRock. For example a password hashed using the Salted SHA-512 scheme is stored as follows:

userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH

When a user authenticates, the given clear text password is processed using the same algorithms. DS compares the authentication password to the stored userPassword version. If the comparison is true, the user is authenticated.

See Also

How does DS (All versions) store password values?

FAQ: Installing and configuring DS

FAQ: Upgrading DS

FAQ: General DS

Passwords in DS

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.