How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I change a password storage scheme and apply a new password policy to users in DS (All versions)?

Last updated Jun 15, 2021

The purpose of this article is to provide assistance if you want to migrate users to a new password policy in DS. It also provides information on changing the storage scheme associated with a password policy (for example, from PBKDF2-HMAC-SHA256 to PBKDF2-HMAC-SHA512), without applying a new policy.


Overview

If you want to change the storage scheme associated with your password policy, you do not have to create a new password policy to do so, nor do users necessarily have to change their passwords.

You have the following options if you want to change the storage scheme (without creating a new policy):

  • Change the storage scheme associated with the existing policy and force users to change their passwords.
  • Deprecate the old storage scheme and set the new one, so that each user's password is re-encoded the next time they successfully authenticate.

The option you choose depends on the vulnerability of your existing storage scheme. If you have any concerns, you will want users to change their password anyway, in which case the first option is the most suitable. If you are changing the storage scheme for other reasons, the second option may be suitable and less disruptive.

If you want to change the policy applied to users, you have the following options:

  • Use the pwdPolicy object class to assign a subentry based password policy.
  • Use a collectiveAttributeSubentry object to assign a password policy.

Attributes

The following attributes are referred to in this article:

Attribute                      Meaning
pwdPolicySubentry              Indicates which password policy applies to the user.
ds-pwp-password-policy-dn      Assigns a password policy to a given user or group of users.
collectiveAttributeSubentries  Used to set ds-pwp-password-policy-dn for group member entries.

Changing the storage scheme associated with a server-based policy

You can change the storage scheme associated with a server-based password policy as follows:

  1. Update the storage scheme associated with your existing password policy using a dsconfig command such as this:
    • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
    • Pre-DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:"Salted SHA-512" --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt

Once the policy is updated, authentication will continue to work seamlessly since the passwords themselves are unchanged. All newly created and updated passwords will be stored using the new storage scheme.

  2. Force all users to update their passwords to ensure they are stored using the new scheme. An administrator can reset users' passwords and, assuming the force-change-on-reset property is set to true, users will have to change their password the next time they log in. See Require Password Change on Add or Reset for further information on this setting.

Testing

The following process demonstrates how to check that the new storage scheme is used once the user's password has been changed:

  1. Search the userPassword attribute with an ldapsearch command to confirm that the user's password is still stored under the existing storage scheme (PBKDF2-HMAC-SHA256 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa

  2. Update the user's password using an ldappasswordmodify command:
    • DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • Pre-DS 7: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
  3. Search the userPassword attribute again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=

Deprecating the old storage scheme and applying a new one (server-based policy)

You can deprecate the old storage scheme as follows:

  1. Deprecate the storage scheme associated with your existing server-based password policy and set the new storage scheme using a dsconfig command such as this:
    • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:PBKDF2-HMAC-SHA256 --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:PBKDF2-HMAC-SHA256 --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
    • Pre-DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:"Salted SHA-256" --set default-password-storage-scheme:"Salted SHA-512" --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt

Once the user successfully authenticates, their password is stored under the new storage scheme.

Testing

The following process demonstrates how to check that the new storage scheme is used for a user's password once they have authenticated:

  1. Search the userPassword attribute with an ldapsearch command to confirm that the user's password is still stored under the existing storage scheme (PBKDF2-HMAC-SHA256 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa

  2. Authenticate as the user using their existing password. Do not change their password.
  3. Search the userPassword attribute again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=
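With the old scheme deprecated, a password is re-encoded only when its owner next authenticates, so dormant accounts keep the old hash until then. The following audit script is an added example, not ForgeRock code: it parses an LDIF export or ldapsearch output in the {SCHEME}iterations:base64 form shown above and lists entries still stored under the deprecated scheme (or with fewer PBKDF2 iterations than a chosen minimum). The sample entries are constructed from this article's example values.

```python
"""Audit a DS LDIF export (or ldapsearch output) for userPassword values still stored under a
deprecated scheme, or PBKDF2 values with too few iterations. Added example, not ForgeRock code."""
import base64
import re
from collections import Counter

# DS shows PBKDF2 values as {SCHEME}<iterations>:<base64 blob> in the responses above.
PBKDF2_RE = re.compile(r"^\{(PBKDF2-HMAC-SHA(?:256|512))\}(\d+):([A-Za-z0-9+/=]+)$")


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines and decodes '::' values."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:          # the trailing "" flushes the last entry
        if raw.startswith(" ") and lines:          # LDIF line folding: append to previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            entries.append(_entry(lines))
            lines = []
    return entries


def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>" form used by exports
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def describe_password(value):
    """Return {'scheme', 'iterations', 'blob_bytes'} for one stored userPassword value."""
    m = PBKDF2_RE.match(value)
    if m:
        blob = base64.b64decode(m.group(3))        # salt and digest; length is informational
        return {"scheme": m.group(1), "iterations": int(m.group(2)), "blob_bytes": len(blob)}
    scheme = value[1:value.index("}")] if value.startswith("{") and "}" in value else "CLEARTEXT"
    return {"scheme": scheme, "iterations": None, "blob_bytes": None}


def audit(ldif_text, deprecated=("PBKDF2-HMAC-SHA256",), min_iterations=10000):
    """Return (Counter of schemes seen, list of (dn, reason) findings)."""
    summary, findings = Counter(), []
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userpassword", []):
            info = describe_password(pw)
            summary[info["scheme"]] += 1
            if info["scheme"] in deprecated:
                findings.append((dn, "still stored under deprecated scheme " + info["scheme"]))
            elif info["iterations"] is not None and info["iterations"] < min_iterations:
                findings.append((dn, "only %d PBKDF2 iterations" % info["iterations"]))
    return summary, findings


# Constructed sample: user.1 has re-authenticated (new scheme), user.2 has not, and
# user.3's value is written in the "::" base64 form that an LDIF export may use.
OLD = "{PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa"
NEW = ("{PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFP"
       "N2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=")
SAMPLE_LDIF = "\n".join([
    "dn: uid=user.1,ou=People,dc=example,dc=com",
    "userPassword: " + NEW,
    "",
    "dn: uid=user.2,ou=People,dc=example,dc=com",
    "userPassword: " + OLD[:40],
    " " + OLD[40:],                                # folded continuation line
    "",
    "dn: uid=user.3,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(OLD.encode()).decode(),
])
```

Calling audit(SAMPLE_LDIF) returns the scheme counts and one finding each for user.2 and user.3; feed it the output of the ldapsearch commands above (with userPassword requested) to see which users have not yet re-authenticated.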

Using the pwdPolicy object class to assign subentry based password policies

The following process demonstrates applying a subentry based password policy to all members of a branch, with the following example values (where both the policy and users are directly under: ou=People,dc=example,dc=com):

  • The policy DN is: cn=PBKDF2-HMAC-SHA512 Policy,ou=People,dc=example,dc=com
  • The users are in the following branch: ou=People,dc=example,dc=com

You can apply a password policy to all your users as follows:

  1. Create an ldif file for the new custom password policy. For example:

     $ cat new-policy.ldif
     dn: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
     objectClass: top
     objectClass: subentry
     objectClass: pwdPolicy
     cn: PBKDF2-HMAC-SHA512 Policy
     pwdAttribute: userPassword
     [..., etc]
     subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
  2. Apply the new policy using the following ldapmodify command depending on your version:
    • DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password new-policy.ldif
    • DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password new-policy.ldif
    • Pre-DS 7: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password new-policy.ldif

You will see the following response:

Processing ADD request for cn=PBKDF2-HMAC-SHA512 Policy,ou=People,dc=example,dc=com
ADD operation successful for DN cn=PBKDF2-HMAC-SHA512 Policy,ou=People,dc=example,dc=com

Testing

The following process demonstrates how to check that the new password policy has been applied and that the storage scheme is updated once the user's password has been changed:

  1. Verify that the new password policy has been applied, for example:
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
collectiveAttributeSubentries: cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com

Notice that the password has not yet been updated to the new PBKDF2-HMAC-SHA512 storage scheme, but the new password policy has been applied.

  2. Update the user's password using the ldappasswordmodify command, for example:
    • DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • Pre-DS 7: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
  3. Search the userPassword attribute again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=

Using a collectiveAttributeSubentry object to assign password policies

The process you need to follow depends on whether your users currently have the Default Password Policy assigned or a custom one; you can check the pwdPolicySubentry attribute using an ldapsearch command, for example:

  • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
  • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
  • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com

If you already have a custom password policy (applied using collective attributes), you will see a collectiveAttributeSubentries attribute in the ldapsearch response, for example:

collectiveAttributeSubentries: cn=Custom Password Policy for all Users,dc=example,dc=com

You should then follow the appropriate process below:

Note

If you already have a custom policy applied, you can remove it first and then follow the new password policy procedure if you prefer. You can remove it using ldapdelete, for example:

  • DS 7.1 and later: $ ./ldapdelete --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com
  • DS 7: $ ./ldapdelete --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com
  • Pre-DS 7: $ ./ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com

Apply a new password policy 

The following process demonstrates applying a new password policy to all users under the base ou=People:

  1. Create a new custom password policy. See Configure Password Policies for further information.
  2. Apply the new password policy to all users under dn: ou=People,dc=example,dc=com as follows:
    1. Create an ldif file (pwp-policy.ldif in this example) with the changes, for example:

       dn: cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
       objectClass: collectiveAttributeSubentry
       objectClass: extensibleObject
       objectClass: subentry
       objectClass: top
       cn: PBKDF2-HMAC-SHA512 Password Policy for all Users
       ds-pwp-password-policy-dn;collective: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
       subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
    2. Apply this update using the following ldapmodify command depending on your version:
      • DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password pwp-policy.ldif
      • DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password pwp-policy.ldif
      • Pre-DS 7: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password pwp-policy.ldif

You will see the following response:

Processing ADD request for cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
ADD operation successful for DN cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com

Change the password policy 

The following process demonstrates changing the password policy applicable to all users under the base ou=People:

  1. Create a new custom password policy. See Configure Password Policies for further information.
  2. Change the password policy to the new policy for all users under dn: ou=People,dc=example,dc=com as follows:
    1. Create an ldif file with the change, for example:

       $ cat change-policy.ldif
       dn: cn=Custom Password Policy for all Users,dc=example,dc=com
       changetype: modify
       replace: ds-pwp-password-policy-dn;collective
       ds-pwp-password-policy-dn;collective: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
    2. Apply this update using the following ldapmodify command depending on your version:
      • DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password change-policy.ldif
      • DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password change-policy.ldif
      • Pre-DS 7: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password change-policy.ldif

You will see the following response:

Processing MODIFY request for cn=Custom Password Policy for all Users,dc=example,dc=com
MODIFY operation successful for DN cn=Custom Password Policy for all Users,dc=example,dc=com

Testing

The following process demonstrates how to check that the new password policy has been applied and that the storage scheme is updated once the user's password has been changed:

  1. Verify that the new password policy has been applied, for example:
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
collectiveAttributeSubentries: cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config

Notice that the password has not yet been updated to the new PBKDF2-HMAC-SHA512 storage scheme, but the new password policy has been applied.

  2. Update the user's password using an ldappasswordmodify command:
    • DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
    • Pre-DS 7: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
  3. Search the userPassword attribute again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
    • Pre-DS 7: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword

Example response:

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=

Note

If you changed the password policy (rather than applying a new one), the name of the collectiveAttributeSubentry entry remains the same after the new policy has been applied.

See Also

How does DS (All versions) store password values?

How does password expiration work in DS (All versions)?

How do I add multiple values for the same password attribute using different hashing algorithms in DS (All versions)?

FAQ: Passwords in DS

Passwords in DS

Passwords

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.