How do I change a password storage scheme and apply a new password policy to users in DS (All versions)?
The purpose of this article is to provide assistance if you want to migrate users to a new password policy in DS. It also provides information on changing the storage scheme associated with a password policy (for example, from PBKDF2-HMAC-SHA256 to PBKDF2-HMAC-SHA512), without applying a new policy.
Overview
If you want to change the storage scheme associated with your password policy, you do not have to create a new password policy to achieve this nor do users necessarily have to change their passwords.
You have the following options if you want to change the storage scheme (without creating a new policy):
- Change the storage scheme associated with the server-based password policy if you plan to force all users to change their password. Passwords will only be stored under the new storage scheme once they have been changed.
- Deprecate the old storage scheme and apply the new one (server-based policy) without users needing to change their password. Passwords will be stored under the new storage scheme after successful authentication.
The option you choose depends on why you are changing the storage scheme. If the existing scheme is weak enough that the stored hashes themselves are a concern, you will want users to change their passwords anyway, in which case the first option is the most suitable. If you are changing the storage scheme for other reasons (for example, to adopt a stronger default), the second option is less disruptive because users keep their current passwords.
If you want to change the policy applied to users, you have the following options:
- Use the pwdPolicy object class to define a subentry-based password policy - the simplest method for applying a password policy to all entries in a branch.
- Use a collectiveAttributeSubentry object to assign an existing server-based password policy through the ds-pwp-password-policy-dn attribute - appropriate for applying a policy to LDAP group members, or to a subset of users within a branch such as ou=People that match a filter.
Attributes
The following attributes are referred to in this article:
Attribute | Meaning |
---|---|
pwdPolicySubentry | Operational attribute on a user entry that shows which password policy currently applies to that user. |
ds-pwp-password-policy-dn | Attribute used to assign a server-based password policy to any given user or group of users; in this article it is set as a collective attribute. |
collectiveAttributeSubentries | Operational attribute on a user entry that lists the collectiveAttributeSubentry objects applying to it; those subentries are what set ds-pwp-password-policy-dn on the selected entries. |
Changing the storage scheme associated with a server-based policy
- Update the storage scheme associated with your existing password policy using a dsconfig command such as this:
- DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set default-password-storage-scheme:"Salted SHA-512" --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
Once the policy is updated, existing users continue to authenticate because their stored values are unchanged and the old storage scheme is still enabled; only newly created and changed passwords are stored using the new scheme. Do not disable the old storage scheme until no userPassword values remain encoded under it, as DS cannot verify a value whose scheme is disabled.
- Force all users to update their passwords to ensure they are stored using the new scheme. An administrator can reset users' passwords (for example with ldappasswordmodify bound as the administrator), and if the policy's force-change-on-reset property is set to true, each user must change their password the next time they log in. See Require Password Change on Add or Reset for further information on this setting.
Testing
The following process demonstrates how to check that the new storage scheme is used once the user's password has been changed:
- Search the userPassword with an ldapsearch command to confirm that the user still has their password stored under the existing storage scheme (PBKDF2-HMAC-SHA256 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
- Update the user's password using an ldappasswordmodify command (bound as the user with the current password, changeit in this example):
- DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 6.x: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- Search the userPassword again, binding as the user with the new password (strongPassw0rd in this example), to verify that the password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword strongPassw0rd --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword strongPassw0rd --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword strongPassw0rd --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=
Deprecating the old storage scheme and applying a new one (server-based policy)
You can deprecate the old storage scheme as follows:
- Deprecate the storage scheme associated with your existing server-based password policy and set the new storage scheme using a dsconfig command such as this:
- DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:PBKDF2-HMAC-SHA256 --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
- DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:PBKDF2-HMAC-SHA256 --set default-password-storage-scheme:PBKDF2-HMAC-SHA512 --hostname ds.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
- DS 6.x: $ ./dsconfig set-password-policy-prop --policy-name "Current Password Policy" --set deprecated-password-storage-scheme:"Salted SHA-256" --set default-password-storage-scheme:"Salted SHA-512" --hostname ds.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
Each user's password is re-encoded under the new storage scheme the next time that user authenticates successfully. Users who never authenticate keep the old encoding, so confirm that no userPassword values remain under the deprecated scheme before you disable it.
Testing
The following process demonstrates how to check that the new storage scheme is used for a user's password once they have authenticated. Take the "before" snapshot bound as an administrator rather than as the user: with a deprecated scheme configured, any successful bind by the user re-encodes their password, so binding as the user for the first search would already migrate it.
- Search the userPassword with an ldapsearch command, bound as an administrator, to confirm that the user still has their password stored under the existing storage scheme (PBKDF2-HMAC-SHA256 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
- Authenticate as the user using their existing password (changeit in this example). Do not change the password. Any successful bind will do; the ldapsearch in the next step, bound as the user, is such an authentication.
- Search the userPassword again, bound as the user with their existing password, to verify that the password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=
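Whichever of the two storage-scheme options you use, the practical question is when it is safe to disable the old scheme. The following script is an added example and is not part of DS or of this article's procedures: it parses LDIF (the output of an ldapsearch for userPassword bound as an administrator, or an export-ldif dump) and reports which entries still hold a value under the deprecated scheme, plus any PBKDF2 values whose embedded iteration count is below a threshold. The sample LDIF, DNs and the service-account entry are constructed for the example; the two hash values are the ones shown above.

```python
"""Audit how far a password storage-scheme migration has progressed.

Added example, not part of the DS documentation or the DS tools. It parses LDIF
such as the output of an ldapsearch for userPassword bound as an administrator
(a user's own bind sees only that user's value) or an export-ldif dump, and reports
which entries still hold a value under the deprecated scheme. Run it before
disabling the old storage scheme: every DN listed under "remaining" still depends
on that scheme to authenticate.
"""
import base64
import re
from collections import Counter

# Constructed sample. The two hash values are the ones shown in the article; the
# entry for user.2 shows LDIF line folding and the entry for user.4 shows the
# base64 form ("userPassword::") that export-ldif and some clients emit.
SHA256_VALUE = ("{PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5"
                "rOB/j9y+9pwdub8rwfVa")
SHA512_VALUE = ("{PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQ"
                "dqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=")
SAMPLE_LDIF = f"""\
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SHA256_VALUE}

dn: uid=user.2,ou=People,dc=example,dc=com
userPassword: {SHA512_VALUE[:60]}
 {SHA512_VALUE[60:]}

dn: uid=user.3,ou=People,dc=example,dc=com
userPassword: {SHA256_VALUE}

dn: uid=user.4,ou=People,dc=example,dc=com
userPassword:: {base64.b64encode(SHA512_VALUE.encode()).decode()}

dn: uid=svc.1,ou=Services,dc=example,dc=com
description: service account without a password
"""

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [{"dn": ..., "userPassword": [...]}, ...], one dict per entry."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        # "attr:: value" means the value is base64-encoded
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        if attr.lower() == "dn":
            current = {"dn": value, "userPassword": []}
        elif current is not None and attr.lower() == "userpassword":
            current["userPassword"].append(value)
    if current is not None:
        entries.append(current)
    return entries


def classify(value):
    """Return (scheme, iterations). iterations is None unless the scheme is a
    PBKDF2 variant, whose stored form starts with "<iterations>:"."""
    m = SCHEME_RE.match(value)
    if not m:
        return "CLEAR", None          # no {SCHEME} prefix: stored in clear
    scheme, body = m.group(1).upper(), m.group(2)
    iterations = None
    if scheme.startswith("PBKDF2"):
        head = body.partition(":")[0]
        iterations = int(head) if head.isdigit() else None
    return scheme, iterations


def audit(ldif_text, deprecated_scheme, min_iterations=10000):
    """Summarise scheme usage and list what still blocks retiring the old scheme."""
    report = {"by_scheme": Counter(), "remaining": [], "low_iterations": [], "no_password": []}
    for entry in parse_ldif(ldif_text):
        if not entry["userPassword"]:
            report["no_password"].append(entry["dn"])
            continue
        for value in entry["userPassword"]:
            scheme, iterations = classify(value)
            report["by_scheme"][scheme] += 1
            if scheme == deprecated_scheme.upper():
                report["remaining"].append(entry["dn"])
            if iterations is not None and iterations < min_iterations:
                report["low_iterations"].append((entry["dn"], iterations))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF, "PBKDF2-HMAC-SHA256")
    for scheme, count in sorted(result["by_scheme"].items()):
        print(f"{scheme}: {count}")
    for dn in result["remaining"]:
        print(f"still on deprecated scheme: {dn}")
```

Entries with no userPassword (service accounts, accounts that authenticate only via certificates or SASL) are listed separately rather than counted as migrated, and an iteration count of 10, as in the first example value above, is flagged so that policies still carrying a test-grade work factor are noticed during the same review.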
Using the pwdPolicy object class to assign subentry based password policies
The following process demonstrates applying a subentry-based password policy to all members of a branch, with the following example values (the policy subentry sits directly under dc=example,dc=com and the users under ou=People,dc=example,dc=com):
- The policy DN is: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
- The users are in the following branch: ou=People,dc=example,dc=com
You can apply a password policy to all your users as follows:
- Create an LDIF file for the new custom password policy. The base in the subtreeSpecification is relative to the parent of the subentry, so with the subentry under dc=example,dc=com, base "ou=people" selects everything under ou=People,dc=example,dc=com. For example:
$ cat new-policy.ldif
dn: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
cn: PBKDF2-HMAC-SHA512 Policy
pwdAttribute: userPassword
[..., etc]
subtreeSpecification: {base "ou=people"}
To limit the policy to members of a group rather than the whole branch, add a specificationFilter, for example: subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
- Apply the new policy using the following ldapmodify command depending on your version:
- DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password new-policy.ldif
- DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password new-policy.ldif
- DS 6.x: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password new-policy.ldif
You will see the following response:
Processing ADD request for cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
ADD operation successful for DN cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
Testing
The following process demonstrates how to check that the new password policy has been applied and that the storage scheme is updated once the user's password has been changed:
- Verify that the new password policy has been applied, for example:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com
Notice that pwdPolicySubentry now points at the new policy, but the password is still stored under the PBKDF2-HMAC-SHA256 scheme; it is re-encoded only when the user's password is changed.
- Update the user's password using the ldappasswordmodify command, for example:
- DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 6.x: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- Search the userPassword again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=
Using a collectiveAttributeSubentry object to assign password policies
The process you need to follow depends on whether your users currently have the Default Password Policy or a custom one. You can check the pwdPolicySubentry attribute of a user with an ldapsearch command (the + requests operational attributes, which is where pwdPolicySubentry and any collectiveAttributeSubentries are returned), for example:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com
If you already have a custom password policy (applied using collective attributes), you will see a collectiveAttributeSubentries entry in response to the ldapsearch, for example: collectiveAttributeSubentries: cn=Custom Password Policy for all Users,dc=example,dc=com
You should then follow the appropriate process below:
- Apply a new password policy (if you are currently using the Default Password Policy).
- Change the password policy (if you are currently using a custom password policy that was applied using collective attributes).
Note
If you already have a custom policy applied, you can instead remove its collectiveAttributeSubentry and then follow the procedure for applying a new password policy. You can remove it using ldapdelete, for example:
- DS 7.1 and later: $ ./ldapdelete --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com
- DS 7: $ ./ldapdelete --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com
- DS 6.x: $ ./ldapdelete --port 1389 --bindDN "cn=Directory Manager" --bindPassword password cn=Custom Password Policy for all Users,dc=example,dc=com
The following process demonstrates applying a new password policy to users under the base ou=People:
- Create a new custom password policy. See Configure Password Policies for further information.
- Apply the new password policy to users under dn: ou=People,dc=example,dc=com as follows:
- Create an LDIF file with the changes. The subentry is added under dc=example,dc=com, so base "ou=people" in its subtreeSpecification selects ou=People,dc=example,dc=com; the specificationFilter further limits the policy to members of the Directory Administrators group, and can be omitted to apply the policy to every user under ou=People. For example:
$ cat pwp-policy.ldif
dn: cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: PBKDF2-HMAC-SHA512 Password Policy for all Users
ds-pwp-password-policy-dn;collective: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
- Apply this update using the following ldapmodify command depending on your version:
- DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password pwp-policy.ldif
- DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password pwp-policy.ldif
- DS 6.x: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password pwp-policy.ldif
You will see the following response:
Processing ADD request for cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
ADD operation successful for DN cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
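Both the pwdPolicy subentry and the collectiveAttributeSubentry above rely on a subtreeSpecification whose base is relative to the parent of the subentry, which is the usual reason a policy silently fails to apply. The following script is an added example, not DS code and not part of this article's procedure: it resolves the effective base for a subentry, applies the optional isMemberOf specificationFilter used above against a constructed membership map, and shows that the same {base "ou=people"} selects ou=People,dc=example,dc=com when the subentry sits under dc=example,dc=com but nothing useful when the subentry is placed inside ou=People. DN handling is a simplified case-insensitive comparison (no escaped commas), and the other subtreeSpecification components (minimum, maximum, specificExclusions) are ignored.

```python
"""Work out which entries a subentry's subtreeSpecification selects.

Added example, not part of DS. The base in a subtreeSpecification is relative to
the parent of the subentry that carries it, so {base "ou=people"} selects
ou=People,dc=example,dc=com only when the subentry itself sits directly under
dc=example,dc=com. This applies equally to the pwdPolicy subentry and the
collectiveAttributeSubentry used in this article. The code handles the base and
the isMemberOf specificationFilter shown in the article and ignores the other
subtreeSpecification components (minimum, maximum, specificExclusions); group
membership is supplied as a constructed map, and DN comparison is a simplified
case-insensitive match that does not handle escaped commas.
"""
import re

BASE_RE = re.compile(r'base\s+"([^"]*)"')
FILTER_RE = re.compile(r'specificationFilter\s+"\(isMemberOf=([^)]+)\)"', re.IGNORECASE)


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN for comparison (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(",") if part.strip())


def parent_dn(dn):
    """DN of the entry above dn; the subtreeSpecification base hangs off this."""
    normalized = normalize_dn(dn)
    return normalized.split(",", 1)[1] if "," in normalized else ""


def effective_base(subentry_dn, subtree_spec):
    """Absolute DN that the spec's relative base resolves to for this subentry."""
    m = BASE_RE.search(subtree_spec)
    base = m.group(1).strip() if m else ""
    parent = parent_dn(subentry_dn)
    # An empty base means the subtree starts at the subentry's parent itself.
    return normalize_dn(f"{base},{parent}") if base else parent


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def selects(subentry_dn, subtree_spec, entry_dn, membership):
    """True if the subentry's policy applies to entry_dn.

    membership maps a normalized user DN to the set of normalized group DNs it
    belongs to (what isMemberOf would return for that user)."""
    if not is_under(entry_dn, effective_base(subentry_dn, subtree_spec)):
        return False
    m = FILTER_RE.search(subtree_spec)
    if not m:
        return True
    return normalize_dn(m.group(1)) in membership.get(normalize_dn(entry_dn), set())


# Constructed data: the two specs from the article and a membership map in
# which only user.1 belongs to Directory Administrators.
SPEC_ALL = '{base "ou=people"}'
SPEC_ADMINS = ('{base "ou=people", specificationFilter '
               '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }')
ADMIN_GROUP = "cn=Directory Administrators,ou=Groups,dc=example,dc=com"
USER1 = "uid=user.1,ou=People,dc=example,dc=com"
USER2 = "uid=user.2,ou=People,dc=example,dc=com"
MEMBERSHIP = {normalize_dn(USER1): {normalize_dn(ADMIN_GROUP)}, normalize_dn(USER2): set()}

# The placement that works (parent is dc=example,dc=com) and the one that does not.
POLICY_AT_ROOT = "cn=PBKDF2-HMAC-SHA512 Policy,dc=example,dc=com"
POLICY_IN_BRANCH = "cn=PBKDF2-HMAC-SHA512 Policy,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    for subentry in (POLICY_AT_ROOT, POLICY_IN_BRANCH):
        print(subentry, "->", effective_base(subentry, SPEC_ALL),
              "selects user.1:", selects(subentry, SPEC_ALL, USER1, MEMBERSHIP))
    print("admins-only spec selects user.2:",
          selects(POLICY_AT_ROOT, SPEC_ADMINS, USER2, MEMBERSHIP))
```

Use it as a pre-flight check before adding a subentry: feed it the DN you intend to use and a few representative user DNs, and confirm that the effective base is the branch you meant. On the live server the equivalent check is the ldapsearch for pwdPolicySubentry shown in the Testing sections.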
The following process demonstrates changing the password policy applicable to all users under the base ou=People:
- Create a new custom password policy. See Configure Password Policies for further information.
- Change the password policy to the new policy for all users under dn: ou=People,dc=example,dc=com as follows:
- Create an LDIF file with the change, for example:
$ cat change-policy.ldif
dn: cn=Custom Password Policy for all Users,dc=example,dc=com
changetype: modify
replace: ds-pwp-password-policy-dn;collective
ds-pwp-password-policy-dn;collective: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
- Apply this update using the following ldapmodify command depending on your version:
- DS 7.1 and later: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password change-policy.ldif
- DS 7: $ ./ldapmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password change-policy.ldif
- DS 6.x: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password change-policy.ldif
You will see the following response:
Processing MODIFY request for cn=Custom Password Policy for all Users,dc=example,dc=com
MODIFY operation successful for DN cn=Custom Password Policy for all Users,dc=example,dc=com
Testing
The following process demonstrates how to check that the new password policy has been applied and that the storage scheme is updated once the user's password has been changed:
- Verify that the new password policy has been applied, for example:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com 'uid=user.1' pwdPolicySubentry + userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa
pwdPolicySubentry: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
entryUUID: ad55a34a-763f-358f-93f9-da86f9ecd9e4
etag: 000000003e23b18a
structuralObjectClass: inetOrgPerson
numSubordinates: 0
collectiveAttributeSubentries: cn=PBKDF2-HMAC-SHA512 Password Policy for all Users,dc=example,dc=com
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=user.1,ou=People,dc=example,dc=com
ds-pwp-password-policy-dn: cn=PBKDF2-HMAC-SHA512 Policy,cn=Password Policies,cn=config
Notice that the password has not yet been updated to the new PBKDF2-HMAC-SHA512 storage scheme, but the new password policy has been applied.
- Update the user's password using an ldappasswordmodify command:
- DS 7.1 and later: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 7: $ ./ldappasswordmodify --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- DS 6.x: $ ./ldappasswordmodify --port 1389 --bindDN "uid=user.1,ou=people,dc=example,dc=com" --bindPassword changeit --newPassword strongPassw0rd
- Search the userPassword again to verify that the user's password is now stored under the new storage scheme (PBKDF2-HMAC-SHA512 in this example):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
- DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "uid=user.1" userPassword
Example response:
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {PBKDF2-HMAC-SHA512}10000:kPItID0Y7ydkMwjDyUhvuowuKs4RSraKcINuDVyQdqG/PLrPLeA/0dpfCsFPN2WEo0MFYcdKa7Gs3DXP/t9XEfiYzhXTD2PHR6VwdNtBnDg=
Note
If you changed the policy by modifying the existing collectiveAttributeSubentry, its DN (cn=Custom Password Policy for all Users,dc=example,dc=com in this example) stays the same; only the ds-pwp-password-policy-dn;collective value changes. The collectiveAttributeSubentries attribute on user entries therefore still shows the old subentry name, while pwdPolicySubentry and ds-pwp-password-policy-dn show the new policy.
See Also
How does DS (All versions) store password values?
How does password expiration work in DS (All versions)?
Related Training
N/A
Related Issue Tracker IDs
N/A