How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I add multiple values for the same password attribute using different hashing algorithms in DS (All versions)?

Last updated Jun 10, 2021

The purpose of this article is to provide information on adding multiple values for the same password attribute using different hashing algorithms in DS. This article assumes you are using the userPassword attribute for passwords, but the process still applies if you are using a different attribute for passwords.


1 reader recommends this article

Adding multiple values (DS 7 and later)

You can add multiple values as follows:

  1. Encode a password using your first required hashing algorithm, for example PBKDF2-HMAC-SHA256: $ ./encode-password --storageScheme PBKDF2-HMAC-SHA256 --clearPassword password1Example output: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV
  2. Encode a password using your second required hashing algorithm, for example PBKDF2-HMAC-SHA512: $ ./encode-password --storageScheme PBKDF2-HMAC-SHA512 --clearPassword password2Example output: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk=
  3. Update DS to allow encoded passwords to be imported. You can do this by setting the advanced password policy property: allow-pre-encoded-passwords using dsconfig. For example:
    • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
  4. Add these encoded passwords to a user entry and import or add: dn: uid=user.2000,ou=People,dc=example,dc=com objectClass: person objectClass: inetorgperson objectClass: organizationalperson objectClass: top uid: user.2000 cn: Jane Doe sn: Doe mail: user.2000@example.com userPassword: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV userPassword: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk=
  5. Bind using this user entry and each encoded password:
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password1 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV userPassword: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk= $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password2 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV userPassword: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk=
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password1 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV userPassword: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk= $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password2 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {PBKDF2-HMAC-SHA256}10:6xNamSSJePXtWOwptGXPhvx6ilc4EP6D4/s67ZcHrzJ4cT1VSgH9h2KxifRvv2RV userPassword: {PBKDF2-HMAC-SHA512}10000:HGVd9luGmMIfgbSnmczc2aZegohTub37Y8kHNwAtHzq5NIvUWMGqefm7mkUhY2NqslTHEpQHi4R5abFtMLZ0h1jGa120oS7mXpxiyV0wxpk=

Adding multiple values (Pre-DS 7)

You can add multiple values as follows:

  1. Encode a password using your first required hashing algorithm, for example SSHA256: $ ./encode-password --storageScheme SSHA256 --clearPassword password1Example output: {SSHA256}roHY0/rfiO8+q/DZ+km9UG2UiL7AO6RuQ4oFefRDmEYHbeBEkNzmaQ==
  2. Encode a password using your second required hashing algorithm, for example SSHA512: $ ./encode-password --storageScheme SSHA512 --clearPassword password2Example output: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  3. Update DS to allow encoded passwords to be imported. You can do this by setting the advanced password policy property: allow-pre-encoded-passwords using dsconfig. For example:$ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --advanced --set allow-pre-encoded-passwords:true --trustAll --no-prompt
  4. Add these encoded passwords to a user entry and import or add: dn: uid=user.2000,ou=People,dc=example,dc=com objectClass: person objectClass: inetorgperson objectClass: organizationalperson objectClass: top uid: user.2000 cn: Jane Doe sn: Doe mail: user.2000@example.com userPassword: {SSHA256}roHY0/rfiO8+q/DZ+km9UG2UiL7AO6RuQ4oFefRDmEYHbeBEkNzmaQ== userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  5. Bind using this user entry and each encoded password:$ ./ldapsearch --port 1389 --hostname localhost --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password1 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {SSHA256}roHY0/rfiO8+q/DZ+km9UG2UiL7AO6RuQ4oFefRDmEYHbeBEkNzmaQ== userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH $ ./ldapsearch --port 1389 --hostname localhost --baseDN "dc=example,dc=com" --bindDN "uid=user.2000,ou=People,dc=example,dc=com" --bindPassword password2 "(uid=user.2000)" userPassword dn: uid=user.2000,ou=People,dc=example,dc=com userPassword: {SSHA256}roHY0/rfiO8+q/DZ+km9UG2UiL7AO6RuQ4oFefRDmEYHbeBEkNzmaQ== userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH

See Also

FAQ: Installing and configuring DS

FAQ: Passwords in DS

How does DS (All versions) store password values?

Configure Password Policies

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.