How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I synchronize hashed passwords from IDM to DS (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide information on how to pass pre-hashed passwords values within IDM to DS.

1 reader recommends this article

Background information

The synchronization model for IDM is to take the encrypted password from its own store, decrypt it and pass it in plain text to DS for it to hash and store. IDM also has the capability to hash passwords not just encrypt them. The way in which the passwords are synchronized will differ depending on whether they are encrypted or hashed:

  • Encrypted

The password is decrypted on the IDM side using a transform script (defined in sync.json) and then pushed to DS as plain text. Upon arrival, DS encrypts or hashes the password.

  • Hashed

The hashed password is pushed directly to DS since hashes are one way and cannot be decrypted before synchronization. Hashing also differs between IDM and DS, for example: the SHA512 algorithm in IDM uses a 16 byte Salt value whereas hashing within DS natively uses a 16 or 8 byte Salt value depending on version (How does DS (All versions) store password values?). Although hashing might be different between the systems, DS can still authenticate users whose hashed password has been received from IDM because DS can handle varying salt lengths during authentication.

There is a known issue for passwords hashed with the PBKDF2 algorithm: OPENIDM-17190 (PBKDF2 pre-hashed passwords from IDM not working on DS).

If you want to synchronize hashed passwords the other way, you must use the DS Password Sync Plugin because hashed passwords cannot be unhashed. Additionally, there is a known issue with policy validation for hashed passwords, which is fixed in IDM 7: OPENIDM-11456 (Skip password policy validation if password is hashed). Prior to this fix, IDM could not authenticate users using passwords that had been hashed by DS because IDM expected a fixed (hard-coded) salt length, which is not the salt length used by DS. See Password Synchronization Plugin Guide and OPENIDM-13293 (Request for IDM to allow for hashed passwords with different salt lengths) for further information.


The password storage scheme used to encrypt/hash passwords in IDM must be enabled in DS otherwise authentication will fail in DS. DS 7 and later disables less secure and reversible schemes by default for improved security, including Salted SHA-512. See How does DS (All versions) store password values? for further information.

Salt values

IDM performs hashing using a randomly generated Salt value. You can identify the Salt value needed for storing and synchronizing hashed passwords, if required, by manipulating the hashed object since the data value consists of the base64 encoded version of the Hashed value concatenated with the Salt value.

This example demonstrates retrieving the Salt value used when performing the hashing function:

  1. The following JavaScript® code hashes the password value (test) and then outputs information to the log file to show the base64 decoded version of the data and the Salt value used: testOutput = openidm.hash("test","SHA-512");"Hash Output: {}", testOutput); var base64 = b64tO = base64.decode(testOutput.$;"Decoded: {}", b64tO); salt = b64tO.slice(32);"Salt: {}", salt);
  2. Example log output; observe that the decoded value (meaning the Salt and the password itself) returns as a byteArray: Aug 10, 2018 2:28:34 PM org.forgerock.script.scope.FunctionFactory$1$3 call INFO: Hash Output: {$crypto={value={algorithm=SHA-512, data=RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH}, type=salted-hash}} Aug 10, 2018 2:28:34 PM org.forgerock.script.scope.FunctionFactory$1$3 call INFO: Decoded: [-80, 52, -102, -103, 46, 80, -86, 125, 65, 15, 119, 45, 117, -42, -118, 38, 83, 16, -43, 115, -73, 66, 33, 57, 15, -121, 42, -38, 86, -114, 104, 80, 73, 62, -100, 121, -16, 79, 49, 110, -64, 39, -107, -30, 117, -30, -65, 69] Aug 10, 2018 2:28:34 PM org.forgerock.script.scope.FunctionFactory$1$3 call INFO: Salt: [73, 62, -100, 121, -16, 79, 49, 110, -64, 39, -107, -30, 117, -30, -65, 69]

Synchronizing hashed passwords

You can use passwords in DS that have been hashed by IDM as follows:

  1. Ensure the password storage scheme used to hash passwords in IDM is enabled in DS.
  2. Configure DS to allow pre-encoded passwords for the relevant password policy. You can set this using dsconfig, for example:
    • DS 7.1 and later: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/ --no-prompt
    • DS 7: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN uid=admin --bindPassword password --advanced --set allow-pre-encoded-passwords:true --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/ --no-prompt
    • DS 6.x: $ ./dsconfig set-password-policy-prop --policy-name "Default Password Policy" --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --advanced --set allow-pre-encoded-passwords:true --trustAll --no-prompt
  3. Configure IDM to hash passwords as detailed in Encoding Attribute Values by Using Salted Hash Algorithms. This change does not update all existing user passwords. Passwords will only be stored as hashes if they are created or updated after this change.
  4. Update the transformation of the password in the IDM sync.json file (located in the /path/to/idm/conf directory)​ to use the base64 encoded hash and append the appropriate hashing algorithm as a prefix. For example, if you are using the SHA512 algorithm, the updated section would look similar to this where {SSHA512} has been appended: { "source" : "password", "condition" : { "type" : "text/javascript", "source" : "object.password != null" }, "transform" : { "type" : "text/javascript", "source" : "var hash = \"{SSHA512}\" + source.$;hash;" }, "target" : "userPassword" },
  5. Update the password in IDM, which will cause the hashed value to be pushed to DS. You will see something similar to the following in the DS audit log when this happens: replace: userPassword userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH
  6. Verify DS is now storing the password hash by viewing the object for the user whose password you updated using ldapsearch, for example​:
    • DS 7.1 and later: $ ./ldapsearch --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/ --bindDN uid=admin --bindPassword password --baseDN "dc=example,dc=com" "(uid=jdoe)"
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/ --bindDN uid=admin --bindPassword password --baseDN "dc=example,dc=com" "(uid=jdoe)"
    • DS 6.x: $ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "dc=example,dc=com" "(uid=jdoe)" --trustAll

Example response:

dn: uid=jdoe,ou=People,dc=example,dc=com objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top givenName: Jane description: Created for IDM uid: jdoe cn: Jane Doe sn: Doe telephoneNumber: 1-360-229-7105 userPassword: {SSHA512}RypyBA65dxSQP0Zd2HZ2Ue7C2/FEQ/7YU0FU59jhD8kirLXToEaMelrY90/21QJcr3mfyB1KXPSZjCgq6OcQqIOsklOGlXOH mail:

See Also

How do I change a password storage scheme and apply a new password policy to users in DS (All versions)?

FAQ: Passwords in DS

Synchronization in IDM



Related Training


Related Issue Tracker IDs

OPENIDM-11456 (Skip password policy validation if password is hashed)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.