Closed lscorcia closed 2 years ago
After a few hours, it does not seem difficult to generalize the PBKDF2 implementation for other digest types. I will try to provide a PR.
PR is ready for review.
Closed as merged.
It seems this was mentioned in the last release of the 4.4 tree, 4.4.15.
But it has not been released in the current 4.5.x tree for a default server install; is this an oversight?
The template/config/config.ldif for 4.4.15 has this, as does 4.5.4, but it does not appear in a new 4.5.4 server under the cn=config backend, under cn=Password Storage Schemes,cn=config (a default server setup).
The root DSA "" of a new 4.5.4 server has supportedAuthSchemes only for PBKDF2, no PBKDF2-HMAC-SHA-(256/512) entries.
dn: cn=PBKDF2-HMAC-SHA256,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2-password-storage-scheme
objectClass: ds-cfg-pbkdf2-hmac-sha256-password-storage-scheme
cn: PBKDF2-HMAC-SHA256
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HmacSHA256PasswordStorageScheme
ds-cfg-enabled: true

dn: cn=PBKDF2-HMAC-SHA512,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2-password-storage-scheme
objectClass: ds-cfg-pbkdf2-hmac-sha512-password-storage-scheme
cn: PBKDF2-HMAC-SHA512
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HmacSHA512PasswordStorageScheme
ds-cfg-enabled: true
Is your feature request related to a problem? Please describe.
I need to import into an OpenDJ instance users from Django applications that store passwords in the PBKDF2-HMAC-SHA256 format, i.e.:

testing -> pbkdf2_sha256$15000$Pjun1TMGEQnM$lShdzU33covbDNiqGVDffdHh/86VaECJlaaNXchT0ew=

The value above is composed of <algorithm>$<iterations>$<ascii_salt>$base64(<digest>). With some jigglery I can convert it to {PBKDF2-HMAC-SHA256}<iterations>:base64(<digest><salt>), which is its standard representation used in LDAP projects:

{PBKDF2-HMAC-SHA256}15000:lShdzU33covbDNiqGVDffdHh/86VaECJlaaNXchT0exQanVuMVRNR0VRbk0=
Describe the solution you'd like
I need to add to OpenDJ the additional encryption scheme PBKDF2-HMAC-SHA256. It is essentially the same as PBKDF2, it just uses SHA256 as the hashing function instead of the older SHA1.

Additional context
This is already supported in Forgerock DS7 (https://backstage.forgerock.com/knowledge/kb/book/b99437584#M03kaX), together with the SHA512 variant.
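The conversion the issue describes, worked through as an added example (this is not code from the issue author or from the OpenDJ project): it parses the Django `pbkdf2_sha256$<iterations>$<salt>$base64(<digest>)` form, re-encodes it as `{PBKDF2-HMAC-SHA256}<iterations>:base64(<digest><salt>)`, and then verifies a password against the LDAP-side value by re-deriving the key. Because the LDAP blob carries no separator between digest and salt, the split depends on the digest length of the scheme's hash; that is the one place a conversion silently goes wrong if the scheme tag and hash are mismatched, so the parser checks it. The `pbkdf2_sha512` entry, the `make_django` helper (which reproduces the derivation Django's PBKDF2 hasher performs) and all function names are assumptions for this example only; the SHA-256 value is the one quoted above, and the round-trip password and salt are constructed inline.

```python
import base64
import hashlib
import hmac

# Django:  <algorithm>$<iterations>$<ascii_salt>$base64(<digest>)
# LDAP:    {SCHEME}<iterations>:base64(<digest><salt>)
# The LDAP blob has no separator between digest and salt, so splitting it
# relies on the digest length of the scheme's hash function.

# Django hasher id -> (LDAP scheme tag, hashlib name, digest length in bytes).
# Only pbkdf2_sha256 appears in the issue; the SHA-512 row mirrors the
# {PBKDF2-HMAC-SHA512} scheme the thread mentions and is an assumption here.
DJANGO_TO_LDAP = {
    "pbkdf2_sha256": ("{PBKDF2-HMAC-SHA256}", "sha256", 32),
    "pbkdf2_sha512": ("{PBKDF2-HMAC-SHA512}", "sha512", 64),
}
LDAP_SCHEMES = {tag: (name, dlen) for tag, name, dlen in DJANGO_TO_LDAP.values()}


def parse_django(encoded):
    """Split a Django PBKDF2 hash into (scheme_tag, hash_name, iterations, salt, digest)."""
    algorithm, iterations, salt, b64digest = encoded.split("$", 3)
    if algorithm not in DJANGO_TO_LDAP:
        raise ValueError("unsupported Django hasher: %s" % algorithm)
    tag, hash_name, dlen = DJANGO_TO_LDAP[algorithm]
    iterations = int(iterations)
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    digest = base64.b64decode(b64digest, validate=True)
    if len(digest) != dlen:
        raise ValueError("digest is %d bytes, expected %d" % (len(digest), dlen))
    # Django feeds the salt string's bytes to PBKDF2 verbatim; there is no decoding step.
    return tag, hash_name, iterations, salt.encode("ascii"), digest


def django_to_ldap(encoded):
    """Re-encode a Django hash as the {PBKDF2-HMAC-SHA*}<iterations>:base64(digest||salt) form."""
    tag, _, iterations, salt, digest = parse_django(encoded)
    return "%s%d:%s" % (tag, iterations, base64.b64encode(digest + salt).decode("ascii"))


def parse_ldap(stored):
    """Split an LDAP {PBKDF2-HMAC-SHA*} value into (hash_name, iterations, digest, salt)."""
    tag = stored[: stored.index("}") + 1]
    if tag not in LDAP_SCHEMES:
        raise ValueError("unsupported scheme tag: %s" % tag)
    hash_name, dlen = LDAP_SCHEMES[tag]
    iterations, b64blob = stored[len(tag):].split(":", 1)
    blob = base64.b64decode(b64blob, validate=True)
    if len(blob) <= dlen:
        raise ValueError("encoded value too short to hold a digest and a salt")
    return hash_name, int(iterations), blob[:dlen], blob[dlen:]


def verify_ldap(stored, password):
    """Re-derive the key from the LDAP-side value and compare it in constant time."""
    hash_name, iterations, digest, salt = parse_ldap(stored)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, len(digest))
    return hmac.compare_digest(candidate, digest)


def make_django(password, salt, iterations=15000, algorithm="pbkdf2_sha256"):
    """Produce a Django-style hash (assumed to match Django's PBKDF2 hasher: raw salt bytes, dklen = digest size)."""
    _, hash_name, dlen = DJANGO_TO_LDAP[algorithm]
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt.encode("ascii"), iterations, dlen)
    return "%s$%d$%s$%s" % (algorithm, iterations, salt, base64.b64encode(digest).decode("ascii"))


if __name__ == "__main__":
    # The Django value quoted in the issue, converted to its LDAP representation.
    django_value = "pbkdf2_sha256$15000$Pjun1TMGEQnM$lShdzU33covbDNiqGVDffdHh/86VaECJlaaNXchT0ew="
    print(django_to_ldap(django_value))
    # Constructed round trip: hash a known password, convert, then verify on the LDAP side.
    h = make_django("correct horse battery staple", "Pjun1TMGEQnM")
    print(verify_ldap(django_to_ldap(h), "correct horse battery staple"))  # True
    print(verify_ldap(django_to_ldap(h), "wrong"))  # False
```

When importing at scale, run `verify_ldap` on a sample of converted values with known test passwords before loading the LDIF: a wrong digest length or a salt that was base64-decoded instead of used raw yields a well-formed value that never matches, and OpenDJ will simply reject every login.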