26.2 Understanding Non-Reversible Password Storage

Universal Passwords are stored in eDirectory in encrypted (reversible) form, so eDirectory can retrieve the clear-text password whenever it is required, for example at the time of authentication.

As an alternative to Universal Password, eDirectory 9.2 supports storing password hashes produced by the Password Based Key Derivation Function 2 (PBKDF2) algorithm (RFC 2898). If the PBKDF2 hash of the password is enabled, the user's clear-text password cannot be retrieved. For more information, see Universal Password Configuration Options.

IMPORTANT: From eDirectory 9.2 onwards, if Universal Password is disabled in a password policy, the PBKDF2 hash of the password is enabled automatically. Existing password policies with Universal Password disabled are not enforced on users before the upgrade to eDirectory 9.2. Once you upgrade a server to eDirectory 9.2, these password policies are enforced automatically on all users in the tree. If you want to avoid this, remove all assignments of such password policies before upgrading.

If you are switching to PBKDF2 passwords from NDS passwords, you must also switch to the SCRAM login method manually. For more information on SCRAM login method, see Password Authentication.

NOTE:

  • Passwords created using the PBKDF2 hashing algorithm are case-sensitive, unlike NDS passwords, which are case-insensitive.

  • Passwords created with the PBKDF2 hashing algorithm do not support the nspmXCharHistoryLimit and nspmXCharLimit rules in the password policy.

  • By default, PBKDF2 is configured to use SHA-256. It can also be configured to use SHA-384 or SHA-512 through the nspmPBKDF2HashAlgorithm attribute. Set this attribute to one of the following values, written exactly as shown:

    • sha256

    • sha384

    • sha512

  • By default, PBKDF2 is configured to use an iteration count of 1. The iteration count can be increased using the nspmPBKDF2IterationCount attribute. Increasing the iteration count makes each hash computation more expensive, so LDAP bind performance degrades accordingly.

  • The SCRAM login method does not support appending an OTP to the password. If there are users in the tree who use the NDS login method with hash-based OTP (HOTP), do not authorize the use of the SCRAM login method for such users.
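The following is an added illustration, not eDirectory's own code or its on-disk format: it shows what the notes above mean in practice for PBKDF2-based storage, namely that the hash algorithm (the same three values the nspmPBKDF2HashAlgorithm attribute accepts) and the iteration count (the trade-off the nspmPBKDF2IterationCount note describes) are parameters of the derivation, that verification recomputes the hash rather than decrypting anything, and that passwords become case-sensitive because they are hashed as bytes. The record format `pbkdf2-<alg>$<iterations>$<salt>$<hash>`, the function names and the benchmark helper are assumptions made for this example.

```python
"""PBKDF2 password storage and verification (added example, not eDirectory code).

Assumptions for illustration: the record format and function names below are
invented here; eDirectory's actual storage format is not shown on the page.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# The three values the page lists for nspmPBKDF2HashAlgorithm; SHA-256 is the default.
ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")


def derive_key(password: str, salt: bytes, algorithm: str = "sha256",
               iterations: int = 1) -> bytes:
    """Raw PBKDF2-HMAC derivation (RFC 2898); output length equals the digest size."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    dklen = hashlib.new(algorithm).digest_size
    # The password is hashed as UTF-8 bytes, so "Secret" and "secret" hash differently.
    return hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt,
                               iterations, dklen)


def hash_password(password: str, algorithm: str = "sha256",
                  iterations: int = 1, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2-<alg>$<iterations>$<salt hex>$<hash hex>.

    Keeping the parameters beside the hash lets verification keep working for
    records written before the configured algorithm or iteration count changed.
    """
    if salt is None:
        salt = os.urandom(16)  # per-user random salt
    dk = derive_key(password, salt, algorithm, iterations)
    return f"pbkdf2-{algorithm}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time.

    Nothing here can recover the original password from the stored record;
    that is the non-reversible property the page describes.
    """
    try:
        scheme, iterations_text, salt_hex, dk_hex = stored.split("$")
        if not scheme.startswith("pbkdf2-"):
            return False
        algorithm = scheme[len("pbkdf2-"):]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: never raise from a login path
    if algorithm not in ALLOWED_ALGORITHMS or iterations < 1:
        return False
    actual = derive_key(candidate, salt, algorithm, iterations)
    return hmac.compare_digest(actual, expected)


def bind_cost_seconds(iterations: int, algorithm: str = "sha256") -> float:
    """Approximate the per-bind verification cost for a given iteration count.

    Every LDAP bind against a PBKDF2 record pays this cost once, which is why
    raising the iteration count degrades bind performance.
    """
    salt = b"constructed-salt"  # constructed value for the benchmark only
    start = time.perf_counter()
    derive_key("benchmark-password", salt, algorithm, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("Secret123", algorithm="sha256", iterations=1)
    print(record)
    print("correct password:", verify_password("Secret123", record))
    print("case changed    :", verify_password("secret123", record))
    for count in (1, 1000, 100000):
        print(f"iterations={count:>7}: {bind_cost_seconds(count) * 1000:.2f} ms per bind")
```

Running the module prints one record, shows that the same password with a different letter case fails verification, and lists the measured cost of a single verification for three iteration counts, so an administrator can see what a chosen nspmPBKDF2IterationCount value would add to each bind on that hardware.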

26.2.1 Enabling Non-Reversible Password Storage

  1. Start NetIQ iManager.

  2. Click Roles and Tasks > Passwords > Password Policies.

  3. Start the Password Policy Wizard by clicking New.

  4. Provide a name for the policy and click Next.

  5. Select No to enable PBKDF2 hash of password.

  6. Complete the Password Policy Wizard.