Hi Kristen,
My apologies for failing to answer your concern regarding "while preserving the actual password".
The answer is, the current password should be preserved. Once you switch from one encryption algorithm to another (with the 'set password-storage' parameter) and restart the DSA, users should still be able to log in using the same password. The hash/encryption will only get changed when they reset their password.
NOTE: With the two parameters I have mentioned above, they should be able to reset the password to the *same* password value.
e.g. here is what I tested and it worked.
- For my uid=Hitesh the password was 'test'
- I dumped this entry (via the JXplorer LDAP browser) to an LDIF file and see 'userPassword: xxxxxxxxxx' (xxxxxxx is an example of SHA-1 encryption of 'test')
- I set up my DSA with 'set password-storage = SSHA-512' and restart.
- I am still able to log in with 'test' as the password using JXplorer.
- I click on the 'userPassword' attribute for this entry, enter the same password again as 'test' and save.
- I dumped this entry once again via JXplorer to an LDIF file to see what the encryption looks like now that I have SSHA-512 in place.
- It shows up as 'userPassword: yyyyyyyyy' (yyyyyyy is an example of SSHA-512 encryption of 'test')
- I restart the DSA and am still able to log in with 'test' as the password for the user 'uid=Hitesh'.
So in short:
- The current password is preserved.
- To change the encryption, users can reset their own password (even to the same current value).
- When this is done, the same clear text password value will get encrypted with the new algorithm that is in place and stored in the 'userPassword' attribute.
Hope this clears it up.
Cheers,
Hitesh
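As an added example (not from the post above and not CA Directory's own code), here is a Python script that audits an LDIF export like the JXplorer dump described in the post, reporting which entries still carry the old SHA-1 value and which have been rehashed with SSHA-512 after a reset, and that checks the clear-text password 'test' against both stored forms. The `{SHA}`/`{SSHA512}` prefixes, the digest-plus-salt layout, the DNs and the sample export are assumptions constructed for illustration, not the DSA's actual storage format.

```python
import base64
import hashlib
import re

def make_sha(password: bytes) -> str:
    """Unsalted SHA-1 as {SHA}base64(digest); the storage layout is assumed."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def make_ssha512(password: bytes, salt: bytes) -> str:
    """Salted SHA-512 as {SSHA512}base64(digest || salt); layout assumed."""
    digest = hashlib.sha512(password + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()

def verify(stored: str, password: bytes) -> bool:
    """Check a clear-text password against a stored value of either scheme."""
    m = re.fullmatch(r"\{(\w+)\}(\S+)", stored)
    if not m:
        return False
    try:
        scheme, blob = m.group(1).upper(), base64.b64decode(m.group(2), validate=True)
    except ValueError:  # malformed base64, including bad padding
        return False
    if scheme == "SHA":
        return hashlib.sha1(password).digest() == blob
    if scheme == "SSHA512":
        digest, salt = blob[:64], blob[64:]
        return hashlib.sha512(password + salt).digest() == digest
    return False  # unknown scheme: treat as no match

def audit_ldif(ldif: str) -> dict:
    """Map each dn to the scheme tag of its userPassword ('NONE' if absent)."""
    schemes, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            schemes[dn] = "NONE"
        elif line.startswith("userPassword:") and dn:
            value = line.split(":", 1)[1]
            if value.startswith(":"):  # LDIF '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            m = re.match(r"\{(\w+)\}", value.strip())
            schemes[dn] = m.group(1).upper() if m else "CLEARTEXT"
    return schemes

# Constructed sample export standing in for the JXplorer LDIF dump in the post.
SAMPLE_LDIF = "\n".join([
    "dn: uid=Hitesh,ou=people,o=example",
    "userPassword: " + make_sha(b"test"),  # still on the old SHA-1 hash
    "dn: uid=Kristen,ou=people,o=example",  # rehashed after a password reset
    "userPassword:: " + base64.b64encode(make_ssha512(b"test", b"saltsalt").encode()).decode(),
])
```

Running `audit_ldif` over a real export after the switch shows which accounts have not yet reset and therefore still sit on the old hash.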