I would like to know if there are any approaches to convert a password to a different hashing algorithm while preserving the actual password.
Does anyone have an answer here?
If CA's own Hitesh Patel can't answer this, no one can. You might try alerting him to the thread.
Thanks, Josh! I will reach out to Hitesh_Patel.
The default encryption algorithm used by CA Directory when storing a password value within the 'userPassword' attribute is 'SHA-1'. If you prefer to change to something else (e.g. SHA-512), you need to activate the CA Directory Password Policy and define at least the following parameters:
set password-policy = true; # This enables PP on DSA.
set password-storage = sha-512; # sets password encryption algorithm.
Once done, you need to restart your CA Directory DSA in question for this value to be effective.
This will still preserve the actual hash that was generated with SHA-1 (original value) when a user tries to log in, and they should be able to log in successfully. The hash will change to 'SHA-512' when a user "changes" their password. Until a password change is made, the old 'SHA-1' encryption will stay effective.
You can also run the 'dxpassword --help' command at the system prompt where you have CA Directory running to see usage and what other hash algorithms are supported by the CA Directory DSA.
Hope this helps.
My apologies for not answering your concern regarding "while preserving the actual password".
The answer is, the current password should be preserved. Once you switch from one encryption algorithm to another (with the 'set password-storage' parameter) and restart the DSA, users should still be able to log in using the same password. The hash/encryption will only get changed when they reset their password.
NOTE: With the two parameters I have mentioned above, they should be able to reset the password to the *same* password value.
e.g. here is what I tested and it worked.
- For my uid=Hitesh the password was 'test'.
- I dumped this entry (via the JXplorer LDAP browser) to an LDIF file and saw 'userPassword: xxxxxxxxxx' (xxxxxxx is an example of SHA-1 encryption of 'test').
- I set up my DSA with 'set password-storage = SSHA-512' and restarted.
- I was still able to log in with 'test' as the password using JXplorer.
- I clicked on the 'userPassword' attribute for this entry, entered the same password again as 'test' and saved.
- I dumped this entry once again via JXplorer to an LDIF file to see what the encryption looked like when I had SSHA-512 in place.
- It showed up as 'userPassword: yyyyyyyyy' (yyyyyyy is an example of SSHA-512 encryption of 'test').
- I restarted the DSA and was still able to log in with 'test' as the password for 'uid=Hitesh' as the user.
So in short:
- The current password is preserved.
- To change the encryption, users can reset their own password (even to the same current value).
- When this is done, the same clear text password value will get encrypted with the new algorithm that is in place and stored in the 'userPassword' attribute.
Hope this clears it up.
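As an added illustration of the behaviour described in the two answers above (this is not code from the thread or from CA Directory), the toy model below assumes RFC 2307-style `{SHA}` / `{SSHA512}` userPassword encodings and a two-value 'password-storage' switch; it shows why an existing SHA-1 hash still verifies after the switch, that only a password change (even to the same value) rewrites the hash, and a check for which entries are still on the legacy hash.

```python
import base64
import hashlib
import hmac
import os
# Assumed RFC 2307-style userPassword encodings. The thread does not show CA
# Directory's real on-disk format, so these prefixes are an illustration only.
LEGACY_SCHEME = "{SHA}"     # unsalted SHA-1, the thread's legacy default
NEW_SCHEME = "{SSHA512}"    # salted SHA-512, the thread's new password-storage
def hash_sha1(password: str) -> str:
    return LEGACY_SCHEME + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def hash_ssha512(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return NEW_SCHEME + base64.b64encode(digest + salt).decode()

ENCODERS = {"sha-1": hash_sha1, "ssha-512": hash_ssha512}  # 'set password-storage' -> encoder

def verify(stored: str, password: str) -> bool:
    if stored.startswith(LEGACY_SCHEME):
        expected = base64.b64decode(stored[len(LEGACY_SCHEME):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), expected)
    if stored.startswith(NEW_SCHEME):
        blob = base64.b64decode(stored[len(NEW_SCHEME):])
        digest, salt = blob[:64], blob[64:]
        return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)
    return False

class Dsa:  # toy stand-in for a DSA: userPassword values plus the active storage scheme
    def __init__(self, password_storage: str):
        self.password_storage = password_storage
        self.entries = {}

    def store(self, uid: str, password: str) -> None:
        self.entries[uid] = ENCODERS[self.password_storage](password)

    def bind(self, uid: str, password: str) -> bool:
        return verify(self.entries.get(uid, ""), password)

    def change_password(self, uid: str, old: str, new: str) -> bool:
        # The hash is rewritten only on a password change, as the thread describes.
        if not self.bind(uid, old):
            return False
        self.store(uid, new)
        return True

    def legacy_entries(self) -> list:
        # Migration check: which users still carry a SHA-1 hash after the switch?
        return [u for u, h in self.entries.items() if h.startswith(LEGACY_SCHEME)]
```

The `legacy_entries` report is the piece a practitioner would want after flipping the setting: until those users reset their password, their entries keep the unsalted SHA-1 value.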