OpenDJ: Using pre-encoded passwords

By default, OpenDJ hashes passwords, so the clear-text versions are no longer available after the data has been imported. For example, you might find entries such as the following in exported LDIF.

dn: uid=bjensen,ou=People,dc=example,dc=com
...
userPassword: {SSHA}87Lko/hZ+ls8T+mdlBj+FjwQYkcR6ly6X5W3Xw==
...

It turns out that you can import LDIF with pre-encoded passwords directly into OpenDJ, at least in versions 2.4.3 and later. (Technically, this works for supported algorithms, such as SSHA, shown in braces in the example above. For a list of supported password storage schemes, run encode-password -l.)

Sometimes, however, you want to update a password with a pre-encoded value, and the default OpenDJ password policy does not let you do so.

$ cat /path/to/abarnes-pwd.ldif
dn: uid=abarnes,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

$ ldapmodify -p 1389 -D "cn=Directory Manager" \
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for
 uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  User passwords may
 not be provided in pre-encoded form

You can change the default behavior by setting the advanced password policy property allow-pre-encoded-passwords with the dsconfig command.

$ dsconfig -p 4444 -h `hostname` \
 -D "cn=Directory Manager" -w password \
 set-password-policy-prop \
 --policy-name "Default Password Policy" \
 --set allow-pre-encoded-passwords:true -X -n
$ ldapmodify -p 1389 -D "cn=Directory Manager" \
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for
 uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation successful for DN
 uid=abarnes,ou=people,dc=example,dc=com
$ ldapsearch -p 1389 \
 -D "uid=abarnes,ou=people,dc=example,dc=com" \
 -w password -b dc=example,dc=com \
 uid=abarnes userPassword
dn: uid=abarnes,ou=People,dc=example,dc=com
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==
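
How a {SSHA} value like the ones above is put together and checked, as an added Python example that is not part of the original post or of OpenDJ's own code. It assumes the usual salted SHA-1 layout, base64(SHA-1(password + salt) + salt); the function names, the 8-byte salt default and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def encode_ssha(password, salt=None):
    """Return '{SSHA}' + base64(SHA-1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8-byte random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value):
    """Split a {SSHA} value into (digest, salt); ValueError if malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("missing {SSHA} scheme prefix")
    try:
        raw = base64.b64decode(value[len(PREFIX):], validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("payload is not valid base64") from exc
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the 20-byte digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password, value):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def modify_ldif(dn, value):
    """Build the replace-userPassword LDIF, refusing malformed values."""
    split_ssha(value)
    return ("dn: %s\nchangetype: modify\n"
            "replace: userPassword\nuserPassword: %s\n" % (dn, value))


if __name__ == "__main__":
    # Constructed sample password; the DN is the one used on this page.
    value = encode_ssha("Constructed-Sample-1")
    print(modify_ldif("uid=abarnes,ou=people,dc=example,dc=com", value))
```

Once allow-pre-encoded-passwords is true, the server stores the value as given and cannot apply password validators to it, so a format check like split_ssha has to run before the LDIF is sent.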

For more on password policy configuration, check out the draft admin guide chapter on the subject.