OpenDJ: Using pre-encoded passwords

By default, OpenDJ hashes passwords so that the clear text versions are no longer available once the data has been imported. For example, you might find entries such as the following in exported LDIF.

dn: uid=bjensen,ou=People,dc=example,dc=com
...
userPassword: {SSHA}87Lko/hZ+ls8T+mdlBj+FjwQYkcR6ly6X5W3Xw==
...

It turns out that you can import LDIF with pre-encoded passwords directly into OpenDJ, at least in versions 2.4.3 and later. (Technically, this works only for supported password storage schemes, such as the SSHA scheme shown in braces in the example above. For the list of supported schemes, run encode-password -l.)

Sometimes, however, you want to update an existing password with a pre-encoded value. The OpenDJ default password policy does not let you do so.

$ cat /path/to/abarnes-pwd.ldif
dn: uid=abarnes,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

$ ldapmodify -p 1389 -D "cn=Directory Manager" \
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  User passwords may not be provided in pre-encoded form

You can change the default behavior by setting the advanced password policy property allow-pre-encoded-passwords to true with the dsconfig command.

$ dsconfig -p 4444 -h `hostname` \
 -D "cn=Directory Manager" -w password \
 set-password-policy-prop \
 --policy-name "Default Password Policy" \
 --set allow-pre-encoded-passwords:true -X -n
$ ldapmodify -p 1389 -D "cn=Directory Manager" \
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=abarnes,ou=people,dc=example,dc=com
$ ldapsearch -p 1389 \
 -D "uid=abarnes,ou=people,dc=example,dc=com" \
 -w password -b dc=example,dc=com \
 uid=abarnes userPassword
dn: uid=abarnes,ou=People,dc=example,dc=com
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

For more on password policy configuration, check out the draft admin guide chapter on the subject.

11 thoughts on “OpenDJ: Using pre-encoded passwords”

  1. Maybe I’m going about things the wrong way? Advice appreciated, but I am importing a couple of thousand users from an OpenLDAP installation to a new OpenDJ server. This will allow me to import the current user passwords without having to enforce a change for everybody.

    The user base is mainly students, and it is a bit like herding cats, so I wish to minimise change for them.

  2. Hello David,

    Before trying to import the OpenLDAP data into OpenDJ, make sure that the OpenLDAP schema definitions are also available in OpenDJ. Ludovic Poitou has written a script to convert OpenLDAP schema, http://ludopoitou.wordpress.com/2009/07/31/updated-schema-convert-py-script-for-opends/ to help with that step. The Admin Guide chapter on Schema might help once you’ve converted the OpenLDAP schema and are wondering what to do then, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-schema

    Although you don’t want all users to have to replace their passwords right away, you still probably want to set up a password policy that has them change passwords eventually, and then use acceptable passwords when they do. There’s a chapter in the Admin Guide about password policies, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-pwd-policy
    It’s possible to set up OpenDJ to send mail to active users, warning them for example about password expiration. That’s described towards the end of the chapter on account lockout, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-account-lockout

    Hope it helps. Regards,
    Mark

  3. Good day!
    Could you help me please: is there some way to bind a user by using a pre-encoded password? For example
    dn="displayname=antonius,ou=Users,ou=Public,dc=rlt,dc=ssoauth,dc=net"
    userPassword="{SHA}eyGEismvNb4N2y1rn8OFGTTbhCA="
    I’ve enabled the allow-pre-encoded-passwords flag and provided an identical userPassword attribute, but this solution doesn’t work for me. Are there some tricks, or is this ability deliberately not supported?
    Thanks in advance.

    1. Hi,

      Are you sure that the password policy that applies to the user entry has allow-pre-encoded-passwords:true ?

      I just tried with a recent build from trunk, 20130624122232Z, and the feature works fine for me:

      $ encode-password -c password -s SHA
      Encoded Password:  "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
      $ dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ cat new-user.ldif 
      dn: uid=demo,ou=People,dc=example,dc=com
      cn: demo
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      sn: demo
      uid: demo
      userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
      
      $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename new-user.ldif
      Processing ADD request for uid=demo,ou=People,dc=example,dc=com
      ADD operation successful for DN uid=demo,ou=People,dc=example,dc=com
      $ ldapsearch --port 1389 --bindDN uid=demo,ou=People,dc=example,dc=com --bindPassword password --baseDN dc=example,dc=com "(uid=demo)"
      dn: uid=demo,ou=People,dc=example,dc=com
      userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      uid: demo
      cn: demo
      sn: demo
      
      
      1. If we make a little change
        $ ldapsearch --port 1389 --bindDN uid=demo,ou=People,dc=example,dc=com --bindPassword {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= --baseDN dc=example,dc=com "(uid=demo)"
        Will it work too?
        I need to bind my user by using the encoded password version.

  4. Hi,

    OpenDJ is going to see the encoding scheme, {SHA}, on the stored password and use it to encode what you send it as the password before comparing the encoded value with the value of userPassword.

    Regards,
    Mark

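The following is an added example, not code from the original post or from OpenDJ itself. It illustrates two points made on this page: the post's note that pre-encoded values carry their storage scheme in braces, and Mark's explanation above that on a bind the server re-encodes the clear-text password it receives under the stored value's scheme and then compares, which is why supplying the hash string itself as the bind password cannot succeed. The script assumes the standard layouts {SHA} = base64(SHA-1(password)) and {SSHA} = base64(SHA-1(password + salt) + salt) with an 8-byte salt appended after the digest, and uses the {SHA} value from Mark's session as a test vector (it is SHA-1 of "password"). The scan_ldif function and the LDIF it is run on are constructed for this example as a pre-migration check of which userPassword values carry a supported scheme tag.

```python
"""Added example (not from the post or the OpenDJ project): how a {SHA} or
{SSHA} userPassword value is checked against a clear-text password, plus a
scan of LDIF for scheme tags before importing pre-encoded passwords.

Assumed layouts (standard for these schemes):
  {SHA}  = base64(sha1(password))
  {SSHA} = base64(sha1(password + salt) + salt)   # salt follows the digest
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")
SHA1_LEN = 20
SSHA_SALT_LEN = 8  # assumption: OpenDJ's salted SHA-1 scheme uses an 8-byte salt

# Values taken from the page: Mark's {SHA} vector and the post's {SSHA} vector.
PAGE_SHA = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
PAGE_SSHA = "{SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA=="


def parse_scheme(value):
    """Split '{SCHEME}payload' into (scheme, payload); (None, value) if untagged."""
    m = SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def encode_sha(password):
    """Unsalted SHA-1, the {SHA} scheme."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password, salt=None):
    """Salted SHA-1, the {SSHA} scheme; a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SSHA_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Return (digest, salt) from a stored {SSHA} value."""
    scheme, payload = parse_scheme(stored)
    if scheme != "SSHA":
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(payload)
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify(password, stored):
    """Re-encode the clear-text password under the stored value's scheme and
    compare in constant time, which is what the server does on a bind."""
    scheme, payload = parse_scheme(stored)
    if scheme == "SHA":
        raw = base64.b64decode(payload)
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    if scheme == "SSHA":
        digest, salt = ssha_parts(stored)
        if len(digest) != SHA1_LEN or not salt:
            return False
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported scheme: %r" % scheme)


def _check(dn, value, supported):
    scheme, payload = parse_scheme(value)
    ok = scheme in supported
    if ok:
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            ok = False
    return (dn, scheme, ok)


def scan_ldif(ldif_text, supported=("SHA", "SSHA")):
    """Return (dn, scheme, ok) for each entry carrying a userPassword, where ok
    means the value is tagged with a scheme in `supported` and its payload is
    well-formed base64. Handles both 'attr: value' and base64-wrapped 'attr:: value'."""
    results, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):
            value = base64.b64decode(line[15:].strip()).decode("utf-8")
            results.append(_check(dn, value, supported))
        elif line.startswith("userPassword: "):
            results.append(_check(dn, line[14:].strip(), supported))
    return results


if __name__ == "__main__":
    print(encode_sha("password"), "==", PAGE_SHA)
    # The post's ldapsearch binds as abarnes with -w password against this value.
    print("page SSHA value verifies with 'password':", verify("password", PAGE_SSHA))
    print("hash string used as the password:", verify(PAGE_SHA, PAGE_SHA))
```

The last line of the main block is the situation asked about in the comment above: feeding the {SHA} string itself as the bind password makes the server hash that string, so it never matches the stored digest. The scan is the kind of check worth running over an OpenLDAP export before import, since only values whose scheme tag OpenDJ supports will be accepted as pre-encoded.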