5.8. Checking Passwords
By default, Directory Server uses the userPassword attribute to store the credentials for an entry. The server encodes the password using the scheme specified in the nsslapd-rootpwstoragescheme attribute for the Directory Manager or the passwordStorageScheme attribute for other users. These attributes are defined in the cn=config entry contained in the dse.ldif file. The scheme can be any of the following:

CLEAR — No encryption is used. Can be defined using the clear-password-storage-scheme plug-in.
CRYPT — Uses the Unix crypt algorithm. Can be defined using the crypt-password-storage-scheme plug-in.
SHA, SHA256, SHA384, SHA512 — Uses the Secure Hashing Algorithm. Can be defined using the sha-password-storage-scheme plug-in. SHA is SHA-1, which is 140 bits. For the others, the number indicates the number of bits used by the hash.
SSHA, SSHA256, SSHA384, SSHA512 — Uses the Salted Secure Hashing Algorithm. Can be defined using the ssha-password-storage-scheme plug-in. SSHA is SSHA-1, which is 140 bits, including the salt. For the others, the number indicates the number of bits used by the hash, including the salt.
To determine if a given password is one of the values of the userPassword attribute, call the slapi_pw_find_sv() function. This function determines which password scheme was used to store the password and uses the appropriate comparison function to compare a given value against the encrypted values of the userPassword attribute.
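The following Python is an added illustration, not code from the Directory Server plug-in API: it reimplements the logic slapi_pw_find_sv() is described as performing, reading the scheme tag of each stored userPassword value and comparing the candidate with that scheme's digest. It assumes the conventional LDAP layout "{SCHEME}" followed by base64(hash || salt) with an 8-byte salt, and leaves out CRYPT, which depends on the platform crypt(3).

```python
import base64
import hashlib
import hmac
import os

# Digest behind each scheme tag and whether it is salted. CRYPT is
# omitted here because it depends on the platform crypt(3).
_SCHEMES = {
    "SHA": ("sha1", False), "SHA256": ("sha256", False),
    "SHA384": ("sha384", False), "SHA512": ("sha512", False),
    "SSHA": ("sha1", True), "SSHA256": ("sha256", True),
    "SSHA384": ("sha384", True), "SSHA512": ("sha512", True),
}

def encode_password(password, scheme, salt=None):
    """Build a userPassword value. Assumed (conventional LDAP) layout:
    "{SCHEME}" + base64(digest(password || salt) || salt)."""
    if scheme == "CLEAR":
        return "{CLEAR}" + password
    algo, salted = _SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def password_matches(password, stored):
    """Check one stored value: read its scheme tag, recover the salt from
    the decoded blob, then compare digests in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, blob = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(blob.encode("utf-8"), password.encode("utf-8"))
    if scheme not in _SCHEMES:
        return False  # unknown or unsupported scheme: never matches
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(blob)
    size = hashlib.new(algo).digest_size
    if len(raw) < size:
        return False  # truncated or corrupt stored value
    salt = raw[size:] if salted else b""
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, raw[:size])

def find_password(password, values):
    """What slapi_pw_find_sv() does in the server: true if the candidate
    matches any of the entry's userPassword values."""
    return any(password_matches(password, v) for v in values)
```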