Hi There,
I want to migrate few users from a different vendor LDAP server to CA LDAP 12.x server. I can migrate all the other user profile attributes such as firstname,lastname, cn, emailed and etc but only the challenge I see is password which is stored with bcrypt algorithm in that vendor LDAP server. Now my question is does CA LDAP server support this bcrypt algorithm, since we use sha1 algorithm at CA LDAP server. Please advice
Hello,
By 12.x if you meant CA Directory 12.0, the answer is no. That version does not support bcrypt password hash algorithm.
By 12.x if you meant CA Directory 12.5 and/or 12.6, the answer is yes. Along with bcrypt, it also supports crypt, scrypt and pbkdf2 as well. See more at our online documentation (docops) at:
set password-storage Command - CA Directory - 12.6 - CA Technologies Documentation
Hope this helps.
Thanks,
Hitesh
Thanks Hitesh. Currently in our directory we enabled to use sha1/sha2,Let say we import a user profile with the password bcrypt then it wont be any issue? Eventually this user will be authenticated with siteminder integrated application.
Can we have two algorithms enabled on the directory?
Thanks
Hi Sharathbabu,
Unfortunately the answer is no. CA Directory only supports one password hash algorithm at a time. But again, there should be no problem with what you are trying to do if using CA Directory 12.5 or 12.6 as those versions will accept password in bcrypt format even though you might have 'set password-storage = sha-1;' or 'set password-storage = ssha-512;'.
BTW, CA LDAP is not CA Directory. These are two different products. Just so we are on the same page.
In short, what you might wan to do is:
- Define 'set password-storage = bcrypt;' first in your DSA config file.
- Load the data coming from 3rd party LDAP.
- Start your DSA.
- From here on, whenever SiteMinder integrated application send in a user authentication request (including any password reset/change), it will use bcrypt algorithm at CA Directory layer.
Hope this helps.
Thanks,
Hitesh
Just to clarify, CA Directory can support multiple algorithms with respect to authentication, it can only support a single algorithm with respect to storage.
For authentication, the algorithm used is chosen using the stored hash prefix:
{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00=
{SHA512}m3HSJL1i83hdltRq0+o9czGb+8KJDKra4t/3JRlnPKcjI8PZm6XBHXx6zG4UuMXaDEZjR1wuXDre9G9zvN7AQw==
When passwords are added or updated the password-storage method is use. This allows for a gradual migration of passwords should a stronger algorithm be configured.
Hi Sharathbabu,
Unfortunately the answer is no. CA Directory only supports one password hash algorithm at a time. But again, there should be no problem with what you are trying to do if using CA Directory 12.5 or 12.6 as those versions will accept password in bcrypt format even though you might have 'set password-storage = sha-1;' or 'set password-storage = ssha-512;'.
BTW, CA LDAP is not CA Directory. These are two different products. Just so we are on the same page.
In short, what you might wan to do is:
- Define 'set password-storage = bcrypt;' first in your DSA config file.
- Load the data coming from 3rd party LDAP.
- Start your DSA.
- From here on, whenever SiteMinder integrated application send in a user authentication request (including any password reset/change), it will use bcrypt algorithm at CA Directory layer.
Hope this helps.
Thanks,
Hitesh