Symantec Access Management

  • 1.  Bcrypt algorithm

    Posted Jul 25, 2017 05:18 PM

    Hi There,

    I want to migrate a few users from a different vendor's LDAP server to CA LDAP 12.x server. I can migrate all the other user profile attributes such as first name, last name, cn, email, etc., but the only challenge I see is the password, which is stored with the bcrypt algorithm in that vendor's LDAP server. Now my question is: does CA LDAP server support this bcrypt algorithm, since we use the sha1 algorithm at CA LDAP server? Please advise.



  • 2.  Re: Bcrypt algorithm

    Posted Jul 25, 2017 10:08 PM

    Moved this to CA Directory forum.



  • 3.  Re: Bcrypt algorithm

    Broadcom Employee
    Posted Jul 26, 2017 09:21 AM

    Hello,

    By 12.x, if you meant CA Directory 12.0, the answer is no. That version does not support the bcrypt password hash algorithm.

    By 12.x, if you meant CA Directory 12.5 and/or 12.6, the answer is yes. Along with bcrypt, it also supports crypt, scrypt and pbkdf2. See more at our online documentation (docops) at:

    set password-storage Command - CA Directory - 12.6 - CA Technologies Documentation


    Hope this helps.


    Thanks,

    Hitesh



  • 4.  Re: Bcrypt algorithm

    Posted Jul 26, 2017 02:05 PM

    Thanks Hitesh. Currently in our directory we have enabled sha1/sha2. Let's say we import a user profile with a bcrypt password; then there won't be any issue? Eventually this user will be authenticated with a SiteMinder-integrated application.

    Can we have two algorithms enabled on the directory?


    Thanks



  • 5.  Re: Bcrypt algorithm
    Best Answer

    Broadcom Employee
    Posted Jul 26, 2017 02:14 PM

    Hi Sharathbabu,

    Unfortunately the answer is no. CA Directory only supports one password hash algorithm at a time. But again, there should be no problem with what you are trying to do if you are using CA Directory 12.5 or 12.6, as those versions will accept passwords in bcrypt format even though you might have 'set password-storage = sha-1;' or 'set password-storage = ssha-512;'.

    BTW, CA LDAP is not CA Directory. These are two different products. Just so we are on the same page.

    In short, what you might want to do is:


    - Define 'set password-storage = bcrypt;' first in your DSA config file.

    - Load the data coming from 3rd party LDAP.

    - Start your DSA.

    - From here on, whenever the SiteMinder-integrated application sends in a user authentication request (including any password reset/change), it will use the bcrypt algorithm at the CA Directory layer.


    Hope this helps.


    Thanks,

    Hitesh



  • 6.  Re: Bcrypt algorithm

    Posted Jul 31, 2017 07:53 PM

    Just to clarify: CA Directory can support multiple algorithms with respect to authentication; it can only support a single algorithm with respect to storage.


    For authentication, the algorithm used is chosen using the stored hash prefix:
    {SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00=
    {SHA512}m3HSJL1i83hdltRq0+o9czGb+8KJDKra4t/3JRlnPKcjI8PZm6XBHXx6zG4UuMXaDEZjR1wuXDre9G9zvN7AQw==
    When passwords are added or updated, the password-storage method is used. This allows for a gradual migration of passwords should a stronger algorithm be configured.
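The behaviour described in this reply (authentication dispatches on the stored hash prefix, while writes use the single configured storage scheme) and the migration workflow from reply 5 (import the third-party hashes, set a stronger password-storage, let later changes re-hash), modelled as an added Python example. This is not CA Directory code and not part of the thread: the directory is a constructed in-memory dict, the function names are hypothetical, and SHA-512 stands in for bcrypt as the "stronger configured scheme" because the Python standard library has no bcrypt (a real bcrypt verifier would just be one more entry in the dispatch table). The two hash values from the reply above are reused as sample data; both are digests of the string "hello".

```python
import base64
import hashlib
import hmac

# Storage scheme for new and changed passwords, modelling
# 'set password-storage = ...' in the DSA config. SHA512 stands in for
# bcrypt here (assumption: stdlib has no bcrypt; the pattern is the same).
STORAGE_SCHEME = "SHA512"

# Unsalted digest schemes the verifier understands (hypothetical subset).
_DIGESTS = {
    "SHA": hashlib.sha1,
    "SHA512": hashlib.sha512,
}


def parse_userpassword(stored):
    """Split '{SCHEME}base64' into (scheme, raw digest bytes).
    Values without a known prefix are rejected, never guessed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme prefix on stored password")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme %r" % scheme)
    return scheme, base64.b64decode(b64, validate=True)


def hash_password(password, scheme=STORAGE_SCHEME):
    """Hash under the configured storage scheme with an LDAP-style prefix."""
    digest = _DIGESTS[scheme](password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def verify(stored, password):
    """Authentication: the algorithm comes from the stored prefix, not from
    STORAGE_SCHEME, so imported legacy hashes keep working after the
    storage scheme is changed."""
    try:
        scheme, expected = parse_userpassword(stored)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = _DIGESTS[scheme](password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def change_password(directory, uid, old_password, new_password):
    """Password change: check the old value under its own prefix, then
    re-store under STORAGE_SCHEME. This is the step that migrates an entry."""
    entry = directory[uid]
    if not verify(entry["userPassword"], old_password):
        return False
    entry["userPassword"] = hash_password(new_password)
    return True


def migration_report(directory):
    """Count entries per scheme so an admin can watch the migration progress."""
    counts = {}
    for entry in directory.values():
        scheme = entry["userPassword"][1:].partition("}")[0].upper()
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


# Constructed sample directory: alice was imported with a legacy {SHA}
# value (the one shown in the reply), bob was created after the storage
# scheme was switched to SHA512.
SAMPLE_DIRECTORY = {
    "alice": {"userPassword": "{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="},
    "bob": {"userPassword": hash_password("hello")},
}

if __name__ == "__main__":
    d = {uid: dict(attrs) for uid, attrs in SAMPLE_DIRECTORY.items()}
    print(migration_report(d))                          # {'SHA': 1, 'SHA512': 1}
    print(verify(d["alice"]["userPassword"], "hello"))  # True via the {SHA} prefix
    change_password(d, "alice", "hello", "new-secret")  # re-hashed under SHA512
    print(migration_report(d))                          # {'SHA512': 2}
```

The report function is the piece worth keeping around in practice: after the storage scheme is raised, the count of entries still carrying the old prefix tells you how many accounts have not yet rotated, which is the population still relying on the weaker hash.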