Symantec Access Management

  • 1.  CA Directory password migration issue - SSHA with 128 bits SALT

    Posted Jan 26, 2018 11:11 AM

    Hello,

     

    This is regarding CA Directory version 12.5.0 Build 12858.

     

    We are migrating our current LDAP infrastructure to CA Directory and are experiencing issues migrating users with a hashed password using SSHA-1 with 128 bits.

     

    Migrated user accounts with a hashed password using SSHA-512 with 64 bits SALT or SSHA-1 with 64 bits SALT are able to bind successfully to the CA Directory LDAP.

     

    However, migrated user accounts with hashed password using SSHA-1 with 128 bits SALT are unable to bind and get "LDAP error code 49 -Invalid Credentials". It seems like CA Directory LDAP is not compatible with SSHA-1 passwords using SALT longer than 64 bits.

     

    Can you confirm if CA Directory version 12.5.0 Build 12858 has a limitation with an SSHA-1 password with SALT longer than 64 bits?

     

    Thanks for your help,

     

    David



  • 2.  Re: CA Directory password migration issue - SSHA with 128 bits SALT

    Posted Jan 29, 2018 10:26 AM

    I've generated many SSHA passwords with different SALT lengths and here are my results:

     

      64 Bits SALT -> BIND successful

      72 Bits SALT -> BIND successful

      80 Bits SALT -> BIND successful

      88 Bits SALT -> BIND failed

      96 Bits SALT -> BIND failed

    104 Bits SALT -> BIND failed

     

    Note: We are able to use these passwords on our old LDAP infrastructure and the BINDs are always successful. The BIND issue is only present in our CA Directory environment.
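The following is an added example, not part of the original posts and not CA Directory code: a pre-migration audit that decodes `{SSHA}` `userPassword` values, reports each salt length, and lists accounts whose salt exceeds the largest size that bound successfully in the test above. It assumes the common `{SSHA}` layout of base64(SHA-1(password + salt) + salt); the 80-bit threshold is taken from the results in this thread, not from a documented product limit, and the DNs, password and salts are constructed sample data.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is salt

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def parse_ssha(value: str):
    """Split an {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not value.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def salt_bits(value: str) -> int:
    return len(parse_ssha(value)[1]) * 8

def verify(value: str, password: bytes) -> bool:
    """Recompute the hash with the stored salt, as an LDAP simple bind would."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit(entries, max_bits=80):
    """Map DN -> salt bits for entries above max_bits (assumed threshold)."""
    flagged = {}
    for dn, value in entries:
        try:
            bits = salt_bits(value)
        except ValueError:
            continue  # other schemes (e.g. {SSHA512}) are out of scope here
        if bits > max_bits:
            flagged[dn] = bits
    return flagged

def sample_entries():
    """Constructed (dn, userPassword) pairs with 64/80/88/128-bit salts."""
    return [(f"uid=user{n * 8},ou=people,dc=example,dc=com",
             make_ssha(b"Passw0rd!", bytes(range(n)))) for n in (8, 10, 11, 16)]

if __name__ == "__main__":
    for dn, bits in audit(sample_entries()).items():
        print(f"{dn}: {bits}-bit salt, re-test bind after migration")
```

In practice the `(dn, userPassword)` pairs would come from an LDIF export of the source directory; accounts the audit flags can be test-bound in a staging instance before cutover.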



  • 3.  Re: CA Directory password migration issue - SSHA with 128 bits SALT
    Best Answer

    Broadcom Employee
    Posted Jan 31, 2018 12:02 PM

    Duplicate support cases - 00950481, 00950510, 00950596 - opened for this today.