PBKDF2 password encryption algorithm limitations
Known limitations exist with PBKDF2 password encryption.
- Replication and distributed directory (Proxy LDAP server) support
- If you want to use PBKDF2 in a replicated or distributed directory environment, all the servers must be updated to use the same configuration. See Configuring PBKDF2 password encryption with Security Verify Directory. If you do not update the configuration, passwords will behave inconsistently across the LDAP servers in the topology.
- Passwords with special characters
- Passwords with special characters must be passed as parameters with single quotes around them. For example:
  idsldapsearch -p 389 -D cn=user1,o=sample -w 'Passw0Rd$678' -b o=sample -s sub objectclass=*
  This limitation is applicable to all supported older algorithms.
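As an added example (not from this IBM documentation), the following POSIX shell snippet shows what the shell does to Passw0Rd$678 under double quotes versus single quotes, and adds a helper for a case the page does not cover: a password that itself contains a single quote. The function ldap_client_sees is a hypothetical stand-in for the client's -w argument handling, not an IBM command.

```shell
#!/bin/sh
# Added example; not part of the IBM documentation. Shows why a password
# such as Passw0Rd$678 must be single-quoted on the idsldapsearch command
# line, and how to single-quote a password that contains a single quote.

# Hypothetical stand-in for the LDAP client's -w handling: returns the
# password exactly as the client received it from the shell.
ldap_client_sees() {
    printf '%s' "$1"
}

# Double-quoted: the shell expands "$6" (positional parameter 6, normally
# empty), so the client receives a mangled password, not Passw0Rd$678.
double_quoted_example() {
    ldap_client_sees "Passw0Rd$678"
}

# Single-quoted: no expansion takes place; the client receives it verbatim.
single_quoted_example() {
    ldap_client_sees 'Passw0Rd$678'
}

# Produces a single-quoted form of $1 that is safe on a shell command line.
# A single quote cannot appear inside single quotes, so each one is written
# as '\'' (close the quotes, add an escaped quote, reopen the quotes).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Simulates typing "idsldapsearch ... -w <quoted password>" by letting the
# shell parse the quoted form, then returns what the client received.
roundtrip_through_shell() {
    eval "ldap_client_sees $(shell_quote "$1")"
}
```

Run `roundtrip_through_shell` on the real password before scripting an idsldapsearch call to confirm that the quoted form reaches the client unchanged.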
- Changing from PBKDF2-SHA* to AES256 or any other AES encryption method
- If ibm-slapdUseNonFIPSCrypt is set to false or removed altogether from the ibmslapd.conf file, then a bind with valid credentials for an existing user whose password is still encrypted with a PBKDF2* method fails.
- Migration from IBM® Security Verify Directory 6.4 to IBM Security Directory Suite Virtual Appliance 8.0.1
- Migration from IBM Security Verify Directory 6.4 to IBM Security Directory Suite Virtual Appliance 8.0.1 that is configured with PBKDF2 encryption is currently not supported. The server may not start, or migration might not work at all. The idsimigr command might fail.
- Web Admin Tool support
- Configuring the PBKDF2 password encryption mechanism is not supported through the Web Admin Tool. You can use the idsldapmodify command to configure PBKDF2 password encryption.
- Attribute encryption support
- Attribute encryption is not supported with PBKDF2 encryption. PBKDF2 is supported only for password encryption.