Configuring for user and administrator password encryption or hashing
The LDAP server allows prevention of unauthorized access to user or administrator passwords in the LDBM, TDBM, and CDBM backends. The userPassword and ibm-slapdAdminPw attribute values can be encrypted or hashed when stored in the directory, which prevents clear text passwords from being accessed by any users, including the system administrators. Use of the terms "user password" and "password" pertains to the userPassword attribute. Use of the term "user entry" refers to an entry in LDBM, TDBM, or CDBM that contains a userPassword attribute. Use of the terms "administrator password" and "password" pertains to the ibm-slapdAdminPw attribute. Use of the term "administrator entry" refers to an entry in LDBM, TDBM, or CDBM that contains an ibm-slapdAdminPw attribute.
An administrator may configure the server to encrypt or hash userPassword and ibm-slapdAdminPw attribute values in either a one-way hashing format or a two-way, symmetric, encryption format. The pwEncryption configuration option in an LDBM, TDBM, or CDBM section of the LDAP server configuration file specifies the encryption method that is to be used to encrypt or hash the userPassword and ibm-slapdAdminPw attribute values in that LDBM, TDBM, or CDBM backend. For more information about the password encryption or hashing types, see the pwEncryption option at pwEncryption {none | crypt | MD5 | SHA | SSHA | DES:keylabel | AES:keylabel}.
After the server is configured and started, any user or administrator passwords for new user or administrator entries or modified passwords for existing user or administrator entries are encrypted or hashed before they are stored in either the LDBM, TDBM, or CDBM backend. The encrypted or hashed passwords are tagged with the encryption algorithm name so that passwords encrypted or hashed in different formats can coexist in the directory. If a tagged encrypted or hashed userPassword or ibm-slapdAdminPw attribute value is present on an add or modify operation, the attribute value is added as it is, with no additional encryption or hashing performed on the value even if the pwEncryption configuration option is set to a different type of encryption or hashing.
If the pwEncryption configuration option in an LDBM, TDBM, or CDBM backend is changed, existing passwords remain unchanged and continue to be usable. In other words, existing user and administrator password values are not automatically converted to the new encryption method or key label.
The db2pwden utility is provided as a migration utility to encrypt or hash all unencrypted, AES encrypted, or DES encrypted userPassword attribute values in the encryption or hashing method specified by the pwEncryption configuration option in the LDBM, TDBM, or CDBM backend. The db2pwden utility does not convert encrypted or hashed ibm-slapdAdminPw attribute values. For example, the db2pwden utility allows an LDAP administrator to convert passwords from AES to DES, DES to AES, or AES to crypt. The db2pwden utility is similar to the LDAP client utilities, such as ldapsearch, in that it acts as a client to the LDAP server and has similar command-line parameters. For more information about the db2pwden utility, see db2pwden utility. The db2pwden utility must be run by an LDAP administrator with the appropriate authority or a user with the authority to update userPassword values. See Administrative group and roles for more information about administrative role authority.
If the pwEncryption configuration option is changed from AES or DES encryption to another encryption or hashing method or to a different AES or DES key label, the LDAP server must have access to the original AES or DES key label so that decryption of existing userPassword and ibm-slapdAdminPw values still occurs on bind, search, and compare operations. If you want to remove the LDAP server's access to the original AES or DES key label, it is necessary to migrate all existing AES or DES userPassword values to the new encryption or hashing method or new AES or DES key label by using the db2pwden utility. To migrate all existing AES or DES ibm-slapdAdminPw values to the new encryption method or new AES or DES key label, each entry that contains an ibm-slapdAdminPw value must be searched to obtain its value. Then, these entries must be manually modified using the ldapmodify utility to replace the existing value with the same value so that the new encryption or hashing method is used. After all AES or DES encrypted passwords are converted to the new encryption or hashing method or new AES or DES key label, the LDAP server's access to the original AES or DES key label can be removed.
A simple bind succeeds if the password provided in the bind request matches any of the multiple values of the userPassword attribute. A simple bind succeeds with an administrator entry if the password provided in the bind request matches the single ibm-slapdAdminPw attribute value. Note that depending on when userPassword or ibm-slapdAdminPw values are stored in the directory, different attribute values can be encrypted or hashed using different encoding methods.
When ldif2ds is used to load a TDBM backend, all clear text userPassword and ibm-slapdAdminPw attribute values in new entries are encrypted or hashed by the method specified on the pwEncryption configuration option in the LDAP server configuration file. If there is a tagged encrypted or hashed userPassword or ibm-slapdAdminPw attribute value in an entry, the attribute value is added as it is, with no additional encryption or hashing performed on the value even if the pwEncryption configuration option is set to a different type of encryption or hashing.
For information about the unloading of userPassword and ibm-slapdAdminPw attribute values in the ds2ldif utility, see ds2ldif utility.
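The two storage rules above (a value that already carries an algorithm tag is stored as-is, a clear value is hashed with the configured pwEncryption method) and the bind rule (the bind password may match any one of several differently encoded userPassword values) can be modelled in a few lines. The following Python is an added illustration, not code from the z/OS LDAP server or the db2pwden utility; it assumes the generic LDAP encodings {SHA} = base64(SHA-1(password)) and {SSHA} = base64(SHA-1(password + salt) + salt), and it does not model the crypt, DES, or AES formats, which need the platform crypt() routine or the configured key label. The last function is a simple audit that lists the values still not in the configured method, which is the set db2pwden would convert.

```python
import base64
import hashlib
import hmac
import os
import re

# A tagged value looks like "{SHA}..." or "{SSHA}..."; anything else is clear text.
TAG_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def split_tag(value):
    """Return (TAG, payload); TAG is None for an untagged clear-text value."""
    m = TAG_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def hash_password(password, method, salt=None):
    """Encode a clear password with the given pwEncryption method.
    Assumed encodings: {SHA} = b64(sha1(pw)), {SSHA} = b64(sha1(pw+salt)+salt)."""
    method = method.upper()
    pw = password.encode("utf-8")
    if method == "NONE":
        return password
    if method == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if method == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("method not modelled here: " + method)


def store_password(value, pw_encryption):
    """Value arriving on an add or modify operation: an already-tagged value is
    stored unchanged regardless of pw_encryption; a clear value is hashed."""
    tag, _ = split_tag(value)
    if tag is not None:
        return value
    return hash_password(value, pw_encryption)


def matches(candidate, stored):
    """Compare one bind password against one stored value, honouring its tag."""
    tag, payload = split_tag(stored)
    pw = candidate.encode("utf-8")
    if tag is None:
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    raw = base64.b64decode(payload)
    if tag == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if tag == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # crypt / DES / AES values are not modelled in this example


def simple_bind_ok(candidate, user_password_values):
    """A simple bind succeeds if the password matches ANY stored value,
    even when the values were encoded with different methods."""
    return any(matches(candidate, v) for v in user_password_values)


def values_needing_migration(user_password_values, pw_encryption):
    """Values whose encoding differs from the configured method; changing
    pwEncryption does not rewrite them, so they stay until migrated."""
    want = pw_encryption.upper()
    return [v for v in user_password_values
            if (split_tag(v)[0] or "NONE") != want]


if __name__ == "__main__":
    # Constructed sample: one entry with values stored under three settings over time.
    values = ["secret", hash_password("secret", "SHA"), store_password("secret", "SSHA")]
    print("bind with 'secret':", simple_bind_ok("secret", values))
    print("still not SSHA:", values_needing_migration(values, "SSHA"))
```

Running it shows the bind succeeding against all three encodings of the same password and the audit returning the clear and {SHA} values, which is exactly why a pwEncryption change on its own does not strengthen already-stored credentials.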
- The z/OS® LDAP server does not permit userPassword or ibm-slapdAdminPw attributes in distinguished names.
- Some important considerations for password encryption or hashing and basic replication are described in Data encryption or hashing and basic replication.
- If userPassword or ibm-slapdAdminPw attribute values are replicated in an advanced replication environment, the attribute values are replicated in the clear no matter the pwEncryption configuration option setting. Use a secure SSL connection between the supplier and consumer servers to protect this sensitive data. See Replication agreements for more information.
- The crypt() algorithm, implemented across many platforms, accepts only the first eight characters of a password. As a result, any password supplied on an ldap_simple_bind() or ldap_compare() API that matches the first eight characters of a userPassword or ibm-slapdAdminPw attribute value hashed with the crypt algorithm in the directory matches.