
PBKDF2 inconsistent iteration count on setup vs default password-policy


Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Fixed
    • 7.2.0
    • 7.2.0, 2021.9
    • None

    Description

      After a setup with evaluation profile, we can see that uid=admin and uid=Monitor users have a password hashed with an iteration count = 10000

      #$ cat db/monitorUser/monitorUser.ldif
      dn: uid=Monitor
      ...
      userPassword: {PBKDF2-HMAC-SHA256}10000:OkV/zUISefs6HqT9gfeXW18lF6xeBc1fZoeYSbyst5RcW//vcwX+f673h77G67ul 

      but, given the password policy is configured to use an iteration count = 10, those passwords are re-hashed and rewritten after the first successful BIND:

      #$ cat db/monitorUser/monitorUser.ldif
      dn: uid=Monitor
      ...
      userPassword: {PBKDF2-HMAC-SHA256}10:YXdG8M6xjP2KcK/+I9W/HoZz2XMGEZaBMgDK5EtIMpqzaRFrPUtT02Gjju7vSQHl 


      It feels like either the setup tool should hash password with an iteration count of 10 or, the password policy should be updated to use an iteration count of 10000.

      Acceptance criteria:

      • userPassword of uid=admin and uid=Monitor are no more re-hashed/re-written after the first BIND.
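      The mismatch described in this report can be spotted before the first BIND by reading the stored userPassword values and comparing the iteration count embedded in each PBKDF2 value against the count the password policy is configured with. The script below is an added example, not OpenDJ's own code: it assumes only the visible encoding {SCHEME}iterations:base64 shown in the LDIF excerpts above, does not interpret the decoded bytes (the salt/digest layout is OpenDJ-internal and not stated here), and takes the policy iteration count as a plain input (POLICY_ITERATIONS is a hypothetical value standing in for what the password-policy configuration says). The sample LDIF is constructed; its two userPassword values are the ones quoted in this report.

```python
import base64
import re

# Hypothetical policy setting, standing in for the password-policy configuration
# described in the report (which was set to 10 while setup hashed with 10000).
POLICY_ITERATIONS = 10

# Constructed sample LDIF. The uid=Monitor value is the one written by setup
# (10000 iterations); the uid=admin value is the one rewritten after the first
# BIND under the 10-iteration policy. Both base64 strings are quoted from the report.
SAMPLE_LDIF = """\
dn: uid=Monitor
objectClass: top
userPassword: {PBKDF2-HMAC-SHA256}10000:OkV/zUISefs6HqT9gfeXW18lF6xeBc1fZoeYSbyst5RcW//vcwX+f673h77G67ul

dn: uid=admin
objectClass: top
userPassword: {PBKDF2-HMAC-SHA256}10:YXdG8M6xjP2KcK/+I9W/HoZz2XMGEZaBMgDK5EtIMpqzaRFrPUtT02Gjju7vSQHl
"""

# Matches the encoding visible on the page: {PBKDF2[-HMAC-<digest>]}<iterations>:<base64>
PBKDF2_RE = re.compile(r"^\{(PBKDF2(?:-HMAC-[A-Z0-9]+)?)\}(\d+):([A-Za-z0-9+/=]+)$")


def parse_pbkdf2_value(value):
    """Split '{SCHEME}iterations:base64' into (scheme, iterations, raw_bytes).

    Returns None for any other storage scheme. The raw bytes are returned
    undecoded; their internal salt/digest layout is not assumed here.
    """
    m = PBKDF2_RE.match(value.strip())
    if not m:
        return None
    scheme, iterations, b64 = m.groups()
    raw = base64.b64decode(b64, validate=True)
    return scheme, int(iterations), raw


def iter_entries(ldif_text):
    """Minimal LDIF reader: yields (dn, [(attr, value), ...]) per entry.

    Unfolds continuation lines (leading space), skips '#' comments and decodes
    'attr:: base64' values. Change records (changetype:) are not handled.
    """
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]       # folded continuation line
            else:
                lines.append(line)
        dn, attrs = None, []
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):       # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            yield dn, attrs


def find_policy_mismatches(ldif_text, policy_iterations):
    """Return [(dn, stored_iterations)] for PBKDF2 values whose iteration count
    differs from the policy; these are the entries the server will re-hash and
    rewrite on the next successful BIND."""
    mismatches = []
    for dn, attrs in iter_entries(ldif_text):
        for name, value in attrs:
            if name.lower() != "userpassword":
                continue
            parsed = parse_pbkdf2_value(value)
            if parsed is None:
                continue                    # other schemes are out of scope here
            _scheme, iterations, _raw = parsed
            if iterations != policy_iterations:
                mismatches.append((dn, iterations))
    return mismatches


if __name__ == "__main__":
    for dn, stored in find_policy_mismatches(SAMPLE_LDIF, POLICY_ITERATIONS):
        print(f"{dn}: stored with {stored} iterations, policy uses {POLICY_ITERATIONS}; "
              f"will be re-hashed on next BIND")
```

      Run against a backend LDIF export (or the db/monitorUser/monitorUser.ldif file quoted above) with the policy value taken from the actual password-policy configuration, the script lists exactly the entries whose stored value will be rewritten, which is what the acceptance criterion above asks to be empty after the fix.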



          People

            cforel carole forel
            ylecaillez Yannick Lecaillez
            Ludovic Poitou Ludovic Poitou
            carole forel carole forel