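<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CDDL HEADER START
  !
  ! The contents of this file are subject to the terms of the
  ! Common Development and Distribution License, Version 1.0 only
  ! (the "License"). You may not use this file except in compliance
  ! with the License.
  !
  ! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
  ! or http://forgerock.org/license/CDDLv1.0.html.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! When distributing Covered Code, include this CDDL HEADER in each
  ! file and include the License file at legal-notices/CDDLv1_0.txt.
  ! If applicable, add the following below this CDDL HEADER, with the
  ! fields enclosed by brackets "[]" replaced with your own identifying
  ! information:
  ! Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CDDL HEADER END
  !
  !
  ! Copyright 2007-2008 Sun Microsystems, Inc.
  ! Portions Copyright 2010-2014 ForgeRock AS
  ! Portions Copyright 2012 Dariusz Janny <dariusz.janny@gmail.com>
  ! -->
<!--
  Administration definition for the "CRYPT" password storage scheme.
  It declares the managed object, its LDAP object class, the Java class
  that implements it, and one mandatory property that selects which
  crypt variant is applied to new passwords.

  Terminology: the user-facing text below says "encrypt", but the
  description itself calls Unix crypt a one-way digest, so the stored
  values are password hashes, not reversibly encrypted data. The
  property and attribute names keep the word "encryption" because they
  are part of the configuration interface.
-->
<adm:managed-object name="crypt-password-storage-scheme"
  plural-name="crypt-password-storage-schemes"
  package="org.opends.server.admin.std"
  extends="password-storage-scheme"
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    provides a mechanism for encoding user passwords like Unix crypt does.
    Like on most Unix systems, the password may be encrypted using different
    algorithms, either Unix crypt, md5, sha256 or sha512.
  </adm:synopsis>
  <adm:description>
    This scheme contains only an implementation for the user password
    syntax, with a storage scheme name of "CRYPT". Like on most Unixes, the
    "CRYPT" storage scheme has different algorithms, the default being Unix
    crypt.

    Warning: even though Unix crypt is a one-way digest, it is very weak by
    today's standards. Only the first 8 characters in a password are used, and
    it only uses the bottom 7 bits of each character. It only supports a 12-bit
    salt (meaning that there are only 4096 possible ways to encode a given
    password), so it is vulnerable to dictionary attacks.

    You should therefore use this algorithm only in cases where an external
    application expects to retrieve the password and verify it outside of the
    directory, instead of by performing an LDAP bind.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-crypt-password-storage-scheme</ldap:name>
      <ldap:superior>ds-cfg-password-storage-scheme</ldap:superior>
    </ldap:object-class>
  </adm:profile>
  <!--
    Implementation class for this scheme. The override is flagged
    advanced="true" and supplies a fixed default, so an administrator
    normally never sets it by hand.
  -->
  <adm:property-override name="java-class" advanced="true">
    <adm:default-behavior>
      <adm:defined>
        <adm:value>
          org.opends.server.extensions.CryptPasswordStorageScheme
        </adm:value>
      </adm:defined>
    </adm:default-behavior>
  </adm:property-override>
  <!--
    Algorithm selector. The property is documented as applying to new
    passwords, so values already stored are presumably left in their
    existing format until the password is next changed (confirm against
    the implementation class). The prefixes listed in the description
    ($1$, $5$, $6$) make it possible to audit stored values and see
    which variant produced each one.
  -->
  <adm:property name="crypt-password-storage-encryption-algorithm" mandatory="true">
    <adm:synopsis>
      Specifies the algorithm to use to encrypt new passwords.
    </adm:synopsis>
    <adm:description>
      Select the crypt algorithm to use to encrypt new passwords.
      The value can either be "unix", which means the password is encrypted
      with the weak Unix crypt algorithm, or "md5" which means the password is
      encrypted with the BSD MD5 algorithm and has a $1$ prefix,
      or "sha256" which means the password is encrypted with the SHA256
      algorithm and has a $5$ prefix, or "sha512" which means the password is
      encrypted with the SHA512 algorithm and has a $6$ prefix.
    </adm:description>
    <!--
      NOTE(review): the default is "unix", the variant that the
      description above calls very weak (8 significant characters,
      7 bits per character, 12-bit salt). Any deployment that enables
      this scheme without setting the property explicitly therefore
      stores new passwords in the weakest available format. Operators
      who need CRYPT for interoperability should set the property to
      "sha512" or "sha256" unless the consuming application only
      understands traditional crypt. The default is left unchanged here
      because altering it would change the format of newly stored
      passwords for existing configurations.
    -->
    <adm:default-behavior>
      <adm:defined>
        <adm:value>unix</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:enumeration>
        <adm:value name="unix">
          <adm:synopsis>
            New passwords are encrypted with the Unix crypt algorithm. Passwords
            are truncated at 8 characters and the top bit of each character is
            ignored.
          </adm:synopsis>
        </adm:value>
        <!--
          NOTE(review): this synopsis carries no weakness caveat, but
          MD5-based crypt is also widely regarded as obsolete for
          password storage; treat it as a compatibility option only.
        -->
        <adm:value name="md5">
          <adm:synopsis>
            New passwords are encrypted with the BSD MD5 algorithm.
          </adm:synopsis>
        </adm:value>
        <adm:value name="sha256">
          <adm:synopsis>
            New passwords are encrypted with the Unix crypt SHA256 algorithm.
          </adm:synopsis>
        </adm:value>
        <adm:value name="sha512">
          <adm:synopsis>
            New passwords are encrypted with the Unix crypt SHA512 algorithm.
          </adm:synopsis>
        </adm:value>
      </adm:enumeration>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-crypt-password-storage-encryption-algorithm</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
</adm:managed-object>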