Reusing passwords encoded with custom hash in OUD

Guest Author

Existing user passwords can be migrated to OUD easily as long as they are hashed with an algorithm that Oracle Unified Directory supports out of the box (OOTB). The list of password storage schemes supported by OUD is available at http://docs.oracle.com/cd/E22289_01/html/821-1278/password-storage-scheme.html

In some situations, the legacy passwords to be migrated are hashed with custom algorithms or with old hash algorithms not supported by OUD. The OUD Extensible Framework can be used to reuse these passwords and migrate them transparently to a new, configurable password storage scheme, without forcing users to change their password.

The proposed plugin intercepts bind requests and adds pre- and post-processing to handle the custom algorithm and migrate the password to a new scheme. Here is the high-level algorithm:

§1. The plugin intercepts the LDAP bind request as a pre-operation.

§2. It determines whether the password stored in the user entry carries a custom hash tag, e.g. {Custom}.

§3a. If the entry has the custom hash, it hashes the clear-text password provided by the LDAP client using the custom password hash.

§3b. If the entry does not have the custom hash, it skips to step 6.

§4. It compares the hashed value computed from the clear-text password with the custom hash contained in the entry.

§5. If the hash comparison matches, it replaces the existing custom-hashed password with a hash computed by the algorithm defined by the default password storage scheme.

§6. It then passes the bind through to OUD.

§7. OUD hashes the clear-text value using the default password storage scheme and compares it with the value in the directory.

Step 6 always forwards the bind request to the OUD core server, so that the password policy state (failed-login counters, last-login time and so on) is properly updated whether or not the custom hash matched.

User passwords are migrated progressively over time to the new password storage scheme as users authenticate to the OUD directory. The plugin can then be deactivated once all the passwords have been migrated.
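The following is an added example that is not part of the original post or of the OUD plugin it describes: a small Python model of steps 2 to 7, run against a constructed user entry. The legacy "{Custom}" algorithm (a prefixed, unsalted SHA-1) is hypothetical, and the "{SSHA512}" encoding (base64 of digest followed by salt) is an assumption about how the default scheme stores values; the point is the control flow, in particular that the bind is always forwarded to the core (step 6) so a wrong password against a {Custom} entry still fails in the normal way and counts against the password policy.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Tags used in the userPassword attribute. {Custom} is the hypothetical legacy
# scheme OUD does not understand; {SSHA512} stands in for the configured default.
CUSTOM_TAG = "{Custom}"
DEFAULT_TAG = "{SSHA512}"


def custom_hash(password: str) -> str:
    """Hypothetical legacy algorithm: hex SHA-1 over a fixed application prefix
    and the password (constructed for this example, not a real OUD scheme)."""
    return CUSTOM_TAG + hashlib.sha1(b"legacy-app:" + password.encode()).hexdigest()


def default_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512, stored as base64(sha512(password || salt) || salt).
    Assumed layout for the {SSHA512} default scheme; 8-byte random salt."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return DEFAULT_TAG + base64.b64encode(digest + salt).decode()


def default_verify(password: str, stored: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    raw = base64.b64decode(stored[len(DEFAULT_TAG):])
    digest, salt = raw[:64], raw[64:]          # SHA-512 digest is 64 bytes
    candidate = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def core_bind(entry: dict, password: str) -> bool:
    """Step 7: what the OUD core does with the forwarded bind. It only knows the
    default scheme, so an entry still tagged {Custom} cannot authenticate here."""
    stored = entry["userPassword"]
    if stored.startswith(DEFAULT_TAG):
        return default_verify(password, stored)
    return False


def pre_bind(entry: dict, password: str) -> dict:
    """Steps 2-5, the plugin's pre-operation. Returns a small report describing
    what happened so the caller (and the test) can inspect it."""
    stored = entry["userPassword"]
    if not stored.startswith(CUSTOM_TAG):      # step 2 / 3b: nothing to do
        return {"custom_match": None, "migrated": False}
    candidate = custom_hash(password)           # step 3a
    match = hmac.compare_digest(candidate.encode(), stored.encode())  # step 4
    if match:                                   # step 5: rewrite with default scheme
        entry["userPassword"] = default_hash(password)
    return {"custom_match": match, "migrated": match}


def bind(entry: dict, password: str) -> dict:
    """Full flow: plugin pre-operation, then the bind is always forwarded (step 6)."""
    report = pre_bind(entry, password)
    report["bound"] = core_bind(entry, password)
    return report


if __name__ == "__main__":
    # Constructed entry with a legacy-hashed password.
    alice = {"dn": "uid=alice,ou=people,dc=example,dc=com",
             "userPassword": custom_hash("correct horse")}
    print(bind(alice, "wrong password"))   # not migrated, bind fails
    print(bind(alice, "correct horse"))    # migrated to {SSHA512}, bind succeeds
    print(alice["userPassword"][:12])
    print(bind(alice, "correct horse"))    # plugin now skips, core verifies directly
```

Note that after a successful migration the second bind for the same user never touches the custom path again, which is what lets the plugin be removed once no {Custom} values remain; a failed bind leaves the entry unchanged and is rejected by the core, so lockout counters still advance.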


Comments (3)
  • Asif Thursday, January 8, 2015

    Sylvian, should we also use the above approach to migrate user passwords from one OOTB supported hash algorithm to another OOTB hash algorithm (e.g. from Unsalted SHA1 to Salted SHA512)? Or is there a simpler approach or an OOTB plugin / function provided by Oracle for doing that?

  • Sylvain Duloutre Tuesday, January 20, 2015

    Passwords will be migrated automatically to the new OOTB algo as users change their password. OUD supports authentication based on any supported password format but password will be stored using the password algo specified in the password policy when the password is changed. So some entries might still have the old algo while others use the new one. If you want to do a full switch to the new algo, you can force users to change their passwords.

  • Stefan Tuesday, January 19, 2016

    Hi Sylvian

    In your example, is the CUSTOM password hash algorithm implemented in the OUD plugin? Would it alternatively be possible to extend OUD with a custom password storage scheme?

    One could add a new password storage scheme with dsconfig. I'm just wondering if there is any API documentation available for the current password storage scheme classes and / or examples for a custom password storage scheme class.
