Password storage plugins | HP UX Identity Security Software specs

For more information on using the different password storage schemes, see the "User Account Management" chapter in the HP-UX Directory Server administrator guide

CAUTION:

Do not modify the configuration of the password scheme plug-ins. HP recommends leaving these plug-ins running at all times.

Table 3-3 Password storage plugins

Storage scheme name	Usage notes
CLEAR	This encryption method is required for using SASL/DIGEST-MD5.
CRYPT	This storage scheme is not very secure and is included only for compatibility with
	legacy servers and to allow migration.
DES	This encryption scheme is used only for reversible encryption and is available for
	certain plug-ins; this is not intended for password storage.
MD5	This storage scheme is not very secure and is included only for compatibility with
	legacy servers and to allow migration.
NS-MTA-MD5	The NS-MTA-MD5 password storage scheme cannot be used to encrypt passwords.
	The storage scheme is still present for backward compatibility for any entries stored
	in the directory with passwords encrypted with the NS-MTA-MD5 password storage
	scheme.
SHA	If there are no passwords encrypted using the SHA password storage scheme, this
	plug-in can be turned off.
	Instead of encrypting passwords with the SHA password storage scheme, HP
	recommends choosing SSHA instead because it is more secure.
SHA256	Use SHA256 or higher to encrypt passwords because these are stronger encryption
	schemes.
SHA384	This storage scheme is recommended for password storage because of its strength.
SHA512	This storage scheme is recommended for password storage because of its strength.
SSHA	This is recommended instead of SHA because it is a stronger encryption screen.
	However, HP recommends using at least the SSHA256 storage scheme or higher
	because these are stronger schemes.
SSHA256	Use SSHA256 or higher to encrypt passwords because these are stronger encryption
	schemes.
SSHA384	This storage scheme is recommended for password storage because of its strength.
SSHA512	This storage scheme is recommended for password storage because of its strength.

3.1.26 Postal address string syntax plug-in

Plug-in parameter	Description
Plug-in Name	Postal Address Syntax
DN of Configuration Entry	cn=Postal Address Syntax, cn=plugins, cn=config
Description	Syntax used for handling postal addresses
Configurable Options	on or off
Default Setting	on
Configurable Arguments	None
Dependencies	None

3.1 Server plug-in functionality reference 123

Image 123

HP UX Identity Security Software manual Postal address string syntax plug-in, Password storage plugins

Contents

HP-UX Directory Server Version Page Table of Contents Table of Contents Table of Contents Nsslapd-state Nsslapd-backend 3.33.4 Nsssl3ciphers 113 Nsslapd-idl-switch Password Storage SchemesSchema reload plug-in Nsslapd-pluginEnabled NsMaxTestResponseDelay Cn=userRoot, cn=ldbm database, cn=plugins, cn=configCn=ldbm database, cn=plugins, cn=config NsMaxResponseDelay 173 169 189 Finding and executing command-line scripts 215 215239 243 247257 Page Directory Server instance file reference Directory Server configurationUsing Directory Server command-line utilities Directory Server configuration Introduction Using Directory Server command-line scripts Ldif and schema configuration files Overview of the Directory Server configuration Directory Server Ldif configuration files Directory Server Ldif configuration files How the server configuration is organizedConfiguration attributes Configuration of plug-in functionality Configuration of indexes Accessing and modifying server configurationAccess control for configuration entries Configuration of databases Changing configuration attributes Modifying configuration entries using LdapWhere Configuration changes requiring server restart Core server configuration attributes reference Nsslapd-accesslog Access log 1 cn=config Attribute values for enabling or disabling access logging Nsslapd-accesslog-level Access log levelNsslapd-accesslog-list List of access log files Nsslapd-accesslog-logbuffering Log buffering Valid Range Nsslapd-accesslog-logging-enabled Access log enable loggingDefault Value Syntax Directory String Example Valid Values EntryDN Cn=config Valid Range Disk space allowed to the access log is unlimited in sizeSyntaxDirectoryString Example Syntax DirectoryString Example Nsslapd-accesslog-maxlogsize Access log maximum log size Nsslapd-accesslog-logrotationtime Access log rotation time SyntaxInteger Example Nsslapd-accesslog-mode Access log file permission Nsslapd-auditlog Audit log ValidRange Through Default Value 600 Syntax Integer ExampleDefault Value Off Syntax DirectoryString Example Nsslapd-attribute-name-exceptions EntryDN Nsslapd-auditlog-listAttribute values for enabling or disabling audit logging Provides a list of audit log files Disk space allowed to the audit log is unlimited in size Nsslapd-auditlog-logging-enabled Audit log enable loggingEntry DN Cn=config Valid Values Turns audit logging on and off Syntax Integer Example Nsslapd-auditlog-logrotationsynchour Valid Range Through Default Value Nsslapd-auditlog-logrotationtime Audit log rotation time Syntax Integer Example Nsslapd-auditlog-logrotationsyncminTime between audit log file rotation is unlimited Nsslapd-auditlog-maxlogsize Audit log maximum log size Nsslapd-auditlog-mode Audit log file permissionNone Read only Execute only Write only Read and write Write and execute Write access to the server user IDNsslapd-certdir Certificate and key database directory Nsslapd-certmap-basedn Certificate map search base Nsslapd-counters Nsslapd-configThis read-only attribute is the config DN Nsslapd-conntablesize Nsslapd-csnlogging Nsslapd-ds4-compatible-schemaDefault Value Syntax DirectoryString Example Default Value Off Core server configuration reference Nsslapd-errorlog Error log Nsslapd-errorlog-level Error log levelAttribute values for enabling or disabling error logging This read-only attribute provides a list of error log files Nsslapd-errorlog-list Turns error logging on and off Nsslapd-errorlog-logging-enabled Enable error logging Disk space allowed to the error log is unlimited in size Time between error log file rotation is unlimited Nsslapd-errorlog-logrotationtime Error log rotation time Nsslapd-errorlog-maxlogsize Maximum error log size Nsslapd-errorlog-mode Error log file permission Nsslapd-idletimeout Default idle timeoutNsslapd-groupevalnestlevel Nsslapd-lastmod Track modification time Nsslapd-ioblocktimeout IO block time outDefault Value Syntax Integer Example Nsslapd-idletimeout Nsslapd-instancedir Instance directory Nsslapd-ldapilisten Enable Ldapi socket Nsslapd-ldapifilepath Ldapi socket file pathNsslapd-listenhost Listen to IP address Nsslapd-lockdir Server lock file directory Default Value SyntaxDirectoryString ExampleNsslapd-localhost Local host Nsslapd-localuser Local user Nsslapd-maxdescriptors Maximum file descriptors Nsslapd-maxbersize Maximum message size Nsslapd-maxsasliosize Maximum Sasl packet size Nsslapd-maxthreadsperconn Maximum threads per connection Nsslapd-nagleThis attribute value is specified in bytes Nsslapd-port Port number Nsslapd-outbound-ldap-io-timeoutDefault Value Core server configuration reference Nsslapd-plugin Nsslapd-readonly Read only Nsslapd-referral ReferralBut the request is for this entry Nsslapd-reservedescriptors Reserved file descriptors Nsslapd-referralmode Referral mode Nsslapd-rewrite-rfc1274 Nsslapd-return-exact-case Return exact case Nsslapd-rootpw Root password Default Value SyntaxNsslapd-rootdn Manager DN Nsslapd-saslpath Nsslapd-rootpwstoragescheme Root password storage scheme Nsslapd-schemadir Nsslapd-schemacheck Schema checking Nsslapd-schemareplace Nsslapd-securelistenhostNsslapd-securePort Encrypted port number Nsslapd-sizelimit Size limit Nsslapd-security Security Default Value Syntax Integer Example Nsslapd-threadnumber Nsslapd-threadnumber Thread numberNsslapd-timelimit Time limit Nsslapd-versionstring PasswordChange Password changeIndicates whether users may change their passwords Nsslapd-tmpdir PasswordExp Password expiration PasswordCheckSyntax Check password syntax Default Value Syntax Integer Example PasswordGraceLimit PasswordGraceLimit Password expirationPasswordHistory Password history PasswordInHistory Number of passwords to remember PasswordIsGlobalPolicy Password policy and replication PasswordLockout Account lockoutPasswordLockoutDuration Lockout duration Default Value Syntax Integer Example PasswordMaxFailure PasswordMaxAge Password maximum agePasswordMaxFailure Maximum password failures PasswordMaxRepeats Password syntax PasswordMin8Bit Password syntax PasswordMinAge Password minimum ageDefault Value Syntax Integer Example PasswordMinAge PasswordMinLength Password minimum length PasswordMinAlphas Password syntaxPasswordMinCategories Password syntax PasswordMinDigits Password syntax PasswordMinLowers Password syntax PasswordMinSpecials Password syntaxPasswordMinTokenLength Password syntax PasswordMinUppers Password syntax PasswordMustChange Password must changePasswordStorageScheme Password storage scheme PasswordWarning Send warning PasswordUnlock Unlock account Nsslapd-changelogdir 2 cn=changelog5,cn=config Nsslapd-changelogmaxentries Max changelog records 3 cn=encryption,cn=configNssslsessiontimeout Nsslapd-changelogmaxage Max changelog age NsSSL2 Means disallow certificate-based authenticationDefault Value Off Syntax DirectoryString Example Nsssl2 off Nssslclientauth Nsssl3ciphers 4 cn=features,cn=config5 cn=mapping tree,cn=config Suffix configuration attributes under cn=suffixName To requests made by client applications Nsslapd-stateNsslapd-backend Determines how the suffix handles operations NsDS5Flags NsDS5ReplicaBindDNNsDS5ReplicaChangeCount NsDS5ReplicaName NsDS5ReplicaPurgeDelayNsDS5ReplicaId NsDS5ReplicaLegacyConsumer NsDS5ReplicaReferral NsDS5ReplicaRootNsDS5ReplicaTombstonePurgeInterval NsDS5ReplicaType NsDS5ReplicaReapActiveNsState NsDS5ReplConflict 8.1 cnDescription NsDS5ReplicaBusyWaitTime NsDS5ReplicaBindMethod NsDS5ReplicaHost SchemaNsDS5ReplicaChangesSentSinceStartup NsDS5ReplicaCredentials Time NsDS5ReplicaLastInitEndNsDS5ReplicaLastInitStart NsDS5ReplicaLastInitStatus NsDS5ReplicaPort NsDS5ReplicaLastUpdateEndNsDS5ReplicaLastUpdateStart NsDS5ReplicaLastUpdateStatus NsDS5ReplicaPriority Default Value SyntaxInteger ExamplensDS5ReplicaPort389 NsDS5ReplicaSessionPauseTime NsDS5BeginReplicaRefresh NsDS5ReplicaTimeout Valid Range Default Value SyntaxDirectoryString ExampleNsDS5ReplicatedAttributeList NsDS5ReplicaUpdateInProgress NsDS5ReplicaUpdateScheduleNsDS5ReplicaTransportInfo NsDS5ReplicaLastUpdateEnd NsDS50ruvSunday Nsds7DirsyncCookie Nsds7NewWinGroupSyncEnabledNsds7NewWinUserSyncEnabled Nsds7DirectoryReplicaSubtree WinSyncInterval 10 cn=monitorNsds7WindowsDomain Nsds7WindowsReplicaSubtree This is the number of completed operations For exampleConnection table Greenwich Mean Time 11 cn=replication 12 cn=SNMP,cn=configNssnmpenabled This attribute sets whether Snmp is enabled Nssnmpdescription NssnmporganizationNssnmplocation Nssnmpcontact Snmp statistic attributes Snmp statistic attributesNssnmpmasterhost Nssnmpmasterport Snmp statistic attributes 14 cn=tasks,cn=config Task invocation attributes for entries under cn=tasks Entry DN Default Value Syntax DirectoryString Example Ttl 14.2 cn=import,cn=tasks,cn=config NsFilename file1.ldif NsFilename file2.ldif Default Value Syntax Integer Example NsImportChunkSize 14.3 cn=export,cn=tasks,cn=config Valid Values Any DN Core server configuration reference Syntax Case-insensitive string Example NsPrintKey false Default Value Syntax DN, multi-valued ExampleSyntax Case-insensitive string Example NsUseOneFile true Syntax Case-insensitive string Example NsExportReplica true Syntax Case-insensitive string Example NsDumpUniqId true 14.4 cn=backup,cn=tasks,cn=configSyntax Case-insensitive string Example NsUseId2Entry true Syntax Case-insensitive string Example NsNoWrap false 14.5 cn=restore,cn=tasks,cn=config Syntax Case-exact string Example 14.6 cn=index,cn=tasks,cn=config NsIndexAttribute attributeindex1,index2 14.7 cn=schema reload task,cn=tasks,cn=config 14.8 cn=memberof task,cn=tasks,cn=config 15 cn=uniqueid generator,cn=config 112 Server plug-in functionality reference 1 7-bit check plug-inServer plug-in functionality reference ACL plug-in ACL preoperation plug-inAttribute uniqueness plug-in Boolean syntax plug-in Binary syntax plug-in Case ignore string syntax plug-in Plug-in Name Chaining Database DN of Configuration EntryDescription Syntax for handling DNs Configurable Options Case exact string syntax plug-in Dependencies None Performance Related Class of service plug-inCountry string syntax plug-in Distinguished name syntax plug-in Plug-in Name Distributed numeric assignment plug-inGeneralized time syntax plug-in Details of distributed numeric assignment plug-in Internationalization plug-in Http client plug-in Information Further Information Jpeg syntax plug-inLdbm database plug-in Legacy replication plug-in MemberOf plug-in Multi-master replication plug-inDetails of MemberOf plug-in Password Storage Schemes Octet string syntax plug-inOID syntax plug-in Postal address string syntax plug-in Password storage plugins Referential integrity postoperation plug-in PTA plug-in Applications Retro Changelog plug-inRoles plug-in Both presence and equality Schema reload plug-in Details of schema reload plug-inSpace insensitive string syntax plug-in Resource Locators Telephone syntax plug-inURI syntax plug-in Views plug-in This attribute specifies the full path to the plug-in List of attributes common to all plug-insAccount policy plug-in Nsslapd-pluginPath Nsslapd-pluginId Nsslapd-pluginEnabledNsslapd-pluginInitfunc Nsslapd-pluginType Nsslapd-pluginDescription Attributes allowed by certain plug-insNsslapd-pluginVersion Nsslapd-pluginVendor Nsslapd-pluginLoadGlobal Nsslapd-plugin-depends-on-typeNsslapd-plugin-depends-on-named NsLookthroughLimit Database plug-in attributes Nsslapd-cache-autosize-split Nsslapd-cache-autosize Nsslapd-dbcachesize Nsslapd-db-checkpoint-intervalPlatforms Nsslapd-db-durable-transactions Default Value Database plug-in attributesNsslapd-db-circular-logging Nsslapd-db-debug Nsslapd-db-idl-divisor Nsslapd-db-home-directory Automatically adjusted to the minimum value Nsslapd-db-logbuf-sizeNsslapd-db-logdirectory Nsslapd-db-private-import-mem Valid Range Bytes to 64 kilobytes Default ValueNsslapd-db-logfile-size Nsslapd-db-page-size Nsslapd-db-transaction-batch-val Nsslapd-db-spin-count Nsslapd-db-trickle-percentage Nsslapd-db-verboseNsslapd-dbncache Nsslapd-idl-switch Nsslapd-directoryNsslapd-exclude-from-export Nsslapd-idlistscanlimit Nsslapd-import-cachesizeNsslapd-import-cache-autosize Memory to importCache No access for other usersDefault Value 600 Database plug-in attributes Nsslapd-mode Nsslapd-search-bypass-filter-test Nsslapd-search-use-vlv-indexNsslapd-serial-lock Nsslapd-cachememsize Nsslapd-cachesize Nsslapd-readonly Nsslapd-require-indexNsslapd-suffix Database plug-in attributes 5.1 cn NsSystemIndexThis attribute provides the name of the attribute to index NsMatchingRule NsIndexType Indexed attribute representing a subentry NsSubStrBegin NsSubStrMiddle NsSubStrEnd Encrypted attributes under the cn=config node Database link plug-in attributes chaining attributes Database link plug-in attributes chaining attributesNsEncryptionAlgorithm NsActiveChainingComponents NsMaxResponseDelay NsMaxTestResponseDelayNspossiblechainingcomponents NsTransmittedControls NsAbandonedSearchCheckIntervalNsBindConnectionsLimit NsCheckLocalACI NsBindTimeoutDefault Value Syntax Integer Example NsBindRetryLimit NsOperationConnectionsLimit NsConcurrentBindLimitNsConcurrentOperationsLimit NsConnectionLife NsProxiedAuthorization NsReferralOnScopedSearchNsSizeLimit NsBindMechanism NsTimeLimit NsFarmServerURL NsMultiplexorBindDNValid Values Empty NsUseStartTLS Encryption schemaNsMultiplexorCredentials Nshoplimit Nsslapd-changelogdir Retro changelog plug-in attributes DnaMagicRegen Distributed numeric assignment plug-in attributesNsslapd-changelogmaxage Max changelog age DnaFilter DnaMaxValue DnaNextRangeDnaNextValue Bit systems DnaRangeRequestTimeoutDefault Value Syntax Integer Example DnaNextValue DnaPrefix DnaScope DnaSharedCfgDNDnaThreshold Memberofgroupattr MemberOf plug-in attributesDnaType Memberofattr Account policy plug-in attributes Database files Backup filesConfiguration files Overview of Directory Server files Deleted, or modified in any way Setup-ds-admin.plscript is runAt setup for example, dc=example,dc=com Used internally by the database and should not be moved PID files Ldif filesLock files Log files Scripts Tools Access logging levels Access log reference File descriptor Default access logging contentExample 5-1 Example access log Connection number Method type Error numberSlot number Operation number Number of entries Elapsed timeLdap request type Search scope Unindexed search indicatorLdap response type VLV-related entries LDAPv3 extended operations supported by Directory Server Extended operation OIDChange sequence number Abandon message Access log content for additional access logging levels Message IDSasl multi-stage bind logging Common connection codes Connection descriptionOptions description Common connection codes Error log referenceError log logging levels Error log levels Error log levels Error log content Example 5-3 Error log excerpt Error log content for other log levels Into pending list Example 5-4 Replication error log entry Timestamp Pluginname message Timestamp function message Example 5-6 Config file processing log entry Example 5-7 Access control summary loggingAudit log reference Ldap result codes Example 5-8 Audit log contentLdap result codes Audit log does not have any other log level to set Ldap Adminlimitexceeded LdapLdap result codes Referral Ldap Commonly-used command-line utilities Finding and executing command-line utilitiesUsing special characters Command-line utilities quick reference Ldapsearch syntax LdapsearchLdapsearch syntax Commonly-used ldapsearch options Commonly-used ldapsearch options Persistent search options Persistent search optionsLdapsearch SSL options Commonly-used ldapsearch options Additional SSL ldapsearch options Ldapsearch Sasl options Sasl options Description of CRAM-MD5 mechanism options Require forward secrecy Do not permit mechanisms that allow anonymous accessDescription of CRAM-MD5 mechanism options Do not permit mechanisms susceptible to active attacks Maxbufsize Description of DIGEST-MD5 Sasl mechanism options Required Mech=DIGEST-MD5 Gives the Sasl MechanismFollowing UID. For example Additional ldapsearch options Description of Gssapi Sasl mechanism options10 Additional ldapsearch options 10 Additional ldapsearch options 11 Commonly-used ldapmodify options LdapmodifyLdapmodify syntax Commonly-used ldapmodify options Ldapmodify SSL options 11 Commonly-used ldapmodify options12 ldapmodify SSL options Ldapmodify Sasl options 12 ldapmodify SSL options13 Sasl options Ldapdelete Additional ldapmodify options14 Additional ldapmodify options 15 Commonly-used ldapdelete options Ldapdelete syntaxCommonly-used ldapdelete options Ldapdelete SSL options Ldapdelete Sasl options 16 ldapdelete SSL options17 Sasl options 18 Additional ldapdelete options LdappasswdAdditional ldapdelete options Ldappasswd syntax 20 General ldappasswd options Ldappasswd-specific optionsGeneral ldappasswd options 19 ldappasswd-specific options 20 General ldappasswd options Ldappasswd Sasl options Ldappasswd examples 21 Sasl optionsSix values Ldif Example 6-2 Directory Manager generating a users passwordExample 6-3 User changing his own password Ldif Ldif options Ldif command has the following formatDbscan Ldif syntax 24 Entry file options Dbscan optionsDbscan examples 23 Common options Example 6-7 Dumping the entry file Example 6-8 Displaying VLV index file contentsExample 6-13 Displaying the changelog file contents Example 6-14 Dumping the index file uid.db4 with raw mode Shell scripts in /opt/dirsrv/slapd-instancename Finding and executing command-line scriptsCommand-line scripts quick reference Saveconfig This section covers the following scripts Shell scriptsPerl scripts in /opt/dirsrv/slapd-instancename Scripts in /opt/dirsrv/bin Bak2db options 1 bak2db Restores a database from backupCl-dump Dumps and decodes the changelog Syntax Dbverify options Dbverify Checks for corrupt databasesCl-dump options Options 5 db2ldif Exports database contents to Ldif 4 db2bak Creates a backup of a database Db2index options 6 db2index Reindexes database index filesLdif2db Import Reindex cn and givenname in the database instance userRoot 10 ldif2ldap options Pwdhash Prints encrypted passwordsLdif2ldap Performs import operation over Ldap Ldif2db options Syntax monitor Monitor Retrieves monitoring informationRepl-monitor Monitors replication status 11 pwdhash options Hostportbinddnbindpwdbindcert Restoreconfig Restores Administration Server configuration Saveconfig Saves Administration Server configurationRestart-slapd Restarts the Directory Server Vlvindex Creates virtual list view indexes Start-slapd Starts the Directory ServerStop-slapd Stops the Directory Server Suffix2instance Maps a suffix to a backend name Options Either the -nor the -soption must be specified 1 bak2db.pl Restores a database from backupRestores a database from a backup Perl scripts Cl-dump.pl Dumps and decodes the changelog 3 db2bak.pl Creates a backup of a database19 cl-dump.pl command options Creates a backup of the database 4 db2index.pl Creates and generates indexes 5 db2ldif.pl Exports database contents to Ldif 22 db2ldif.pl options Fixup-memberof.pl Regenerate memberOf attributes Ldif2db.pl Import 23 fixup-memberof.pl options24 ldif2db.pl options 25 Information extracted from access logs Logconv.pl Log converter24 ldif2db.pl options 26 logconv.pl options Ns-accountstatus.pl Establishes account status 27 logconv.pl options to display occurrences28 ns-accountstatus.pl options 29 ns-activate.pl options Ns-activate.pl Activates an entry or group of entriesNs-inactivate.pl Inactivates an entry or group of entries Activates an entry or group of entries 32 repl-monitor.pl options Repl-monitor.pl Monitors replication status31 ns-newpwdpolicy.pl options Shows in-progress status of replication Where Verify-db.pl Check for corrupt databases Schema-reload.pl Reload schema files dynamically33 schema-reload.pl options Schemadirectory script uses the default schema directory Command, then it uses the default database directory 34 verify-db.pl optionUsage information HP authorized resellers How to contact HP technical supportContacting HP Information to collect before contacting HP Related information HP-UX Directory Server documentation setSupport and other resources This document uses the following typographical conventions Troubleshooting resourcesTypographic conventions HP-UX documentation set TIP Utilities for exporting databases db2ldif Finding and executing the ns-slapd command-line utilitiesExports the contents of the database to Ldif Overview of ns-slapd Table A-2 ldif2db options Utilities for restoring and backing up databases ldif2dbTable A-1 db2ldif options Imports Ldif files to the database Utilities for restoring and backing up databases archive2db Utilities for restoring and backing up databases db2archiveUtilities for creating and regenerating indexes db2index Table A-5 db2index options 247 Glossary Glossary Bind rule 249 CoS definition GSS-API 251 Ldap NIS 253 Proxy Sasl 255 Superuser 256 Symbols Statistics for monitoring and optimizing directory257 Read-only monitoring configuration entries Suffix and replication configuration entries 259 Index 261 Database link plug-in configuration attributes Distributed numeric assignment plug-in configuration 263 Ldap NsDS5ReplicaChangesSentSinceStartup attribute 265 Page 267 Index 269 Index 271