CA Directory: userPassword is inconsistent across copies of CA ldap

Document ID : KB000102289
Last Modified Date : 18/06/2018
Question:
Why do I see a different hash value for the userPassword attribute for the same user across MW replicated DSAs?
Answer:
What you are seeing is by design: it results from hashing the password with a salted algorithm.

In other words, apart from our obfuscation algorithm (-P CADIR, which uses a fixed key), our passwords use one-way hashing algorithms rather than encryption. The salted variants of these algorithms use a random salt so that the output of the hash is unique, which protects against precomputed hash attacks (such as rainbow table attacks). This is why you see a different hash value for the same password, while the actual password value itself (the clear-text value) remains the same.
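
The following is an added example, not code from CA or from this article. It shows why two stored values for the same password differ and how to confirm they still match the same clear-text value. It assumes the widely used LDAP `{SSHA}` layout (base64 of SHA-1 digest followed by the salt); the exact scheme configured on your DSAs may differ, and the function names and sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

PREFIX = "{SSHA}"   # assumed scheme tag; other salted schemes use other tags
DIGEST_LEN = 20     # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return PREFIX + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt for every hashing operation
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the hash using the salt embedded in the stored value."""
    if not stored.startswith(PREFIX):
        raise ValueError("value does not use the assumed {SSHA} scheme")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("stored value carries no salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def copies_consistent(password: str, stored_values: List[str]) -> bool:
    """True when every stored copy verifies against the same password."""
    return all(ssha_verify(password, value) for value in stored_values)


if __name__ == "__main__":
    sample = "Constructed-Sample-1"  # constructed test password
    # Two independent hashing operations, as two stored copies would hold.
    copy_a, copy_b = ssha_hash(sample), ssha_hash(sample)
    print(copy_a)
    print(copy_b)
    print("strings equal:     ", copy_a == copy_b)
    print("copies consistent: ", copies_consistent(sample, [copy_a, copy_b]))
```

Comparing the attribute strings is therefore not a valid replication check for salted values; verifying a known password against each copy, or performing a bind against each DSA, is.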