From 3603e5465ee35cae3dadd176bf1391d9ee5164d4 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Tue, 3 Dec 2024 18:26:38 -0800
Subject: [PATCH 1/2] Issue 6269 - RFE - Add nsslapd-pwdPBKDF2Rounds
 configuration to PBKDF2-* plugins

Description: Add nsslapd-pwdPBKDF2Rounds attribute that can be configured in
PBKDF2-* password storage plugin entries. This was password hashing round value can be adjusted.
Certain compliance requirements (like from BSI) require specific hashing round values greater than what we currently provide.
Add CLI, Web UI option, and CI tests.

Fixes: https://github.com/389ds/389-ds-base/issues/6269

Reviewed by: ?
---
 .../suites/openldap_2_389/migrate_hdb_test.py |   1 -
 .../openldap_2_389/migrate_memberof_test.py   |   1 -
 .../openldap_2_389/migrate_monitor_test.py    |   1 -
 .../suites/openldap_2_389/migrate_test.py     |   1 -
 .../password/pbkdf2_upgrade_plugin_test.py    |   8 +-
 .../tests/suites/pwp_storage/storage_test.py  | 301 ++++++++++++-
 ldap/ldif/template-dse-minimal.ldif.in        |   4 +
 ldap/ldif/template-dse.ldif.in                |   4 +
 ldap/schema/01core389.ldif                    |   2 +
 ldap/servers/slapd/config.c                   |   1 +
 ldap/servers/slapd/fedse.c                    |   3 +
 .../src/lib/database/globalPwp.jsx            | 190 +++++++-
 .../389-console/src/lib/server/settings.jsx   |   2 +
 src/lib389/lib389/cli_conf/plugin.py          |   2 +
 .../lib389/cli_conf/plugins/pwstorage.py      |  78 ++++
 src/lib389/lib389/password_plugins.py         |  74 +++-
 src/plugins/pwdchan/src/lib.rs                | 409 +++++++++++++++---
 src/plugins/pwdchan/src/pbkdf2.rs             |  44 --
 src/plugins/pwdchan/src/pbkdf2_sha1.rs        |  44 --
 src/plugins/pwdchan/src/pbkdf2_sha256.rs      |  43 --
 src/plugins/pwdchan/src/pbkdf2_sha512.rs      |  43 --
 src/slapi_r_plugin/src/error.rs               |   2 +
 src/slapi_r_plugin/src/pblock.rs              |   4 +-
 23 files changed, 1004 insertions(+), 258 deletions(-)
 create mode 100644 src/lib389/lib389/cli_conf/plugins/pwstorage.py
 delete mode 100644 src/plugins/pwdchan/src/pbkdf2.rs
 delete mode 100644 src/plugins/pwdchan/src/pbkdf2_sha1.rs
 delete mode 100644 src/plugins/pwdchan/src/pbkdf2_sha256.rs
 delete mode 100644 src/plugins/pwdchan/src/pbkdf2_sha512.rs

diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py
index 95597898e6..da67ed244c 100644
--- a/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py
+++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_hdb_test.py
@@ -9,7 +9,6 @@
 import pytest
 import os
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2Plugin
 from lib389.utils import ds_is_older
 from lib389.migrate.openldap.config import olConfig
 from lib389.migrate.openldap.config import olOverlayType
diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py
index 4092bb36df..e5f749c01a 100644
--- a/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py
+++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_memberof_test.py
@@ -9,7 +9,6 @@
 import pytest
 import os
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2Plugin
 from lib389.utils import ds_is_older
 from lib389.migrate.openldap.config import olConfig
 from lib389.migrate.openldap.config import olOverlayType
diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py
index bf056f0e05..6935900a55 100644
--- a/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py
+++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_monitor_test.py
@@ -9,7 +9,6 @@
 import pytest
 import os
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2Plugin
 from lib389.utils import ds_is_older
 from lib389.migrate.openldap.config import olConfig
 from lib389.migrate.openldap.config import olOverlayType
diff --git a/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py b/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py
index 492c94fc8f..fa41a9daf3 100644
--- a/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py
+++ b/dirsrvtests/tests/suites/openldap_2_389/migrate_test.py
@@ -9,7 +9,6 @@
 import pytest
 import os
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2Plugin
 from lib389.utils import ds_is_older
 from lib389.migrate.openldap.config import olConfig
 from lib389.migrate.openldap.config import olOverlayType
diff --git a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
index 90dae36ec7..65c9bed939 100644
--- a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
+++ b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
@@ -8,7 +8,7 @@
 #
 import pytest
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2Plugin
+from lib389.password_plugins import PBKDF2SHA512Plugin
 from lib389.utils import ds_is_older
 
 pytestmark = pytest.mark.tier1
@@ -35,18 +35,18 @@ def test_pbkdf2_upgrade(topology_st):
 
     """
     # Remove the pbkdf2 plugin config
-    p1 = PBKDF2Plugin(topology_st.standalone)
+    p1 = PBKDF2SHA512Plugin(topology_st.standalone)
     assert(p1.exists())
     p1._protected = False
     p1.delete()
     # Restart
     topology_st.standalone.restart()
     # check it's been readded.
-    p2 = PBKDF2Plugin(topology_st.standalone)
+    p2 = PBKDF2SHA512Plugin(topology_st.standalone)
     assert(p2.exists())
     # Now restart to make sure we still work from the non-bootstrap form
     topology_st.standalone.restart()
-    p3 = PBKDF2Plugin(topology_st.standalone)
+    p3 = PBKDF2SHA512Plugin(topology_st.standalone)
     assert(p3.exists())
 
 
diff --git a/dirsrvtests/tests/suites/pwp_storage/storage_test.py b/dirsrvtests/tests/suites/pwp_storage/storage_test.py
index ed0dd9e533..db254cdc73 100644
--- a/dirsrvtests/tests/suites/pwp_storage/storage_test.py
+++ b/dirsrvtests/tests/suites/pwp_storage/storage_test.py
@@ -18,13 +18,54 @@
 
 from lib389.topologies import topology_st as topo
 from lib389.idm.user import UserAccounts, UserAccount
-from lib389._constants import DEFAULT_SUFFIX
+from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD, ErrorLog
 from lib389.config import Config
-from lib389.password_plugins import PBKDF2Plugin, SSHA512Plugin
+from lib389.password_plugins import (
+    SSHA512Plugin,
+    PBKDF2SHA1Plugin,
+    PBKDF2SHA256Plugin,
+    PBKDF2SHA512Plugin
+)
 from lib389.utils import ds_is_older
 
 pytestmark = pytest.mark.tier1
 
+PBKDF2_SCHEMES = [
+    ('PBKDF2-SHA1', PBKDF2SHA1Plugin, 70000),
+    ('PBKDF2-SHA256', PBKDF2SHA256Plugin, 30000),
+    ('PBKDF2-SHA512', PBKDF2SHA512Plugin, 10000),
+]
+
+
+@pytest.fixture(scope="function")
+def new_user(request, topo):
+    """Fixture to create and clean up a test user for each test"""
+    # Generate unique user ID based on test name
+    uid = f'new_user_{request.node.name[:20]}'
+    
+    # Create user
+    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+    user = users.create(properties={
+        'uid': uid,
+        'cn': 'Test User',
+        'sn': 'User',
+        'uidNumber': '1000',
+        'gidNumber': '2000',
+        'homeDirectory': f'/home/{uid}'
+    })
+    
+    def fin():
+        try:
+            # Ensure we're bound as DM before cleanup
+            topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+            if user.exists():
+                user.delete()
+        except Exception as e:
+            log.error(f"Error during user cleanup: {e}")
+    
+    request.addfinalizer(fin)
+    return user
+
 
 def user_config(topo, field_value):
     """
@@ -62,6 +103,248 @@ def test_check_password_scheme(topo, value):
     user.delete()
 
 
+@pytest.mark.parametrize('scheme_name,plugin_class,default_rounds', PBKDF2_SCHEMES)
+def test_pbkdf2_default_rounds(topo, new_user, scheme_name, plugin_class, default_rounds):
+    """Test PBKDF2 schemes with default iteration rounds.
+
+    :id: bd58cd76-14f9-4d54-9793-ee7bba8e5369
+    :parametrized: yes
+    :setup: Standalone
+    :steps:
+        1. Remove any existing rounds configuration
+        2. Verify default rounds are used
+        3. Set password and verify hash format
+        4. Test authentication
+    :expectedresults:
+        1. Pass
+        2. Pass
+        3. Pass
+        4. Pass
+    """
+    try:
+        # Flush logs
+        topo.standalone.restart()
+        topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN))
+        topo.standalone.deleteErrorLogs()
+        
+        plugin = plugin_class(topo.standalone)
+        plugin.remove_all('nsslapd-pwdpbkdf2numiterations')
+        topo.standalone.restart()
+        
+        topo.standalone.config.replace('passwordStorageScheme', scheme_name)
+        
+        current_rounds = plugin.get_rounds()
+        assert current_rounds == default_rounds, \
+            f"Expected default {default_rounds} rounds, got {current_rounds}"
+        
+        new_user.set('userPassword', 'Secret123')
+        pwd_hash = new_user.get_attr_val_utf8('userPassword')
+        assert pwd_hash.startswith('{' + scheme_name.upper() + '}')
+        assert str(default_rounds) in pwd_hash
+        
+        topo.standalone.simple_bind_s(new_user.dn, 'Secret123')
+        
+        assert topo.standalone.searchErrorsLog(
+            f'Number of iterations for {scheme_name} password scheme set to {default_rounds} from default'
+        )
+    finally:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+
+@pytest.mark.parametrize('scheme_name,plugin_class,default_rounds', PBKDF2_SCHEMES)
+def test_pbkdf2_rounds_reset(topo, new_user, scheme_name, plugin_class, default_rounds):
+    """Test PBKDF2 schemes rounds reset to defaults.
+
+    :id: 59bf95c5-6a07-4db1-81eb-d59b54436826
+    :parametrized: yes
+    :setup: Standalone
+    :steps:
+        1. Set custom rounds for PBKDF2 plugin
+        2. Verify custom rounds are used
+        3. Remove rounds configuration
+        4. Verify defaults are restored
+        5. Test password operations with default rounds
+    :expectedresults:
+        1. Pass
+        2. Pass
+        3. Pass
+        4. Pass
+        5. Pass
+    """
+    try:
+        # Flush logs
+        topo.standalone.restart()
+        topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN))
+        topo.standalone.deleteErrorLogs()
+        
+        test_rounds = 25000
+        plugin = plugin_class(topo.standalone)
+        plugin.set_rounds(test_rounds)
+        topo.standalone.restart()
+        
+        current_rounds = plugin.get_rounds()
+        assert current_rounds == test_rounds, \
+            f"Expected {test_rounds} rounds, got {current_rounds}"
+        
+        plugin.remove_all('nsslapd-pwdpbkdf2numiterations')
+        topo.standalone.restart()
+        
+        current_rounds = plugin.get_rounds()
+        assert current_rounds == default_rounds, \
+            f"Expected default {default_rounds} rounds after reset, got {current_rounds}"
+        
+        topo.standalone.config.replace('passwordStorageScheme', scheme_name)
+        
+        new_user.set('userPassword', 'Secret123')
+        pwd_hash = new_user.get_attr_val_utf8('userPassword')
+        assert pwd_hash.startswith('{' + scheme_name.upper() + '}')
+        assert str(default_rounds) in pwd_hash
+        
+        topo.standalone.simple_bind_s(new_user.dn, 'Secret123')
+        
+        assert topo.standalone.searchErrorsLog(
+            f'Number of iterations for {scheme_name} password scheme set to {default_rounds} from default'
+        )
+    finally:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+
+@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES)
+@pytest.mark.parametrize('rounds', [10000, 20000, 50000])
+def test_pbkdf2_custom_rounds(topo, new_user, scheme_name, plugin_class, _, rounds):
+    """Test PBKDF2 schemes with custom iteration rounds.
+
+    :id: 6bec6542-ed8d-4a0e-89d6-e047757767c2
+    :parametrized: yes
+    :setup: Standalone
+    :steps:
+        1. Set custom rounds for PBKDF2 plugin
+        2. Verify rounds are set correctly
+        3. Set password and verify hash format
+        4. Test authentication
+        5. Verify rounds in password hash
+    :expectedresults:
+        1. Pass
+        2. Pass
+        3. Pass
+        4. Pass
+        5. Pass
+    """
+    try:
+        # Flush logs
+        topo.standalone.restart()
+        topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN))
+        topo.standalone.deleteErrorLogs()
+
+        plugin = plugin_class(topo.standalone)
+        plugin.set_rounds(rounds)
+        topo.standalone.restart()
+        
+        current_rounds = plugin.get_rounds()
+        assert current_rounds == rounds, \
+            f"Expected {rounds} rounds, got {current_rounds}"
+        
+        topo.standalone.config.replace('passwordStorageScheme', scheme_name)
+        
+        new_user.set('userPassword', 'Secret123')
+        pwd_hash = new_user.get_attr_val_utf8('userPassword')
+        assert pwd_hash.startswith('{' + scheme_name.upper() + '}')
+        assert str(rounds) in pwd_hash
+        
+        topo.standalone.simple_bind_s(new_user.dn, 'Secret123')
+        
+        assert topo.standalone.searchErrorsLog(
+            f'Number of iterations for {scheme_name}'
+        )
+    finally:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+
+@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES)
+def test_pbkdf2_invalid_rounds(topo, scheme_name, plugin_class, _):
+    """Test PBKDF2 schemes with invalid iteration rounds.
+
+    :id: 4e5b4f37-c97b-4f58-b5c5-726495d9fa4e
+    :parametrized: yes
+    :setup: Standalone
+    :steps:
+        1. Try to set invalid rounds (too low and too high)
+        2. Verify appropriate errors are raised
+        3. Verify original rounds are maintained
+    :expectedresults:
+        1. Pass
+        2. Pass
+        3. Pass
+    """
+    # Flush logs
+    topo.standalone.restart()
+    topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN))
+    topo.standalone.deleteErrorLogs()
+
+    plugin = plugin_class(topo.standalone)
+    plugin.enable()
+    
+    original_rounds = plugin.get_rounds()
+    
+    with pytest.raises(ValueError) as excinfo:
+        plugin.set_rounds(5000)
+    assert "rounds must be between 10,000 and 10,000,000" in str(excinfo.value)
+    
+    with pytest.raises(ValueError) as excinfo:
+        plugin.set_rounds(20000000)
+    assert "rounds must be between 10,000 and 10,000,000" in str(excinfo.value)
+    
+    current_rounds = plugin.get_rounds()
+    assert current_rounds == original_rounds, \
+        f"Rounds changed from {original_rounds} to {current_rounds}"
+
+
+@pytest.mark.parametrize('scheme_name,plugin_class,_', PBKDF2_SCHEMES)
+def test_pbkdf2_rounds_persistence(topo, new_user, scheme_name, plugin_class, _):
+    """Test PBKDF2 rounds persistence across server restarts.
+
+    :id: b15de1ae-53ac-429f-991b-cea5e6a7b383
+    :parametrized: yes
+    :setup: Standalone
+    :steps:
+        1. Set custom rounds for PBKDF2 plugin
+        2. Restart server
+        3. Verify rounds are maintained
+        4. Set password and verify hash
+        5. Test authentication
+    :expectedresults:
+        1. Pass
+        2. Pass
+        3. Pass
+        4. Pass
+        5. Pass
+    """
+    try:
+        # Flush logs
+        topo.standalone.restart()
+        topo.standalone.config.loglevel((ErrorLog.DEFAULT, ErrorLog.PLUGIN))
+        topo.standalone.deleteErrorLogs()
+
+        test_rounds = 15000
+        plugin = plugin_class(topo.standalone)
+        plugin.set_rounds(test_rounds)
+        topo.standalone.restart()
+        
+        current_rounds = plugin.get_rounds()
+        assert current_rounds == test_rounds, \
+            f"Expected {test_rounds} rounds after restart, got {current_rounds}"
+        
+        topo.standalone.config.replace('passwordStorageScheme', scheme_name)
+        
+        new_user.set('userPassword', 'Secret123')
+        pwd_hash = new_user.get_attr_val_utf8('userPassword')
+        assert str(test_rounds) in pwd_hash
+        
+        topo.standalone.simple_bind_s(new_user.dn, 'Secret123')
+    finally:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+
 def test_clear_scheme(topo):
     """Check clear password scheme.
 
@@ -106,27 +389,27 @@ def test_check_two_scheme(topo):
     user.delete()
 
 @pytest.mark.skipif(ds_is_older('1.4'), reason="Not implemented")
-def test_check_pbkdf2_sha256(topo):
-    """Check password scheme PBKDF2_SHA256.
+def test_check_pbkdf2_sha512(topo):
+    """Check password scheme PBKDF2-SHA512.
 
     :id: 31612e7e-33a6-11ea-a750-8c16451d917b
     :setup: Standalone
     :steps:
-        1. Try to delete PBKDF2_SHA256.
-        2. Should not deleted PBKDF2_SHA256 and server should up.
+        1. Try to delete PBKDF2-SHA512.
+        2. Should not deleted PBKDF2-SHA512 and server should up.
     :expectedresults:
         1. Pass
         2. Pass
     """
-    value = 'PBKDF2_SHA256'
+    value = 'PBKDF2-SHA512'
     user = user_config(topo, value)
     assert '{' + f'{value.lower()}' + '}' in \
            UserAccount(topo.standalone, user.dn).get_attr_val_utf8('userpassword').lower()
-    plg = PBKDF2Plugin(topo.standalone)
+    plg = PBKDF2SHA512Plugin(topo.standalone)
     plg._protected = False
     plg.delete()
     topo.standalone.restart()
-    assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == 'PBKDF2_SHA256'
+    assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == 'PBKDF2-SHA512'
     assert topo.standalone.status()
     user.delete()
 
diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
index d2b02f8be9..264cc51e06 100644
--- a/ldap/ldif/template-dse-minimal.ldif.in
+++ b/ldap/ldif/template-dse-minimal.ldif.in
@@ -195,6 +195,7 @@ nsslapd-pluginenabled: on
 dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
@@ -208,6 +209,7 @@ nsslapd-pluginDescription: PBKDF2
 dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA1
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
@@ -221,6 +223,7 @@ nsslapd-pluginDescription: PBKDF2-SHA1\
 dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA256
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
@@ -234,6 +237,7 @@ nsslapd-pluginDescription: PBKDF2-SHA256\
 dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA512
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index ce44d75cd1..ccb736eb86 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -252,6 +252,7 @@ nsslapd-pluginenabled: on
 dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
@@ -265,6 +266,7 @@ nsslapd-pluginDescription: PBKDF2
 dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA1
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
@@ -278,6 +280,7 @@ nsslapd-pluginDescription: PBKDF2-SHA1\
 dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA256
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
@@ -291,6 +294,7 @@ nsslapd-pluginDescription: PBKDF2-SHA256\
 dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
 objectclass: top
 objectclass: nsSlapdPlugin
+objectClass: pwdPBKDF2PluginConfig
 cn: PBKDF2-SHA512
 nsslapd-pluginpath: libpwdchan-plugin
 nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index c98e5b34b3..bfe8259f82 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -332,6 +332,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2391 NAME 'dsEntryDN' DESC '389 Director
 attributeTypes: ( 2.16.840.1.113730.3.1.2392 NAME 'nsslapd-return-original-entrydn' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2393 NAME 'nsslapd-auditlog-display-attrs' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsslapd-haproxy-trusted-ip' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2400 NAME 'nsslapd-pwdPBKDF2NumIterations' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Directory Server' )
 #
 # objectclasses
 #
@@ -353,3 +354,4 @@ objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netsc
 objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top  MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.332 NAME 'nsChangelogConfig' DESC 'Configuration of the changelog5 object' SUP top MUST ( cn $ nsslapd-changelogdir ) MAY ( nsslapd-changelogmaxage $ nsslapd-changelogtrim-interval $ nsslapd-changelogmaxentries $ nsslapd-changelogsuffix $ nsslapd-changelogcompactdb-interval $ nsslapd-encryptionalgorithm $ nsSymmetricKey ) X-ORIGIN '389 Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.337 NAME 'rewriterEntry' DESC '' SUP top MUST ( nsslapd-libPath ) MAY ( cn $ nsslapd-filterrewriter $ nsslapd-returnedAttrRewriter ) X-ORIGIN '389 Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.340 NAME 'pwdPBKDF2PluginConfig' DESC 'PBKDF2 Password Storage Plugin configuration' SUP top MAY ( nsslapd-pwdPBKDF2NumIterations ) X-ORIGIN '389 Directory Server' )
diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
index eb8c9a4fee..3db7b7840c 100644
--- a/ldap/servers/slapd/config.c
+++ b/ldap/servers/slapd/config.c
@@ -43,6 +43,7 @@ static char *bootstrap_plugins[] = {
     "dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config\n"
     "objectclass: top\n"
     "objectclass: nsSlapdPlugin\n"
+    "objectClass: pwdPBKDF2PluginConfig\n"
     "cn: PBKDF2-SHA512\n"
     "nsslapd-pluginpath: libpwdchan-plugin\n"
     "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init\n"
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 74f7e6cf99..85bcf063c8 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -231,6 +231,7 @@ static const char *internal_entries[] =
         "dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config\n"
         "objectclass: top\n"
         "objectclass: nsSlapdPlugin\n"
+        "objectClass: pwdPBKDF2PluginConfig\n"
         "cn: PBKDF2\n"
         "nsslapd-pluginpath: libpwdchan-plugin\n"
         "nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init\n"
@@ -244,6 +245,7 @@ static const char *internal_entries[] =
         "dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config\n"
         "objectclass: top\n"
         "objectclass: nsSlapdPlugin\n"
+        "objectClass: pwdPBKDF2PluginConfig\n"
         "cn: PBKDF2-SHA1\n"
         "nsslapd-pluginpath: libpwdchan-plugin\n"
         "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init\n"
@@ -257,6 +259,7 @@ static const char *internal_entries[] =
         "dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config\n"
         "objectclass: top\n"
         "objectclass: nsSlapdPlugin\n"
+        "objectClass: pwdPBKDF2PluginConfig\n"
         "cn: PBKDF2-SHA256\n"
         "nsslapd-pluginpath: libpwdchan-plugin\n"
         "nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init\n"
diff --git a/src/cockpit/389-console/src/lib/database/globalPwp.jsx b/src/cockpit/389-console/src/lib/database/globalPwp.jsx
index a757361ec3..8681584677 100644
--- a/src/cockpit/389-console/src/lib/database/globalPwp.jsx
+++ b/src/cockpit/389-console/src/lib/database/globalPwp.jsx
@@ -89,6 +89,16 @@ const tpr_attrs = [
     "passwordtprdelayvalidfrom",
 ];
 
+const password_storage_attrs = [
+    "nsslapd-pwdpbkdf2numiterations"
+];
+
+const PBKDF2_SCHEMES = ['pbkdf2', 'pbkdf2-sha1', 'pbkdf2-sha256', 'pbkdf2-sha512'];
+
+const isPBKDF2Scheme = (scheme) => {
+    return PBKDF2_SCHEMES.includes(scheme.toLowerCase());
+};
+
 export class GlobalPwPolicy extends React.Component {
     constructor(props) {
         super(props);
@@ -102,6 +112,7 @@ export class GlobalPwPolicy extends React.Component {
             // each field, so we can loop over them to efficently
             // check for changes, and updating/saving the config.
             saveGeneralDisabled: true,
+            savePasswordStorageDisabled: true,
             saveExpDisabled: true,
             saveLockoutDisabled: true,
             saveSyntaxDisabled: true,
@@ -118,6 +129,8 @@ export class GlobalPwPolicy extends React.Component {
 
         this.handleGeneralChange = this.handleGeneralChange.bind(this);
         this.handleSaveGeneral = this.handleSaveGeneral.bind(this);
+        this.handlePasswordStorageChange = this.handlePasswordStorageChange.bind(this);
+        this.handleSavePasswordStorage = this.handleSavePasswordStorage.bind(this);
         this.handleExpChange = this.handleExpChange.bind(this);
         this.handleSaveExp = this.handleSaveExp.bind(this);
         this.handleLockoutChange = this.handleLockoutChange.bind(this);
@@ -127,6 +140,7 @@ export class GlobalPwPolicy extends React.Component {
         this.handleTPRChange = this.handleTPRChange.bind(this);
         this.handleSaveTPR = this.handleSaveTPR.bind(this);
         this.handleLoadGlobal = this.handleLoadGlobal.bind(this);
+        this.handleLoadPasswordStorage = this.handleLoadPasswordStorage.bind(this);
         // Select Typeahead
         this.handleSelectToggle = this.handleSelectToggle.bind(this);
         this.handleSelectClear = this.handleSelectClear.bind(this);
@@ -145,6 +159,68 @@ export class GlobalPwPolicy extends React.Component {
         this.setState({ activeKey: key });
     }
 
+    handlePasswordStorageChange(e) {
+        const value = e.target.type === 'checkbox' ? e.target.checked : e.target.value;
+        const attr = e.target.id.toLowerCase();
+        let disableSaveBtn = true;
+
+        for (const password_storage_attr of password_storage_attrs) {
+            const storageAttr = password_storage_attr.toLowerCase();
+            const oldValue = String(this.state['_' + storageAttr] || '');
+            const newValue = String(value || '');
+
+            if (attr === storageAttr && oldValue !== newValue) {
+                disableSaveBtn = false;
+                break;
+            }
+        }
+
+        this.setState({
+            [attr]: value || '',
+            savePasswordStorageDisabled: disableSaveBtn,
+        });
+    }
+
+    handleSavePasswordStorage() {
+        if (!isPBKDF2Scheme(this.state.passwordstoragescheme)) {
+            return;
+        }
+        this.setState({
+            saving: true
+        });
+
+        const cmd = [
+            'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket",
+            'plugin', 'pwstorage-scheme', this.state.passwordstoragescheme.toLowerCase(),
+            'set-num-iterations', this.state[password_storage_attrs[0]]
+        ];
+
+        log_cmd("handleSavePasswordStorage", "Saving password storage settings", cmd);
+        cockpit
+            .spawn(cmd, { superuser: true, err: "message" })
+            .done(content => {
+                this.handleLoadGlobal();
+                this.setState({
+                    saving: false
+                });
+                this.props.addNotification(
+                    "success",
+                    _("Successfully updated number of iterations for password storage scheme")
+                );
+            })
+            .fail(err => {
+                const errMsg = JSON.parse(err);
+                this.handleLoadGlobal();
+                this.setState({
+                    saving: false
+                });
+                this.props.addNotification(
+                    "error",
+                    cockpit.format(_("Error updating number of iterations for password storage scheme - $0"), errMsg.desc)
+                );
+            });
+    }
+
     handleGeneralChange(e) {
         const value = e.target.type === 'checkbox' ? e.target.checked : e.target.value;
         const attr = e.target.id;
@@ -166,9 +242,18 @@ export class GlobalPwPolicy extends React.Component {
             }
         }
 
-        this.setState({
+        // Create state update object
+        const stateUpdate = {
             [attr]: value,
             saveGeneralDisabled: disableSaveBtn,
+        };
+
+        this.setState(stateUpdate, () => {
+            // If passwordstoragescheme was changed and it's a PBKDF2 scheme,
+            // load the iterations value
+            if (attr === 'passwordstoragescheme' && isPBKDF2Scheme(value)) {
+                this.handleLoadPasswordStorage(true);
+            }
         });
     }
 
@@ -176,6 +261,15 @@ export class GlobalPwPolicy extends React.Component {
         this.setState({
             saving: true
         });
+        if (!this.state.savePasswordStorageDisabled) {
+            this.handleSavePasswordStorage();
+        }
+        if (this.state.saveGeneralDisabled) {
+            this.setState({
+                saving: false
+            });
+            return;
+        }
 
         const cmd = [
             'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket",
@@ -594,10 +688,74 @@ export class GlobalPwPolicy extends React.Component {
                 });
     }
 
+    handleLoadPasswordStorage(skipLoading = false) {
+        if (!skipLoading) {
+            this.setState({
+                loading: true
+            });
+        }
+
+        if (!isPBKDF2Scheme(this.state.passwordstoragescheme)) {
+            this.setState({
+                loading: false,
+                'nsslapd-pwdpbkdf2numiterations': '',
+                '_nsslapd-pwdpbkdf2numiterations': ''
+            });
+            return;
+        }
+
+        const cmd = [
+            'dsconf', '-j', "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket",
+            'plugin', 'pwstorage-scheme', this.state.passwordstoragescheme.toLowerCase(),
+            'get-num-iterations'
+        ];
+
+        log_cmd("handleLoadPasswordStorage", "Load password storage settings", cmd);
+        cockpit
+            .spawn(cmd, { superuser: true, err: "message" })
+            .done(content => {
+                const config = JSON.parse(content);
+                const attrs = config.attrs;
+
+                const stateUpdates = {
+                    'nsslapd-pwdpbkdf2numiterations': '',
+                    '_nsslapd-pwdpbkdf2numiterations': ''
+                };
+                
+                if (!skipLoading) {
+                    stateUpdates["loading"] = false
+                }
+                password_storage_attrs.forEach(attr => {
+                    const attrLower = attr.toLowerCase();
+                    const attrValue = attrs[attr] || attrs[attrLower];
+
+                    if (attrValue && attrValue[0]) {
+                        stateUpdates[attrLower] = attrValue[0];
+                        stateUpdates['_' + attrLower] = attrValue[0];
+                    }
+                });
+
+                this.setState(stateUpdates);
+            })
+            .fail(err => {
+                const errMsg = JSON.parse(err);
+                this.setState({
+                    loading: false,
+                    'nsslapd-pwdpbkdf2numiterations': '',
+                    '_nsslapd-pwdpbkdf2numiterations': ''
+                });
+                this.props.addNotification(
+                    "error",
+                    cockpit.format(_("Error loading password storage settings - $0"), errMsg.desc)
+                );
+            });
+    }
+
     handleLoadGlobal() {
         this.setState({
             loading: true
         });
+
         const cmd = [
             "dsconf", "-j", "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket",
             "config", "get"
@@ -700,6 +858,7 @@ export class GlobalPwPolicy extends React.Component {
                             loaded: true,
                             loading: false,
                             saveGeneralDisabled: true,
+                            savePasswordStorageDisabled: true,
                             saveUserDisabled: true,
                             saveExpDisabled: true,
                             saveLockoutDisabled: true,
@@ -795,8 +954,10 @@ export class GlobalPwPolicy extends React.Component {
                             _passwordtprmaxuse: attrs.passwordtprmaxuse[0],
                             _passwordtprdelayexpireat: attrs.passwordtprdelayexpireat[0],
                             _passwordtprdelayvalidfrom: attrs.passwordtprdelayvalidfrom[0],
-                        }), this.props.enableTree()
-                    );
+                        }), () => {
+                            this.props.enableTree();
+                            this.handleLoadPasswordStorage();
+                        });
                 })
                 .fail(err => {
                     const errMsg = JSON.parse(err);
@@ -1385,6 +1546,25 @@ export class GlobalPwPolicy extends React.Component {
                                         </FormSelect>
                                     </GridItem>
                                 </Grid>
+                                {isPBKDF2Scheme(this.state.passwordstoragescheme) && (
+                                    <Grid title={_("Set the number of iterations to the password storage scheme plugin entry (nsslapd-pwdPBKDF2NumIterations).")}>
+                                        <GridItem className="ds-label" span={3}>
+                                            {_("PBKDF2 Iterations")}
+                                        </GridItem>
+                                        <GridItem span={9}>
+                                            <TextInput
+                                                value={this.state[password_storage_attrs[0]] || ''}
+                                                type="number"
+                                                id={password_storage_attrs[0]}
+                                                aria-describedby="horizontal-form-name-helper"
+                                                name={password_storage_attrs[0]}
+                                                onChange={(e, checked) => {
+                                                    this.handlePasswordStorageChange(e);
+                                                }}
+                                            />
+                                        </GridItem>
+                                    </Grid>
+                                )}
                                 <Grid
                                     title={_("Indicates the number of seconds that must pass before a user can change their password again. (passwordMinAge).")}
                                 >
@@ -1439,7 +1619,7 @@ export class GlobalPwPolicy extends React.Component {
                                 </Grid>
                             </Form>
                             <Button
-                                isDisabled={this.state.saveGeneralDisabled || this.state.saving}
+                                isDisabled={this.state.saveGeneralDisabled && this.state.savePasswordStorageDisabled || this.state.saving}
                                 variant="primary"
                                 className="ds-margin-top-xlg ds-margin-left-sm"
                                 onClick={this.handleSaveGeneral}
@@ -1635,7 +1815,7 @@ export class GlobalPwPolicy extends React.Component {
                         <TextContent>
                             <Text component={TextVariants.h3}>
                                 {_("Global Password Policy")}
-                                <Button 
+                                <Button
                                     variant="plain"
                                     aria-label={_("Refresh global password policy settings")}
                                     onClick={this.handleLoadGlobal}
diff --git a/src/cockpit/389-console/src/lib/server/settings.jsx b/src/cockpit/389-console/src/lib/server/settings.jsx
index f6432ecd41..8aba812023 100644
--- a/src/cockpit/389-console/src/lib/server/settings.jsx
+++ b/src/cockpit/389-console/src/lib/server/settings.jsx
@@ -160,6 +160,8 @@ export class ServerSettings extends React.Component {
         };
 
         this.options = [
+            { value: 'PBKDF2-SHA512', label: 'PBKDF2-SHA512', disabled: false },
+            { value: 'PBKDF2-SHA256', label: 'PBKDF2-SHA256', disabled: false },
             { value: 'PBKDF2_SHA256', label: 'PBKDF2_SHA256', disabled: false },
             { value: 'SSHA512', label: 'SSHA512', disabled: false },
             { value: 'SSHA384', label: 'SSHA384', disabled: false },
diff --git a/src/lib389/lib389/cli_conf/plugin.py b/src/lib389/lib389/cli_conf/plugin.py
index 5a35a7740d..04690286c2 100644
--- a/src/lib389/lib389/cli_conf/plugin.py
+++ b/src/lib389/lib389/cli_conf/plugin.py
@@ -31,6 +31,7 @@
 from lib389.cli_conf.plugins import posix_winsync as cli_posix_winsync
 from lib389.cli_conf.plugins import contentsync as cli_contentsync
 from lib389.cli_conf.plugins import entryuuid as cli_entryuuid
+from lib389.cli_conf.plugins import pwstorage as cli_pwstorage
 
 SINGULAR = Plugin
 MANY = Plugins
@@ -120,6 +121,7 @@ def create_parser(subparsers):
     cli_posix_winsync.create_parser(subcommands)
     cli_contentsync.create_parser(subcommands)
     cli_entryuuid.create_parser(subcommands)
+    cli_pwstorage.create_parser(subcommands)
 
     list_parser = subcommands.add_parser('list', help="List current configured (enabled and disabled) plugins", formatter_class=CustomHelpFormatter)
     list_parser.set_defaults(func=plugin_list)
diff --git a/src/lib389/lib389/cli_conf/plugins/pwstorage.py b/src/lib389/lib389/cli_conf/plugins/pwstorage.py
new file mode 100644
index 0000000000..2ec66b795e
--- /dev/null
+++ b/src/lib389/lib389/cli_conf/plugins/pwstorage.py
@@ -0,0 +1,78 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2024 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+import json
+from lib389.password_plugins import (
+    PBKDF2Plugin,
+    PBKDF2SHA1Plugin,
+    PBKDF2SHA256Plugin,
+    PBKDF2SHA512Plugin
+)
+from lib389.cli_base import CustomHelpFormatter
+
+
+PBKDF2_VARIANTS = {
+    'pbkdf2': PBKDF2Plugin,
+    'pbkdf2-sha1': PBKDF2SHA1Plugin,
+    'pbkdf2-sha256': PBKDF2SHA256Plugin,
+    'pbkdf2-sha512': PBKDF2SHA512Plugin,
+}
+
+def _get_pbkdf2_plugin(inst, variant):
+    plugin_class = PBKDF2_VARIANTS.get(variant)
+    if plugin_class is None:
+        raise ValueError(f"Unsupported PBKDF2 variant: {variant}")
+    return plugin_class(inst)
+
+
+def pbkdf2_get_iterations(inst, basedn, log, args):
+    log = log.getChild('pbkdf2_get_iterations')
+    plugin = _get_pbkdf2_plugin(inst, args.variant)
+    
+    attr = 'nsslapd-pwdpbkdf2numiterations'
+    
+    if hasattr(args, 'json') and args.json:
+        vals = {}
+        rounds = plugin.get_rounds()
+        vals[attr] = [rounds]
+        print(json.dumps({
+            "type": "entry",
+            "dn": plugin._dn,
+            "attrs": vals
+        }, indent=4))
+    else:
+        rounds = plugin.get_rounds()
+        log.info(f'Current number of iterations for {args.variant}: {rounds}')
+
+
+def pbkdf2_set_iterations(inst, basedn, log, args):
+    log = log.getChild('pbkdf2_set_iterations')
+    plugin = _get_pbkdf2_plugin(inst, args.variant)
+    plugin.set_rounds(args.iterations)
+    log.info(f'Successfully set number of iterations for {args.variant} to {args.iterations}')
+
+
+def create_parser(subparsers):
+    pwstorage = subparsers.add_parser('pwstorage-scheme', help='Manage password storage scheme plugins',
+                                      formatter_class=CustomHelpFormatter)
+    scheme_subcommands = pwstorage.add_subparsers(help='scheme')
+
+    for variant in sorted(PBKDF2_VARIANTS.keys()):
+        variant_parser = scheme_subcommands.add_parser(variant, help=f'Manage {variant.upper()} scheme',
+                                                       formatter_class=CustomHelpFormatter)
+        
+        variant_subcommands = variant_parser.add_subparsers(help='action')
+
+        get_iter = variant_subcommands.add_parser('get-num-iterations', help='Get number of iterations',
+                                                  formatter_class=CustomHelpFormatter)
+        get_iter.set_defaults(func=pbkdf2_get_iterations, variant=variant)
+
+        set_iter = variant_subcommands.add_parser('set-num-iterations', help='Set number of iterations',
+                                                  formatter_class=CustomHelpFormatter)
+        set_iter.add_argument('iterations', type=int, help='Number of iterations (10,000-10,000,000)')
+        set_iter.set_defaults(func=pbkdf2_set_iterations, variant=variant)
diff --git a/src/lib389/lib389/password_plugins.py b/src/lib389/lib389/password_plugins.py
index a912407046..16f10f7339 100644
--- a/src/lib389/lib389/password_plugins.py
+++ b/src/lib389/lib389/password_plugins.py
@@ -1,6 +1,6 @@
 # --- BEGIN COPYRIGHT BLOCK ---
 # Copyright (C) 2018 William Brown <william@blackhats.net.au>
-# Copyright (C) 2023 Red Hat, Inc.
+# Copyright (C) 2024 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -31,10 +31,6 @@ def __init__(self, instance, dn=None):
         # We'll mark this protected, and people can just disable the plugins.
         self._protected = True
 
-class PBKDF2Plugin(PasswordPlugin):
-    def __init__(self, instance, dn="cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config"):
-        super(PBKDF2Plugin, self).__init__(instance, dn)
-
 
 class SSHA512Plugin(PasswordPlugin):
     def __init__(self, instance, dn=f'cn=SSHA512,{DN_PWDSTORAGE_SCHEMES}'):
@@ -56,6 +52,74 @@ def __init__(self, instance, dn=f'cn=SSHA,{DN_PWDSTORAGE_SCHEMES}'):
         super(SSHAPlugin, self).__init__(instance, dn)
 
 
+class PBKDF2BasePlugin(PasswordPlugin):
+    """Base class for all PBKDF2 variants"""
+    DEFAULT_ROUNDS = 70000  # Fallback default if not specified by subclass
+
+    def __init__(self, instance, dn):
+        super(PBKDF2BasePlugin, self).__init__(instance, dn)
+        self._create_objectclasses.append('pwdPBKDF2PluginConfig')
+        
+    def set_rounds(self, rounds):
+        """Set the number of rounds for PBKDF2 hashing (requires restart)
+        
+        :param rounds: Number of rounds
+        :type rounds: int
+        """
+        # Ensure the pwdPBKDF2PluginConfig objectClass is present
+        self.ensure_present('objectClass', 'pwdPBKDF2PluginConfig')
+        
+        rounds = int(rounds)
+        if rounds < 10000 or rounds > 10000000:
+            raise ValueError("PBKDF2 rounds must be between 10,000 and 10,000,000")
+        self.replace('nsslapd-pwdPBKDF2NumIterations', str(rounds))
+        
+    def get_rounds(self):
+        """Get the current number of rounds
+        
+        :param use_json: Whether to return JSON formatted output
+        :type use_json: bool
+        :returns: Current rounds setting or JSON string
+        :rtype: int
+        """
+        rounds = self.get_attr_val_int('nsslapd-pwdPBKDF2NumIterations')
+        if rounds:
+            return rounds
+        return self.DEFAULT_ROUNDS
+
+
+class PBKDF2Plugin(PBKDF2BasePlugin):
+    """PBKDF2 password storage scheme"""
+    DEFAULT_ROUNDS = 70000
+
+    def __init__(self, instance, dn=f'cn=PBKDF2,{DN_PWDSTORAGE_SCHEMES}'):
+        super(PBKDF2Plugin, self).__init__(instance, dn)
+
+
+class PBKDF2SHA1Plugin(PBKDF2BasePlugin):
+    """PBKDF2-SHA1 password storage scheme"""
+    DEFAULT_ROUNDS = 70000
+
+    def __init__(self, instance, dn=f'cn=PBKDF2-SHA1,{DN_PWDSTORAGE_SCHEMES}'):
+        super(PBKDF2SHA1Plugin, self).__init__(instance, dn)
+
+
+class PBKDF2SHA256Plugin(PBKDF2BasePlugin):
+    """PBKDF2-SHA256 password storage scheme"""
+    DEFAULT_ROUNDS = 30000
+
+    def __init__(self, instance, dn=f'cn=PBKDF2-SHA256,{DN_PWDSTORAGE_SCHEMES}'):
+        super(PBKDF2SHA256Plugin, self).__init__(instance, dn)
+
+
+class PBKDF2SHA512Plugin(PBKDF2BasePlugin):
+    """PBKDF2-SHA512 password storage scheme"""
+    DEFAULT_ROUNDS = 10000
+
+    def __init__(self, instance, dn=f'cn=PBKDF2-SHA512,{DN_PWDSTORAGE_SCHEMES}'):
+        super(PBKDF2SHA512Plugin, self).__init__(instance, dn)
+
+
 class PasswordPlugins(Plugins):
     def __init__(self, instance):
         super(PasswordPlugins, self).__init__(instance=instance)
diff --git a/src/plugins/pwdchan/src/lib.rs b/src/plugins/pwdchan/src/lib.rs
index 7f938fccba..acccbabe80 100644
--- a/src/plugins/pwdchan/src/lib.rs
+++ b/src/plugins/pwdchan/src/lib.rs
@@ -4,19 +4,29 @@ extern crate slapi_r_plugin;
 use base64;
 use openssl::{hash::MessageDigest, pkcs5::pbkdf2_hmac, rand::rand_bytes};
 use slapi_r_plugin::prelude::*;
-use std::fmt;
+use std::fmt::Write;
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::convert::TryInto;
+use std::os::raw::c_char;
+
+const DEFAULT_PBKDF2_SHA1_ROUNDS: usize = 70_000;
+const DEFAULT_PBKDF2_SHA256_ROUNDS: usize = 30_000;
+const DEFAULT_PBKDF2_SHA512_ROUNDS: usize = 10_000;
+const MIN_PBKDF2_ROUNDS: usize = 10_000;
+const MAX_PBKDF2_ROUNDS: usize = 10_000_000;
+
+const PBKDF2_ROUNDS_ATTR: &str = "nsslapd-pwdPBKDF2NumIterations";
+// Each algorithm gets its own atomic counter for thread-safe round configuration
+static PBKDF2_ROUNDS: AtomicUsize = AtomicUsize::new(DEFAULT_PBKDF2_SHA1_ROUNDS);
+static PBKDF2_ROUNDS_SHA1: AtomicUsize = AtomicUsize::new(DEFAULT_PBKDF2_SHA1_ROUNDS);
+static PBKDF2_ROUNDS_SHA256: AtomicUsize = AtomicUsize::new(DEFAULT_PBKDF2_SHA256_ROUNDS);
+static PBKDF2_ROUNDS_SHA512: AtomicUsize = AtomicUsize::new(DEFAULT_PBKDF2_SHA512_ROUNDS);
 
-const PBKDF2_ROUNDS: usize = 10_000;
 const PBKDF2_SALT_LEN: usize = 24;
 const PBKDF2_SHA1_EXTRACT: usize = 20;
 const PBKDF2_SHA256_EXTRACT: usize = 32;
 const PBKDF2_SHA512_EXTRACT: usize = 64;
 
-pub mod pbkdf2;
-pub mod pbkdf2_sha1;
-pub mod pbkdf2_sha256;
-pub mod pbkdf2_sha512;
-
 struct PwdChanCrypto;
 
 // OpenLDAP based their PBKDF2 implementation on passlib from python, that uses a
@@ -42,6 +52,103 @@ macro_rules! ab64_to_b64 {
     }};
 }
 
+// Create a module for each plugin type to avoid name conflicts
+mod pbkdf2 {
+    use super::*;
+    
+    pub struct PwdChanPbkdf2;
+    slapi_r_plugin_hooks!(pwdchan_pbkdf2, PwdChanPbkdf2);
+    
+    impl super::Pbkdf2Plugin for PwdChanPbkdf2 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha1() }
+        fn scheme_name() -> &'static str { "PBKDF2" }
+    }
+}
+
+mod pbkdf2_sha1 {
+    use super::*;
+    
+    pub struct PwdChanPbkdf2Sha1;
+    slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha1, PwdChanPbkdf2Sha1);
+    
+    impl super::Pbkdf2Plugin for PwdChanPbkdf2Sha1 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha1() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA1" }
+    }
+}
+
+mod pbkdf2_sha256 {
+    use super::*;
+    
+    pub struct PwdChanPbkdf2Sha256;
+    slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha256, PwdChanPbkdf2Sha256);
+    
+    impl super::Pbkdf2Plugin for PwdChanPbkdf2Sha256 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha256() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA256" }
+    }
+}
+
+mod pbkdf2_sha512 {
+    use super::*;
+    
+    pub struct PwdChanPbkdf2Sha512;
+    slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha512, PwdChanPbkdf2Sha512);
+    
+    impl super::Pbkdf2Plugin for PwdChanPbkdf2Sha512 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha512() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA512" }
+    }
+}
+
+// Common trait for PBKDF2 functionality
+trait Pbkdf2Plugin {
+    fn digest_type() -> MessageDigest;
+    fn scheme_name() -> &'static str;
+}
+
+// Implement common plugin functionality
+macro_rules! impl_slapi_pbkdf2_plugin {
+    ($plugin_type:ty) => {
+        impl SlapiPlugin3 for $plugin_type {
+            type TaskData = ();
+
+            fn start(pb: &mut PblockRef) -> Result<(), PluginError> {
+                log_error!(ErrorLevel::Trace, "{} plugin start", Self::scheme_name());
+                PwdChanCrypto::handle_pbkdf2_rounds_config(pb, Self::digest_type())?;
+                Ok(())
+            }
+
+            fn close(_pb: &mut PblockRef) -> Result<(), PluginError> {
+                log_error!(ErrorLevel::Trace, "{} plugin close", Self::scheme_name());
+                Ok(())
+            }
+
+            fn has_pwd_storage() -> bool { 
+                true 
+            }
+
+            fn pwd_scheme_name() -> &'static str {
+                Self::scheme_name()
+            }
+
+            fn pwd_storage_encrypt(cleartext: &str) -> Result<String, PluginError> {
+                PwdChanCrypto::pbkdf2_encrypt(cleartext, Self::digest_type())
+            }
+
+            fn pwd_storage_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
+                PwdChanCrypto::pbkdf2_compare(cleartext, encrypted, Self::digest_type())
+            }
+        }
+    };
+}
+
+// Apply the implementation to all plugin types
+impl_slapi_pbkdf2_plugin!(pbkdf2::PwdChanPbkdf2);
+impl_slapi_pbkdf2_plugin!(pbkdf2_sha1::PwdChanPbkdf2Sha1);
+impl_slapi_pbkdf2_plugin!(pbkdf2_sha256::PwdChanPbkdf2Sha256);
+impl_slapi_pbkdf2_plugin!(pbkdf2_sha512::PwdChanPbkdf2Sha512);
+
 impl PwdChanCrypto {
     #[inline(always)]
     fn pbkdf2_decompose(encrypted: &str) -> Result<(usize, Vec<u8>, Vec<u8>), PluginError> {
@@ -112,6 +219,8 @@ impl PwdChanCrypto {
     }
 
     fn pbkdf2_encrypt(cleartext: &str, digest: MessageDigest) -> Result<String, PluginError> {
+        let rounds = Self::get_pbkdf2_rounds(digest)?;
+
         let (hash_length, str_length, header) = if digest == MessageDigest::sha1() {
             (PBKDF2_SHA1_EXTRACT, 80, "{PBKDF2-SHA1}")
         } else if digest == MessageDigest::sha256() {
@@ -134,7 +243,7 @@ impl PwdChanCrypto {
         pbkdf2_hmac(
             cleartext.as_bytes(),
             &salt,
-            PBKDF2_ROUNDS,
+            rounds,
             digest,
             hash_input.as_mut_slice(),
         )
@@ -147,55 +256,151 @@ impl PwdChanCrypto {
         // Write the header
         output.push_str(header);
         // The iter + delim
-        fmt::write(&mut output, format_args!("{}$", PBKDF2_ROUNDS)).map_err(|e| {
+        write!(&mut output, "{}$", rounds).map_err(|e| {
             log_error!(ErrorLevel::Error, "Format Error -> {:?}", e);
             PluginError::Format
         })?;
         // the base64 salt
         base64::encode_config_buf(&salt, base64::STANDARD, &mut output);
         // Push the delim
-        output.push_str("$");
+        output.push('$');
         // Finally the base64 hash
         base64::encode_config_buf(&hash_input, base64::STANDARD, &mut output);
         // Return it
         Ok(output)
     }
 
-    // Remember, encrypted does *not* have the scheme prepended.
-    #[inline(always)]
-    fn pbkdf2_sha1_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        Self::pbkdf2_compare(cleartext, encrypted, MessageDigest::sha1())
+    // Private helper method to get the appropriate AtomicUsize reference
+    fn get_rounds_atomic(digest: MessageDigest) -> &'static AtomicUsize {
+        match digest {
+            d if d == MessageDigest::sha1() => &PBKDF2_ROUNDS_SHA1,
+            d if d == MessageDigest::sha256() => &PBKDF2_ROUNDS_SHA256,
+            d if d == MessageDigest::sha512() => &PBKDF2_ROUNDS_SHA512,
+            _ => &PBKDF2_ROUNDS,
+        }
     }
 
-    #[inline(always)]
-    fn pbkdf2_sha256_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        Self::pbkdf2_compare(cleartext, encrypted, MessageDigest::sha256())
-    }
+    fn handle_pbkdf2_rounds_config(pb: &mut PblockRef, digest: MessageDigest) -> Result<(), PluginError> {
+        let mut rounds = Self::get_rounds_atomic(digest).load(Ordering::Relaxed);
+        let mut source = "default";
 
-    #[inline(always)]
-    fn pbkdf2_sha512_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        Self::pbkdf2_compare(cleartext, encrypted, MessageDigest::sha512())
-    }
+        // Try to get the entry from the parameter block
+        let entry = pb.get_op_add_entryref()
+            .map_err(|_| PluginError::InvalidConfiguration)?;
 
-    #[inline(always)]
-    fn pbkdf2_sha1_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        Self::pbkdf2_encrypt(cleartext, MessageDigest::sha1())
+        // Check if the rounds attribute exists and get its value
+        if let Some(value_array) = entry.get_attr(PBKDF2_ROUNDS_ATTR) {
+            if let Some(value) = value_array.first() {
+                let rounds_str: String = value
+                    .as_ref()
+                    .try_into()
+                    .map_err(|_| {
+                        log_error!(
+                            ErrorLevel::Error,
+                            "Failed to parse {} value",
+                            PBKDF2_ROUNDS_ATTR
+                        );
+                        PluginError::InvalidConfiguration
+                    })?;
+
+                rounds = rounds_str.parse::<usize>().map_err(|e| {
+                    log_error!(
+                        ErrorLevel::Error,
+                        "Invalid PBKDF2 number of iterations value '{}': {}",
+                        rounds_str,
+                        e
+                    );
+                    PluginError::InvalidConfiguration
+                })?;
+                source = "configuration";
+            }
+        }
+
+        Self::set_pbkdf2_rounds(digest, rounds)?;
+
+        let digest_name = if digest == MessageDigest::sha1() {
+            "SHA1"
+        } else if digest == MessageDigest::sha256() {
+            "SHA256"
+        } else if digest == MessageDigest::sha512() {
+            "SHA512"
+        } else {
+            "Unknown"
+        };
+
+        log_error!(
+            ErrorLevel::Plugin,
+            "handle_pbkdf2_rounds_config -> Number of iterations for PBKDF2-{} password scheme set to {} from {}",
+            digest_name,
+            rounds,
+            source
+        );
+        Ok(())
     }
 
-    #[inline(always)]
-    fn pbkdf2_sha256_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        Self::pbkdf2_encrypt(cleartext, MessageDigest::sha256())
+    fn set_pbkdf2_rounds(digest: MessageDigest, rounds: usize) -> Result<(), PluginError> {
+        if rounds < MIN_PBKDF2_ROUNDS || rounds > MAX_PBKDF2_ROUNDS {
+            log_error!(
+                ErrorLevel::Error,
+                "Invalid PBKDF2 number of iterations {}, must be between {} and {}",
+                rounds,
+                MIN_PBKDF2_ROUNDS,
+                MAX_PBKDF2_ROUNDS
+            );
+            return Err(PluginError::InvalidConfiguration);
+        }
+
+        Self::get_rounds_atomic(digest).store(rounds, Ordering::Relaxed);
+        Ok(())
     }
 
-    #[inline(always)]
-    fn pbkdf2_sha512_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        Self::pbkdf2_encrypt(cleartext, MessageDigest::sha512())
+    fn get_pbkdf2_rounds(digest: MessageDigest) -> Result<usize, PluginError> {
+        let rounds = Self::get_rounds_atomic(digest).load(Ordering::Relaxed);
+        let digest_name = if digest == MessageDigest::sha1() {
+            "SHA1"
+        } else if digest == MessageDigest::sha256() {
+            "SHA256"
+        } else if digest == MessageDigest::sha512() {
+            "SHA512"
+        } else {
+            "Unknown"
+        };
+
+        log_error!(
+            ErrorLevel::Error,
+            "get_pbkdf2_rounds -> PBKDF2 rounds for {} is {}",
+            digest_name,
+            rounds
+        );
+        Ok(rounds)
+        // Ok(Self::get_rounds_atomic(digest).load(Ordering::Relaxed))
     }
 }
 
 #[cfg(test)]
 mod tests {
+    use super::*;
     use crate::PwdChanCrypto;
+
+    struct TestPbkdf2Sha1;
+    struct TestPbkdf2Sha256;
+    struct TestPbkdf2Sha512;
+
+    impl Pbkdf2Plugin for TestPbkdf2Sha1 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha1() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA1" }
+    }
+
+    impl Pbkdf2Plugin for TestPbkdf2Sha256 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha256() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA256" }
+    }
+
+    impl Pbkdf2Plugin for TestPbkdf2Sha512 {
+        fn digest_type() -> MessageDigest { MessageDigest::sha512() }
+        fn scheme_name() -> &'static str { "PBKDF2-SHA512" }
+    }
+
     /*
      * '{PBKDF2}10000$IlfapjA351LuDSwYC0IQ8Q$saHqQTuYnjJN/tmAndT.8mJt.6w'
      * '{PBKDF2-SHA1}10000$ZBEH6B07rgQpJSikyvMU2w$TAA03a5IYkz1QlPsbJKvUsTqNV'
@@ -204,31 +409,123 @@ mod tests {
      * '{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$IyTQMsvzB2JHDiWx8fq7Ew$VhYOA7AL0kbRXI5g2kOyyp8St1epkNj7WZyUY4pAIQQ'
      */
 
+    #[test]
+    fn test_pbkdf2_rounds_configuration() {
+        // Test different rounds for each algorithm
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha1(), 15000).is_ok());
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha256(), 20000).is_ok());
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha512(), 25000).is_ok());
+
+        // Verify each algorithm has its own rounds setting
+        assert_eq!(PwdChanCrypto::get_pbkdf2_rounds(MessageDigest::sha1()).unwrap(), 15000);
+        assert_eq!(PwdChanCrypto::get_pbkdf2_rounds(MessageDigest::sha256()).unwrap(), 20000);
+        assert_eq!(PwdChanCrypto::get_pbkdf2_rounds(MessageDigest::sha512()).unwrap(), 25000);
+    }
+
+    #[test]
+    fn test_pbkdf2_rounds_limits() {
+        // Test limits for SHA1
+        assert!(matches!(
+            PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha1(), MAX_PBKDF2_ROUNDS + 1),
+            Err(PluginError::InvalidConfiguration)
+        ));
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha1(), MIN_PBKDF2_ROUNDS).is_ok());
+
+        // Test invalid rounds for SHA256 - too low
+        assert!(matches!(
+            PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha256(), 5000),
+            Err(PluginError::InvalidConfiguration)
+        ));
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha256(), MAX_PBKDF2_ROUNDS).is_ok());
+
+        // Test invalid rounds for SHA512 - too high
+        assert!(matches!(
+            PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha512(), 2_000_000),
+            Err(PluginError::InvalidConfiguration)
+        ));
+        assert!(PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha512(), MIN_PBKDF2_ROUNDS).is_ok());
+    }
+
+    #[test]
+    fn test_pbkdf2_encrypt_with_different_rounds() {
+        // Set different rounds for each algorithm
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha1(), 15000).unwrap();
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha256(), 20000).unwrap();
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha512(), 25000).unwrap();
+
+        let test_password = "test_password";
+
+        // Test SHA1
+        let result = PwdChanCrypto::pbkdf2_encrypt(test_password, MessageDigest::sha1()).unwrap();
+        assert!(result.contains("15000$"));
+        let encrypted = result.replace("{PBKDF2-SHA1}", "");
+        assert!(PwdChanCrypto::pbkdf2_compare(
+            test_password,
+            &encrypted,
+            MessageDigest::sha1()
+        ).unwrap());
+
+        // Test SHA256
+        let result = PwdChanCrypto::pbkdf2_encrypt(test_password, MessageDigest::sha256()).unwrap();
+        assert!(result.contains("20000$"));
+        let encrypted = result.replace("{PBKDF2-SHA256}", "");
+        assert!(PwdChanCrypto::pbkdf2_compare(
+            test_password,
+            &encrypted,
+            MessageDigest::sha256()
+        ).unwrap());
+
+        // Test SHA512
+        let result = PwdChanCrypto::pbkdf2_encrypt(test_password, MessageDigest::sha512()).unwrap();
+        assert!(result.contains("25000$"));
+        let encrypted = result.replace("{PBKDF2-SHA512}", "");
+        assert!(PwdChanCrypto::pbkdf2_compare(
+            test_password,
+            &encrypted,
+            MessageDigest::sha512()
+        ).unwrap());
+    }
+
+    #[test]
+    fn test_pbkdf2_decompose() {
+        let valid_hash = "10000$salt123$hash456";
+        let result = PwdChanCrypto::pbkdf2_decompose(valid_hash);
+        assert!(result.is_ok());
+        let (iter, salt, hash) = result.unwrap();
+        assert_eq!(iter, 10000);
+
+        // Test invalid format
+        let invalid_hash = "invalid";
+        assert!(PwdChanCrypto::pbkdf2_decompose(invalid_hash).is_err());
+    }
+
     #[test]
     fn pwdchan_pbkdf2_sha1_basic() {
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha1(), 10000).unwrap();
+
         let encrypted = "10000$IlfapjA351LuDSwYC0IQ8Q$saHqQTuYnjJN/tmAndT.8mJt.6w";
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password", encrypted) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password!", encrypted) == Ok(false));
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("incorrect", encrypted) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", encrypted, MessageDigest::sha1()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", encrypted, MessageDigest::sha1()) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("incorrect", encrypted, MessageDigest::sha1()) == Ok(false));
 
-        // this value gave some invalid b64 errors due to trailing bits and padding.
         let encrypted = "10000$ZBEH6B07rgQpJSikyvMU2w$TAA03a5IYkz1QlPsbJKvUsTqNV";
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password", encrypted) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password!", encrypted) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", encrypted, MessageDigest::sha1()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", encrypted, MessageDigest::sha1()) == Ok(false));
 
-        let test_enc = PwdChanCrypto::pbkdf2_sha1_encrypt("password").expect("Failed to hash");
-        // Remove the header and check.
+        let test_enc = PwdChanCrypto::pbkdf2_encrypt("password", MessageDigest::sha1()).expect("Failed to hash");
         let test_enc = test_enc.replace("{PBKDF2-SHA1}", "");
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password", &test_enc) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha1_compare("password!", &test_enc) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", &test_enc, MessageDigest::sha1()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", &test_enc, MessageDigest::sha1()) == Ok(false));
     }
 
     #[test]
     fn pwdchan_pbkdf2_sha256_basic() {
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha256(), 10000).unwrap();
+
         let encrypted = "10000$henZGfPWw79Cs8ORDeVNrQ$1dTJy73v6n3bnTmTZFghxHXHLsAzKaAy8SksDfZBPIw";
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("password", encrypted) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("password!", encrypted) == Ok(false));
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("incorrect", encrypted) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", encrypted, MessageDigest::sha256()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", encrypted, MessageDigest::sha256()) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("incorrect", encrypted, MessageDigest::sha256()) == Ok(false));
 
         // This is a django password with their pbkdf2_sha256$ type.
         // "pbkdf2_sha256$36000$xIEozuZVAoYm$uW1b35DUKyhvQAf1mBqMvoBDcqSD06juzyO/nmyV0+w="
@@ -237,28 +534,30 @@ mod tests {
         //                      eElFb3p1WlZBb1lt
         let encrypted = "36000$eElFb3p1WlZBb1lt$uW1b35DUKyhvQAf1mBqMvoBDcqSD06juzyO/nmyV0+w=";
         assert!(
-            PwdChanCrypto::pbkdf2_sha256_compare("eicieY7ahchaoCh0eeTa", encrypted) == Ok(true)
+            PwdChanCrypto::pbkdf2_compare("eicieY7ahchaoCh0eeTa", encrypted, MessageDigest::sha256()) == Ok(true)
         );
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("password!", encrypted) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", encrypted, MessageDigest::sha256()) == Ok(false));
 
-        let test_enc = PwdChanCrypto::pbkdf2_sha256_encrypt("password").expect("Failed to hash");
+        let test_enc = PwdChanCrypto::pbkdf2_encrypt("password", MessageDigest::sha256()).expect("Failed to hash");
         // Remove the header and check.
         let test_enc = test_enc.replace("{PBKDF2-SHA256}", "");
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("password", &test_enc) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha256_compare("password!", &test_enc) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", &test_enc, MessageDigest::sha256()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", &test_enc, MessageDigest::sha256()) == Ok(false));
     }
 
     #[test]
     fn pwdchan_pbkdf2_sha512_basic() {
+        PwdChanCrypto::set_pbkdf2_rounds(MessageDigest::sha512(), 10000).unwrap();
+
         let encrypted = "10000$Je1Uw19Bfv5lArzZ6V3EPw$g4T/1sqBUYWl9o93MVnyQ/8zKGSkPbKaXXsT8WmysXQJhWy8MRP2JFudSL.N9RklQYgDPxPjnfum/F2f/TrppA";
-        assert!(PwdChanCrypto::pbkdf2_sha512_compare("password", encrypted) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha512_compare("password!", encrypted) == Ok(false));
-        assert!(PwdChanCrypto::pbkdf2_sha512_compare("incorrect", encrypted) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", encrypted, MessageDigest::sha512()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", encrypted, MessageDigest::sha512()) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("incorrect", encrypted, MessageDigest::sha512()) == Ok(false));
 
-        let test_enc = PwdChanCrypto::pbkdf2_sha512_encrypt("password").expect("Failed to hash");
+        let test_enc = PwdChanCrypto::pbkdf2_encrypt("password", MessageDigest::sha512()).expect("Failed to hash");
         // Remove the header and check.
         let test_enc = test_enc.replace("{PBKDF2-SHA512}", "");
-        assert!(PwdChanCrypto::pbkdf2_sha512_compare("password", &test_enc) == Ok(true));
-        assert!(PwdChanCrypto::pbkdf2_sha512_compare("password!", &test_enc) == Ok(false));
+        assert!(PwdChanCrypto::pbkdf2_compare("password", &test_enc, MessageDigest::sha512()) == Ok(true));
+        assert!(PwdChanCrypto::pbkdf2_compare("password!", &test_enc, MessageDigest::sha512()) == Ok(false));
     }
 }
diff --git a/src/plugins/pwdchan/src/pbkdf2.rs b/src/plugins/pwdchan/src/pbkdf2.rs
deleted file mode 100644
index e8ee87b822..0000000000
--- a/src/plugins/pwdchan/src/pbkdf2.rs
+++ /dev/null
@@ -1,44 +0,0 @@
-use crate::PwdChanCrypto;
-use slapi_r_plugin::prelude::*;
-use std::os::raw::c_char;
-
-/*
- *                    /---- plugin ident
- *                    |          /---- Struct name.
- *                    V          V
- */
-slapi_r_plugin_hooks!(pwdchan_pbkdf2, PwdChanPbkdf2);
-
-// PBKDF2 == PBKDF2-SHA1
-struct PwdChanPbkdf2;
-
-impl SlapiPlugin3 for PwdChanPbkdf2 {
-    // We require a newer rust for default associated types.
-    type TaskData = ();
-
-    fn start(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin start");
-        Ok(())
-    }
-
-    fn close(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin close");
-        Ok(())
-    }
-
-    fn has_pwd_storage() -> bool {
-        true
-    }
-
-    fn pwd_scheme_name() -> &'static str {
-        "PBKDF2"
-    }
-
-    fn pwd_storage_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        PwdChanCrypto::pbkdf2_sha1_encrypt(cleartext)
-    }
-
-    fn pwd_storage_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        PwdChanCrypto::pbkdf2_sha1_compare(cleartext, encrypted)
-    }
-}
diff --git a/src/plugins/pwdchan/src/pbkdf2_sha1.rs b/src/plugins/pwdchan/src/pbkdf2_sha1.rs
deleted file mode 100644
index 67afef5cbd..0000000000
--- a/src/plugins/pwdchan/src/pbkdf2_sha1.rs
+++ /dev/null
@@ -1,44 +0,0 @@
-use crate::PwdChanCrypto;
-use slapi_r_plugin::prelude::*;
-use std::os::raw::c_char;
-
-/*
- *                    /---- plugin ident
- *                    |          /---- Struct name.
- *                    V          V
- */
-slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha1, PwdChanPbkdf2Sha1);
-
-// PBKDF2 == PBKDF2-SHA1
-struct PwdChanPbkdf2Sha1;
-
-impl SlapiPlugin3 for PwdChanPbkdf2Sha1 {
-    // We require a newer rust for default associated types.
-    type TaskData = ();
-
-    fn start(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin start");
-        Ok(())
-    }
-
-    fn close(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin close");
-        Ok(())
-    }
-
-    fn has_pwd_storage() -> bool {
-        true
-    }
-
-    fn pwd_scheme_name() -> &'static str {
-        "PBKDF2-SHA1"
-    }
-
-    fn pwd_storage_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        PwdChanCrypto::pbkdf2_sha1_encrypt(cleartext)
-    }
-
-    fn pwd_storage_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        PwdChanCrypto::pbkdf2_sha1_compare(cleartext, encrypted)
-    }
-}
diff --git a/src/plugins/pwdchan/src/pbkdf2_sha256.rs b/src/plugins/pwdchan/src/pbkdf2_sha256.rs
deleted file mode 100644
index efe3fb3836..0000000000
--- a/src/plugins/pwdchan/src/pbkdf2_sha256.rs
+++ /dev/null
@@ -1,43 +0,0 @@
-use crate::PwdChanCrypto;
-use slapi_r_plugin::prelude::*;
-use std::os::raw::c_char;
-
-/*
- *                    /---- plugin ident
- *                    |          /---- Struct name.
- *                    V          V
- */
-slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha256, PwdChanPbkdf2Sha256);
-
-struct PwdChanPbkdf2Sha256;
-
-impl SlapiPlugin3 for PwdChanPbkdf2Sha256 {
-    // We require a newer rust for default associated types.
-    type TaskData = ();
-
-    fn start(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin start");
-        Ok(())
-    }
-
-    fn close(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin close");
-        Ok(())
-    }
-
-    fn has_pwd_storage() -> bool {
-        true
-    }
-
-    fn pwd_scheme_name() -> &'static str {
-        "PBKDF2-SHA256"
-    }
-
-    fn pwd_storage_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        PwdChanCrypto::pbkdf2_sha256_encrypt(cleartext)
-    }
-
-    fn pwd_storage_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        PwdChanCrypto::pbkdf2_sha256_compare(cleartext, encrypted)
-    }
-}
diff --git a/src/plugins/pwdchan/src/pbkdf2_sha512.rs b/src/plugins/pwdchan/src/pbkdf2_sha512.rs
deleted file mode 100644
index b0ed2bea8f..0000000000
--- a/src/plugins/pwdchan/src/pbkdf2_sha512.rs
+++ /dev/null
@@ -1,43 +0,0 @@
-use crate::PwdChanCrypto;
-use slapi_r_plugin::prelude::*;
-use std::os::raw::c_char;
-
-/*
- *                    /---- plugin ident
- *                    |          /---- Struct name.
- *                    V          V
- */
-slapi_r_plugin_hooks!(pwdchan_pbkdf2_sha512, PwdChanPbkdf2Sha512);
-
-struct PwdChanPbkdf2Sha512;
-
-impl SlapiPlugin3 for PwdChanPbkdf2Sha512 {
-    // We require a newer rust for default associated types.
-    type TaskData = ();
-
-    fn start(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin start");
-        Ok(())
-    }
-
-    fn close(_pb: &mut PblockRef) -> Result<(), PluginError> {
-        log_error!(ErrorLevel::Trace, "plugin close");
-        Ok(())
-    }
-
-    fn has_pwd_storage() -> bool {
-        true
-    }
-
-    fn pwd_scheme_name() -> &'static str {
-        "PBKDF2-SHA512"
-    }
-
-    fn pwd_storage_encrypt(cleartext: &str) -> Result<String, PluginError> {
-        PwdChanCrypto::pbkdf2_sha512_encrypt(cleartext)
-    }
-
-    fn pwd_storage_compare(cleartext: &str, encrypted: &str) -> Result<bool, PluginError> {
-        PwdChanCrypto::pbkdf2_sha512_compare(cleartext, encrypted)
-    }
-}
diff --git a/src/slapi_r_plugin/src/error.rs b/src/slapi_r_plugin/src/error.rs
index 228568efa0..be8a1cb1d3 100644
--- a/src/slapi_r_plugin/src/error.rs
+++ b/src/slapi_r_plugin/src/error.rs
@@ -24,6 +24,8 @@ pub enum PluginError {
     InvalidBase64 = 1009,
     OpenSSL = 1010,
     Format = 1011,
+    LockError = 1012,
+    InvalidConfiguration = 1013,
 }
 
 #[derive(Debug)]
diff --git a/src/slapi_r_plugin/src/pblock.rs b/src/slapi_r_plugin/src/pblock.rs
index 3ff6b9f9ca..18d54d47db 100644
--- a/src/slapi_r_plugin/src/pblock.rs
+++ b/src/slapi_r_plugin/src/pblock.rs
@@ -86,7 +86,7 @@ impl PblockRef {
         match unsafe { slapi_pblock_get(self.raw_pb, req_type as i32, value_ptr) } {
             0 => Ok(value),
             e => {
-                log_error!(ErrorLevel::Error, "enable to get from pblock -> {:?}", e);
+                log_error!(ErrorLevel::Error, "Unable to get from pblock -> {:?}", e);
                 Err(())
             }
         }
@@ -98,7 +98,7 @@ impl PblockRef {
         match unsafe { slapi_pblock_get(self.raw_pb, req_type as i32, value_ptr) } {
             0 => Ok(value),
             e => {
-                log_error!(ErrorLevel::Error, "enable to get from pblock -> {:?}", e);
+                log_error!(ErrorLevel::Error, "Unable to get from pblock -> {:?}", e);
                 Err(())
             }
         }

From 802fb91aa33b3b0332137fdf89f6c922f2cc67d2 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Fri, 20 Dec 2024 09:33:37 -0800
Subject: [PATCH 2/2] Fix Pierre's comments

---
 .../tests/suites/password/pbkdf2_upgrade_plugin_test.py   | 8 ++++----
 dirsrvtests/tests/suites/pwp_storage/storage_test.py      | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
index 65c9bed939..6652013b15 100644
--- a/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
+++ b/dirsrvtests/tests/suites/password/pbkdf2_upgrade_plugin_test.py
@@ -8,7 +8,7 @@
 #
 import pytest
 from lib389.topologies import topology_st
-from lib389.password_plugins import PBKDF2SHA512Plugin
+from lib389.password_plugins import PBKDF2SHA256Plugin
 from lib389.utils import ds_is_older
 
 pytestmark = pytest.mark.tier1
@@ -35,18 +35,18 @@ def test_pbkdf2_upgrade(topology_st):
 
     """
     # Remove the pbkdf2 plugin config
-    p1 = PBKDF2SHA512Plugin(topology_st.standalone)
+    p1 = PBKDF2SHA256Plugin(topology_st.standalone)
     assert(p1.exists())
     p1._protected = False
     p1.delete()
     # Restart
     topology_st.standalone.restart()
     # check it's been readded.
-    p2 = PBKDF2SHA512Plugin(topology_st.standalone)
+    p2 = PBKDF2SHA256Plugin(topology_st.standalone)
     assert(p2.exists())
     # Now restart to make sure we still work from the non-bootstrap form
     topology_st.standalone.restart()
-    p3 = PBKDF2SHA512Plugin(topology_st.standalone)
+    p3 = PBKDF2SHA256Plugin(topology_st.standalone)
     assert(p3.exists())
 
 
diff --git a/dirsrvtests/tests/suites/pwp_storage/storage_test.py b/dirsrvtests/tests/suites/pwp_storage/storage_test.py
index db254cdc73..4ee7e896be 100644
--- a/dirsrvtests/tests/suites/pwp_storage/storage_test.py
+++ b/dirsrvtests/tests/suites/pwp_storage/storage_test.py
@@ -390,7 +390,7 @@ def test_check_two_scheme(topo):
 
 @pytest.mark.skipif(ds_is_older('1.4'), reason="Not implemented")
 def test_check_pbkdf2_sha512(topo):
-    """Check password scheme PBKDF2-SHA512.
+    """Check password scheme PBKDF2-SHA512 is restored after deletion
 
     :id: 31612e7e-33a6-11ea-a750-8c16451d917b
     :setup: Standalone
@@ -409,7 +409,7 @@ def test_check_pbkdf2_sha512(topo):
     plg._protected = False
     plg.delete()
     topo.standalone.restart()
-    assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == 'PBKDF2-SHA512'
+    assert Config(topo.standalone).get_attr_val_utf8('passwordStorageScheme') == value
     assert topo.standalone.status()
     user.delete()