Importing Users with pbkdf2 Hashed Passwords

Overview

After importing users with the pbkdf2 algorithm, the users cannot log in. 

Applies To
  • pbkdf2 algorithm
Cause
There could be different causes:
  • The algorithm is not correct
  • The string value lacks salt
  • The length is not correct
  • The digest is not correct
Solution

The hash.value must be provided in the PHC string format. The digest should be appended after the pbkdf2 part of the string with a dash: pbkdf2-<digest>

"value": "$pbkdf2-sha1$i=1000,l=64${salt}${hash}"
  • i is the iteration count (integer)
  • l is the derived key length / dklen (an integer equal to the number of bytes, e.g. a 512-bit key would be 64 bytes)

Both the salt and hash need to be B64 encoded - i.e. base64 with padding characters omitted ('=').

A common pitfall is to use a B64 encoding tool that expects a UTF-8/ASCII string when the hash in the legacy system is encoded differently, for example hexadecimal. Please ensure the correct input encoding for the chosen tool is used when deriving the B64 encoded value for the import JSON.
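The conversion and the encoding pitfall described above, as an added example that is not part of the original article or the vendor's tooling. It assumes a legacy system that stores salt and hash as hexadecimal text; the record is constructed and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def b64_nopad(raw: bytes) -> str:
    """B64 as the article defines it: base64 with '=' padding omitted."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def b64_nopad_decode(text: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.b64decode(text + "=" * (-len(text) % 4))

def to_phc(digest: str, iterations: int, salt: bytes, key: bytes) -> str:
    """Build $pbkdf2-<digest>$i=<iterations>,l=<dklen>$<salt>$<hash>."""
    return "$pbkdf2-{}$i={},l={}${}${}".format(
        digest, iterations, len(key), b64_nopad(salt), b64_nopad(key))

def verify(phc: str, password: str) -> bool:
    """Pre-import check: recompute PBKDF2 from the string's own parameters."""
    _, scheme, params, salt_b64, hash_b64 = phc.split("$")
    digest = scheme.split("-", 1)[1]
    p = dict(kv.split("=") for kv in params.split(","))
    stored = b64_nopad_decode(hash_b64)
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                  b64_nopad_decode(salt_b64),
                                  int(p["i"]), int(p["l"]))
    return hmac.compare_digest(derived, stored)

# Constructed legacy record (not real data): hex-encoded salt and hash.
PASSWORD = "correct horse battery staple"
LEGACY_SALT_HEX = "00112233445566778899aabbccddeeff"
LEGACY_HASH_HEX = hashlib.pbkdf2_hmac(
    "sha1", PASSWORD.encode("utf-8"),
    bytes.fromhex(LEGACY_SALT_HEX), 1000, 64).hex()

SALT = bytes.fromhex(LEGACY_SALT_HEX)
# Correct: decode the hex to raw bytes first, then B64-encode the bytes.
GOOD = to_phc("sha1", 1000, SALT, bytes.fromhex(LEGACY_HASH_HEX))
# Pitfall: B64-encoding the hex *text* as ASCII doubles the length (l=128)
# and yields a value that no password will ever match.
BAD = to_phc("sha1", 1000, SALT, LEGACY_HASH_HEX.encode("ascii"))

if __name__ == "__main__":
    for label, phc in (("good", GOOD), ("bad", BAD)):
        print(label, verify(phc, PASSWORD), phc[:40] + "...")
```

Running `verify` against a known test password before building the import JSON catches a wrong digest, length, salt or input encoding while the legacy system is still available for comparison.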
