[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Password Encryption

Myles Merrell wrote:
> I'm working on our LDAP server, we want to be sure to encrypt the
> password.

Currently there's no password scheme implemented in OpenLDAP for
reversible encryption of passwords (or other attributes).

> We also want to be able to decrypt the passwords if a user
> loses their passwords, and we need to send it to them.

That's very bad practice for this use-case anyway. Good practice is to
reset the password to a new (random) value and force the user to reset
his password during next logon.
=> so you don't need reversible encryption for passwords at all

Normally I'm setting ACLs for userPassword to be *write-only*.

access to attrs=userPassword
    by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=de" =wx
    by self =wx
    by * =x

Ciao, Michael.