Myles Merrell wrote:
> I'm working on our LDAP server, we want to be sure to encrypt the password.
Currently there's no password scheme implemented in OpenLDAP for reversible encryption of passwords (or other attributes).
> We also want to be able to decrypt the passwords if a user loses their passwords, and we need to send it to them.
That's very bad practice for this use-case anyway. Good practice is to reset the password to a new (random) value and force the user to reset his password during next logon. => so you don't need reversible encryption for passwords at all
Normally I'm setting ACLs for userPassword to be *write-only*.
access to attrs=userPassword
    by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=de" =wx
    by self =wx
    by * =x
Ciao, Michael.
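Added illustration, not part of the thread and not slapd's own code: a small Python model of how slapd picks the first matching "by" clause, run over the ACL quoted above. It shows why the exact form "=wx" matters: self and the password admins can change userPassword and bind against it, but cannot read the stored value back, whereas the cumulative level name "write" would imply read. The user and admin DNs and the group membership table are constructed; only the three "who" forms used in this ACL are modelled.

```python
import re

# Privilege letters from slapd.access(5), lowest to highest. A named level
# such as "write" implies every level below it; "=wx" grants exactly w and x.
LEVELS = "0dxcsrw"   # none, disclose, auth, compare, search, read, write
LEVEL_NAMES = {"none": "0", "disclose": "d", "auth": "x", "compare": "c",
               "search": "s", "read": "r", "write": "w"}

# The ACL from the message above, on one line.
ACL = ('access to attrs=userPassword '
       'by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=de" =wx '
       'by self =wx '
       'by * =x')

# Only the "who" forms present in that ACL are modelled: *, self, group="...".
CLAUSE_RE = re.compile(r'by\s+(\*|self|group="[^"]+")\s+(=\w+|\w+)')

def parse_acl(acl):
    """Ordered list of (who, privilege set) pairs from the 'by' clauses."""
    clauses = []
    for who, access in CLAUSE_RE.findall(acl):
        if access.startswith("="):
            privs = set(access[1:])                # exact set, nothing implied
        else:
            top = LEVELS.index(LEVEL_NAMES[access])
            privs = set(LEVELS[1:top + 1])         # cumulative named level
        clauses.append((who, privs))
    return clauses

def allowed(acl, requester, target, groups, priv):
    """First matching 'by' clause decides, as in slapd; no match means deny.
    requester/target are DNs ("" is anonymous); groups maps a DN to the
    group DNs it belongs to (a constructed stand-in for a group lookup)."""
    for who, privs in parse_acl(acl):
        if who == "*":
            return priv in privs
        if who == "self" and requester and requester == target:
            return priv in privs
        if who.startswith("group=") and who[7:-1] in groups.get(requester, ()):
            return priv in privs
    return False

# Constructed sample directory: one password admin and one ordinary user.
ADMIN = "cn=pwadmin,ou=People,dc=stroeder,dc=de"
USER = "uid=alice,ou=People,dc=stroeder,dc=de"
GROUPS = {ADMIN: {"cn=Password Admins,ou=Groups,dc=stroeder,dc=de"}}

def effective(acl, requester, target=USER, groups=GROUPS):
    """Which of read/write/auth the requester gets on target's userPassword."""
    return "".join(p for p in "rwx" if allowed(acl, requester, target, groups, p))
```

Real slapd evaluates more "who" forms and has further rules (e.g. the first matching "access to" directive wins), so this is a teaching model of the privilege-letter semantics, not a substitute for testing with ldapsearch against the live server.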