On Apr 9, 2009, at 12:24 PM, Myles Merrell wrote:

I'm working on our LDAP server, we want to be sure to encrypt the password. We also want to be able to decrypt the passwords if a user loses their passwords, and we need to send it to them.

I've done a lot of research on encrypting the passwords, but none of the methods I have seen allow you to easily decrypt the password using a private key or something like that.

Is this possible, if so how?

thanks. myles.

"It Depends".

There are a variety of password authentication scheme's that openldap can use, some of which may keep your password in plaintext form, and some that don't.

It also depends on what kind of effort you want your end-users to have to use/update their password.

For example, I have an openldap setup which supports smd5 hashed passwords, as well as sasl. sasl happens to store the plaintext password in a separate database, with openldap holding just the smd5 hashed password. But, for the user to change their password, I had to write a special app to update both locations at the same time. It was non-trivial to get this system up and working (getting sasl & openldap working together properly was a pain on my system).

If I had just supported smd5 hashed passwords, then users could use the standard ldap tool to change their password.

However, 99 out of 100 security experts recommend just providing a system to update passwords, rather than having a way to retrieve an existing password.

Eli