On Apr 9, 2009, at 12:24 PM, Myles Merrell wrote:
I'm working on our LDAP server, we want to be sure to encrypt the
password. We also want to be able to decrypt the passwords if a
user loses their passwords, and we need to send it to them.
I've done a lot of research on encrypting the passwords, but none of
the methods I have seen allow you to easily decrypt the password
using a private key or something like that.
Is this possible, if so how?
There are a variety of password authentication scheme's that openldap
can use, some of which may keep your password in plaintext form, and
some that don't.
It also depends on what kind of effort you want your end-users to have
to use/update their password.
For example, I have an openldap setup which supports smd5 hashed
passwords, as well as sasl. sasl happens to store the plaintext
password in a separate database, with openldap holding just the smd5
hashed password. But, for the user to change their password, I had to
write a special app to update both locations at the same time. It was
non-trivial to get this system up and working (getting sasl & openldap
working together properly was a pain on my system).
If I had just supported smd5 hashed passwords, then users could use
the standard ldap tool to change their password.
However, 99 out of 100 security experts recommend just providing a
system to update passwords, rather than having a way to retrieve an