I have been struggling with this for days now, trying different setups to no avail. I have OpenLDAP 2.3.40 installed and functioning (at least enough to read) with a MySQL backend that is configured through unixODBC. I want to map the 'userPassword' attribute to a MySQL view that will contain the information from our other MySQL databases, such as username, name_first, password, salt, etc. Now the problem becomes how to read the encrypted format of our passwords. Our passwords are stored in MySQL the following way:

UPDATE user SET salt="'.$salt.'", password=SHA1(AES_ENCRYPT("'.$string.'","'.$salt.'")) WHERE id='.$this->id

where salt is generated by:

$salt = substr(md5(uniqid(rand(), true)), 0, 64);

Now I know that OpenLDAP doesn't support AES_ENCRYPTION; however, it does support SHA. Now, the problem with this setup seems to be that I can't find a way to un-SHA the passwords and then have it do an AES_DECRYPT. So I have been trying to switch the SHA and AES around so that, when a password is stored, it is actually SHA encrypted first and then AES_ENCRYPTED over top of that (granted, not quite as secure). I think that would enable me to use the AES_DECRYPT function in my 'ldap_attr_mappings' table to read the decrypted AES passwords and then just check them with SHA. I have been trying to figure out all the base64 encoding that I have to mess with to read the encrypted formats, with not much luck. Has anyone done anything similar to this before? Is there a better way to read our encrypted MySQL passwords? This LDAP is going to be used for VPN authentication, so I'm not concerned with writing data to it; I just need to be able to read a user's password. Thanks.
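The following is an added MySQL example, not code from the post above, that works through both storage layouts the post describes: the current one, SHA1(AES_ENCRYPT(pw, salt)), which can only be checked by recomputing it, and the swapped one, AES_ENCRYPT(SHA1(pw), salt), which AES_DECRYPT can turn back into a SHA1 value for an OpenLDAP {SHA} mapping. The table name `user` and columns id, username, salt and password follow the post; the sample row, the `ldap_user` view name and the password 's3cret' are constructed for the example. It assumes MySQL 5.6 or later for TO_BASE64() and the server default block_encryption_mode (aes-128-ecb). Note that md5() in PHP returns 32 hex characters, so the post's substr(..., 0, 64) still yields a 32-character salt, which is why the column below is CHAR(32).

```sql
-- Added example, not from the original post. Assumes MySQL 5.6+ (TO_BASE64)
-- and the default block_encryption_mode 'aes-128-ecb'.

CREATE TABLE user (
  id       INT PRIMARY KEY,
  username VARCHAR(64) NOT NULL,
  salt     CHAR(32)    NOT NULL,        -- PHP md5() hex is 32 chars, substr(...,0,64) does not lengthen it
  password VARBINARY(64) NOT NULL       -- AES_ENCRYPT() returns binary; a VARCHAR column would mangle it
);

-- Layout A: what the post stores today, SHA1(AES_ENCRYPT(pw, salt)).
-- Constructed sample row; MD5('demo-uniqid') stands in for the PHP-generated salt.
INSERT INTO user (id, username, salt, password)
VALUES (1, 'alice', MD5('demo-uniqid'),
        SHA1(AES_ENCRYPT('s3cret', MD5('demo-uniqid'))));

-- SHA1() is one-way, so layout A cannot be "un-SHA'd". The only check possible is
-- to recompute the same transformation with the stored salt and compare.
-- One returned row means the candidate password matched.
SELECT id, username
FROM user
WHERE username = 'alice'
  AND password = SHA1(AES_ENCRYPT('s3cret', salt));

-- Layout B: the swapped order the post proposes, AES_ENCRYPT(SHA1(pw), salt).
-- SHA1() yields 40 hex chars; AES pads that to 48 bytes, so VARBINARY(64) still fits.
UPDATE user
SET password = AES_ENCRYPT(SHA1('s3cret'), salt)
WHERE id = 1;

-- Reading layout B back in the form OpenLDAP's {SHA} scheme expects:
-- '{SHA}' followed by base64 of the raw 20-byte digest. MySQL's SHA1() returns
-- hex, so UNHEX() must run before base64, otherwise LDAP compares against the
-- base64 of the 40-character hex string and every bind fails.
CREATE VIEW ldap_user AS
SELECT id,
       username,
       CONCAT('{SHA}', TO_BASE64(UNHEX(AES_DECRYPT(password, salt)))) AS userPassword
FROM user;

-- This is the view a back-sql attribute mapping for userPassword would read from.
SELECT username, userPassword FROM ldap_user;

-- Same check as layout A's SELECT, but against the decrypted hash directly.
SELECT id
FROM user
WHERE username = 'alice'
  AND AES_DECRYPT(password, salt) = SHA1('s3cret');
```

Two caveats worth weighing before adopting layout B. First, the "salt" is the AES key and sits in the same row as the ciphertext, so anyone holding a dump of the table can run AES_DECRYPT themselves and ends up with plain, unsalted SHA1 hashes of every password; the salt adds nothing against offline cracking in that layout. Second, in layout A the candidate password travels inside the query text, so it will appear in the general query log or slow query log if either is enabled on the server; a server-side check of that kind should be done over a prepared statement on a connection you trust.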