[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Password Encryption

To: openldap-software@openldap.org
Subject: Re: OpenLDAP Password Encryption
From: Eli Bach <ebach2@gmail.com>
Date: Thu, 9 Apr 2009 16:49:18 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:subject :mime-version:date:references:x-mailer; bh=8Uc8A4ln72hfNQBNwGzmopiNu1Q4u8pD6+ofYKobxHM=; b=jw4y/nEt8zFqU+oj87nc8V+bBZRxg73WWHCpoxz3g3Rbf3wdlnH/ktQ2MLBvaHj7a5 6mzSoFCzRKKlkQQLkK0XdWvImWB4gCz/zY4h2rgM2k2AGAZb990kbyX6zy+mCU4oQjhf uTPPi0iQmXcQEZkWgqpjNaAxAFoFclWPO6MB8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:subject:mime-version:date:references :x-mailer; b=QpT8FF7mcZdXa21eoMHQ1h68P/Xh3dlv99jJWl4mz2GZwULhazN43GRuEPZSzVA/V8 RAxxVDCX+6AXlLrPHqR9HMiemvDkj0YH2XH3VynIgfGgxV/+weFNkP+JNV46CgKPXX+j tlh0Fvzhj3kVTtkzCzJL6SasK26puUX9/Sj9Y=
In-reply-to: <49DE4B63.4010406@cleverex.com>
References: <49DE4B63.4010406@cleverex.com>


On Apr 9, 2009, at 12:24 PM, Myles Merrell wrote:

I'm working on our LDAP server, we want to be sure to encrypt thepassword. We also want to be able to decrypt the passwords if auser loses their passwords, and we need to send it to them.
I've done a lot of research on encrypting the passwords, but none ofthe methods I have seen allow you to easily decrypt the passwordusing a private key or something like that.
Is this possible, if so how?

thanks.
myles.


"It Depends".

There are a variety of password authentication scheme's that openldapcan use, some of which may keep your password in plaintext form, andsome that don't.

It also depends on what kind of effort you want your end-users to haveto use/update their password.

For example, I have an openldap setup which supports smd5 hashedpasswords, as well as sasl. sasl happens to store the plaintextpassword in a separate database, with openldap holding just the smd5hashed password. But, for the user to change their password, I had towrite a special app to update both locations at the same time. It wasnon-trivial to get this system up and working (getting sasl & openldapworking together properly was a pain on my system).

If I had just supported smd5 hashed passwords, then users could usethe standard ldap tool to change their password.

However, 99 out of 100 security experts recommend just providing asystem to update passwords, rather than having a way to retrieve anexisting password.

Eli

References:
- OpenLDAP Password Encryption
  - From: Myles Merrell <mmerrell@cleverex.com>

Prev by Date: OpenLDAP Password Encryption
Next by Date: Re: openldap getting very slow
Index(es):
- Chronological
- Thread