Re: OpenLDAP Password Encryption
Myles Merrell wrote:
>
> I'm working on our LDAP server, we want to be sure to encrypt the
> password.
Currently there's no password scheme implemented in OpenLDAP for
reversible encryption of passwords (or other attributes).
> We also want to be able to decrypt the passwords if a user
> loses their passwords, and we need to send it to them.
That's very bad practice for this use-case anyway. Good practice is to
reset the password to a new (random) value and force the user to reset
his password during next logon.
=> so you don't need reversible encryption for passwords at all
Normally I'm setting ACLs for userPassword to be *write-only*.
access to attrs=userPassword
    by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=de" =wx
    by self =wx
    by * =x
Ciao, Michael.
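
The reset-instead-of-decrypt procedure described in the reply above, as an added example that is not part of the original message. It assumes the server stores {SSHA} hashes and that the ppolicy overlay is configured so that pwdReset forces a change at next logon; the function names and the sample DN are made up for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def random_password(length=16):
    """Temporary password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ssha(password, salt=None):
    """OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Compare a password with a stored {SSHA} value, as the server does at bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def reset_ldif(dn, hashed):
    """LDIF for ldapmodify: replace the hash and flag the entry for a forced change."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "-",
        "replace: pwdReset",  # assumption: ppolicy overlay is configured
        "pwdReset: TRUE",
        "",
    ])


if __name__ == "__main__":
    temp = random_password()
    # Constructed sample DN, not taken from the original message.
    print(reset_ldif("uid=jdoe,ou=People,dc=example,dc=org", ssha(temp)), end="")
    print("# hand to the user out of band:", temp)
```

Only the salted hash reaches the directory, so the write-only ACL and the reset flow together mean nobody ever needs to read a stored password back.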