
Re: OpenLDAP Password Encryption



Myles Merrell wrote:
> 
> I'm working on our LDAP server, we want to be sure to encrypt the
> password.

Currently there's no password scheme implemented in OpenLDAP for
reversible encryption of passwords (or other attributes).

> We also want to be able to decrypt the passwords if a user
> loses their password, and we need to send it to them.

That's very bad practice for this use-case anyway. Good practice is to
reset the password to a new (random) value and force the user to change
his password at next logon.
=> so you don't need reversible encryption for passwords at all

Normally I set ACLs for userPassword to be *write-only*.

access to attrs=userPassword
    by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=de" =wx
    by self =wx
    by * =x

Ciao, Michael.
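The reset-instead-of-decrypt flow described above, as an added example that is not part of the original mail or of OpenLDAP itself: it builds a userPassword value in OpenLDAP's default {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt), verifies a candidate password against it the way slapd does on bind, and generates a random reset password for a constructed sample entry. The pwdReset attribute is an assumption that the ppolicy overlay is in use; the entry DN and attributes are constructed sample data.

```python
import base64
import hashlib
import os
import secrets
import string
from typing import Dict, Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in OpenLDAP's {SSHA} scheme.

    Layout is base64(SHA-1(password || salt) || salt). slapd uses a 4-byte
    salt; any length works for verification because the salt is whatever
    follows the 20-byte digest.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (one-way only)."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        return False  # no salt present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so a wrong guess does not leak digest prefixes
    return secrets.compare_digest(candidate, digest)


def random_reset_password(length: int = 16) -> str:
    """Generate a throw-away password from a CSPRNG for the reset mail."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_entry_password(entry: Dict[str, str], length: int = 16) -> Tuple[Dict[str, str], str]:
    """Replace the entry's hash with one for a fresh random password.

    Returns the updated entry and the cleartext to hand to the user once.
    Nothing reversible is stored: the old hash is simply overwritten.
    """
    new_pw = random_reset_password(length)
    updated = dict(entry)
    updated["userPassword"] = ssha_hash(new_pw)
    # Assumption: the ppolicy overlay is loaded, so pwdReset=TRUE makes
    # slapd require a password change before the user may do anything else.
    updated["pwdReset"] = "TRUE"
    return updated, new_pw


def ldif_for_reset(dn: str, updated: Dict[str, str]) -> str:
    """Render the change as an LDIF modify, as a Password Admin would ldapmodify it."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {updated['userPassword']}\n"
        "-\n"
        "replace: pwdReset\n"
        f"pwdReset: {updated['pwdReset']}\n"
    )


if __name__ == "__main__":
    # constructed sample entry, not real directory data
    sample = {"uid": "mmerrell", "userPassword": ssha_hash("old-secret")}
    new_entry, cleartext = reset_entry_password(sample)
    print(ldif_for_reset("uid=mmerrell,ou=People,dc=example,dc=com", new_entry))
    print("tell the user:", cleartext)
    print("old password still valid?", ssha_verify("old-secret", new_entry["userPassword"]))
    print("new password valid?", ssha_verify(cleartext, new_entry["userPassword"]))
```

With the ACL from the mail, `by * =x` grants only auth access, so slapd can run exactly the ssha_verify step on a simple bind but no client, not even the user, can read the stored value back; `=wx` for self and the Password Admins group is what allows the LDIF above to be applied. Verification after the reset shows the old hash is gone, which is all a help desk needs: the cleartext exists once, in the reset mail, and never in the directory.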