Issue #591 has been updated by David Coutadeur.

Status changed from New to Closed
% Done changed from 0 to 100

An example of such a script, passwordhk.pl, is available in the misc/ directory of the trunk and branches/v2.0 repositories. See r1826 for trunk and r1827 for branches/v2.0.

The difficult point here was to understand and code the key padding (\0) and the cleartext padding (PKCS5 padding) used in LSC.

Warning:
- ECB mode for AES is very weak and discouraged!
- the key written in a file very often contains an LF at the end, which is taken as part of the key (in LSC and in this script).
- truncating the key with "\0" to 16 bytes (128 bits) is a security weakness and is discouraged.

----------------------------------------
Feature #591: add script example for passwordhk (AES, SSHA)
http://tools.lsc-project.org/issues/591

Author: David Coutadeur
Status: Closed
Priority: Normal
Assigned to: David Coutadeur
Category: Administration
Target version: trunk

Synchronization to Active Directory referentials sometimes implies password synchronization issues. In order to push a password to Active Directory, you must have it in cleartext. This is a security weakness, and the solution is to encrypt the password with a 2-way cipher algorithm, for example using LSC's AES cipher capabilities.

Sometimes it is also a good idea to get the Windows password changes back to the source directory. This can be done with the password filter hook. This component needs a script in order to achieve the password change. This script (in Perl, for example) would do the following:
- compute the AES password given the cleartext one (warning: in the same way as LSC does!),
- compute the SSHA password given the cleartext one,
- push these passwords to a given LDAP directory (into the user entry specified by the sAMAccountName).
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-dev mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-dev
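The encoding steps the ticket describes, written out as an added example in Go. This is not passwordhk.pl and not LSC's own code; it models what the ticket says about the scheme (a key \0-padded or truncated to 16 bytes, PKCS5 padding on the cleartext, AES in ECB mode, an {SSHA} hash) so the pitfalls it lists can be seen on real bytes. Assumptions: that these steps match LSC's byte-for-byte behaviour is taken from the ticket text alone and was not checked against LSC's Java implementation; the {SSHA} layout base64(sha1(password || salt) || salt) and the 8-byte salt follow the usual OpenLDAP convention, which the ticket does not specify; the LDAP push into the sAMAccountName entry is left out. The key helper reports a trailing LF and a truncation rather than silently fixing them, so an operator can see when the key the script derives differs from the one they meant to configure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

const aesBlockSize = 16

// lscKey models the key handling the ticket describes (assumed, not checked against
// LSC's own code): raw key bytes are copied into a 16-byte buffer, so a short key is
// \0-padded and a long key is truncated. A trailing LF is reported, not removed.
func lscKey(raw []byte) (key []byte, truncated, hasTrailingLF bool) {
	hasTrailingLF = len(raw) > 0 && raw[len(raw)-1] == '\n'
	key = make([]byte, aesBlockSize)
	n := copy(key, raw)
	return key, n < len(raw), hasTrailingLF
}

// pkcs5Pad appends 1..16 bytes, each holding the pad length (a full block gains a whole pad block).
func pkcs5Pad(data []byte) []byte {
	padLen := aesBlockSize - len(data)%aesBlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
}

// pkcs5Unpad rejects malformed padding instead of returning garbage.
func pkcs5Unpad(data []byte) ([]byte, error) {
	padLen := int(data[len(data)-1])
	if padLen < 1 || padLen > aesBlockSize || padLen > len(data) ||
		!bytes.Equal(data[len(data)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, fmt.Errorf("bad PKCS5 padding")
	}
	return data[:len(data)-padLen], nil
}

// runECB applies a one-block primitive to every block independently. This is the ECB
// mode the ticket warns about: equal plaintext blocks always give equal ciphertext blocks.
func runECB(op func(dst, src []byte), data []byte) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aesBlockSize {
		op(out[i:i+aesBlockSize], data[i:i+aesBlockSize])
	}
	return out
}

func encryptAESECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return runECB(block.Encrypt, pkcs5Pad(plaintext)), nil
}

func decryptAESECB(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aesBlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(runECB(block.Decrypt, ciphertext))
}

// ssha builds the LDAP {SSHA} value: base64(sha1(password || salt) || salt).
// This layout is the usual OpenLDAP convention; the ticket does not spell it out.
func ssha(password, salt []byte) string {
	h := sha1.New()
	h.Write(password)
	h.Write(salt)
	return "{SSHA}" + base64.StdEncoding.EncodeToString(append(h.Sum(nil), salt...))
}

// verifySSHA recomputes the digest with the stored salt and compares in constant time.
func verifySSHA(password, stored string) bool {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "{SSHA}"))
	if err != nil || !strings.HasPrefix(stored, "{SSHA}") || len(raw) <= sha1.Size {
		return false
	}
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(raw[sha1.Size:])
	return subtle.ConstantTimeCompare(raw[:sha1.Size], h.Sum(nil)) == 1
}

func main() {
	key, truncated, lf := lscKey([]byte("secret\n")) // constructed key-file content with the trailing LF
	fmt.Printf("key=%q truncated=%v trailingLF=%v\n", key, truncated, lf)
	ct, _ := encryptAESECB(key, []byte("Passw0rd!"))
	salt := make([]byte, 8) // 8-byte salt is an assumed length
	rand.Read(salt)
	fmt.Println(base64.StdEncoding.EncodeToString(ct), ssha([]byte("Passw0rd!"), salt))
}
```

Running it with the constructed `"secret\n"` key shows the LF sitting at byte 6 of the derived key, followed by \0 padding: the key actually used is not the six characters the operator typed. Encrypting two identical passwords under ECB gives byte-identical ciphertexts, which is the property that makes the mode weak for this use.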

