Hi Benoit,

I had a similar use case before. It is definitely not good to store passwords in clear, and I would try to think about something a bit simpler than I/O encryption.

Have you considered making OpenLDAP delegate the authorization service to AD for these users? I've done that with cyrus-sasl, and it works great: passwords are never known to OpenLDAP, it just sends an authentication request to another directory for some users (not all) when it receives one. See http://www.openldap.org/doc/admin24/sasl.html

The main benefit is that the passwords would be stored and managed only in AD (which is usually the master), so there will be no need to duplicate them in two places, which is often a big pain to handle.

Hope this helps.

Soisik

On 26/01/2017 17:36, ROSELIER Benoit wrote:
Hi Sébastien,

Thanks for the reply. I can't store passwords in clear text due to corporate strategy, and I'm interested in using two-way encryption, but I don't know how to do it?

Regards,

*From:* [email protected] [mailto:[email protected]] *On behalf of* Sébastien Bahloul
*Sent:* Thursday 26 January 2017 17:07
*To:* lsc-users <[email protected]>
*Subject:* Re: [lsc-users] Need help to sync Password

Hi Benoit,

In short, you need the password in clear text to synchronize it to AD. From http://lsc-project.org/wiki/documentation/howto/activedirectory, the approach you would probably be interested in:

Store passwords in your source repository, either in clear text or in a two-way encryption scheme (LSC includes tools to encrypt and decrypt with such an algorithm: see here <http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/security>), then use LSC's AD tool class <http://lsc-project.org/javadoc/latest/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String)> to update the password in AD. Here <http://lsc-project.org/wiki/documentation/latest/configuration/syncoptions/activedirectory> is an example of how to do this.

Regards,
Sebastien BAHLOUL

2017-01-26 3:10 GMT-08:00 ROSELIER Benoit <[email protected] <mailto:[email protected]>>:

Hello,

I use LSC to synchronize an Active Directory from an OpenLDAP. I am perfectly able to synchronize my users and my groups, but I am blocked on the synchronization of the passwords. My passwords are hashed in SSHA in my OpenLDAP, and I do not know how to retrieve them to pass them to Active Directory.

PS: My users use Self Service Password to change their password. I do not know if I can use it to indicate two destinations for changing the password (OpenLDAP and Active Directory).

Thanks for any suggestion.
Regards

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
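An added illustration of the two points made in this thread (my own example code, not code from LSC or from any of the posters): an SSHA value like the ones stored in Benoit's OpenLDAP can only be verified against a candidate password, never reversed, which is why the clear-text password cannot be "retrieved" from it; and the AD unicodePwd attribute that LSC's getUnicodePwd helper targets expects the clear-text password wrapped in double quotes and encoded as UTF-16LE. The sample password and salt are constructed, and the helper names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows the digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    This is the only operation the hash supports: recompute and compare.
    The original password is not recoverable from the stored value.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, digest)


def ssha_salt(stored: str) -> bytes:
    """Return the salt embedded in a stored {SSHA} value (it is not secret)."""
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    return raw[SHA1_LEN:]


def ad_unicode_pwd(password: str) -> bytes:
    """Encode a clear-text password the way AD's unicodePwd attribute expects it:
    the password enclosed in double quotes, as UTF-16LE bytes.
    This is the transformation a sync tool must perform, and it needs the
    clear text as input; a one-way hash cannot be fed into it."""
    return ('"' + password + '"').encode("utf-16-le")


if __name__ == "__main__":
    # constructed sample values
    stored = ssha_hash("s3cret-example", salt=b"abcd")
    print("stored in OpenLDAP:", stored)
    print("verify correct   :", ssha_verify("s3cret-example", stored))
    print("verify wrong     :", ssha_verify("wrong", stored))
    print("AD unicodePwd    :", ad_unicode_pwd("s3cret-example").hex())
```

Running the block shows that the same password with the same salt always yields the same SSHA value, a wrong password fails verification, and the AD-side value is built from the clear text only; nothing in the SSHA value lets you produce the unicodePwd bytes, which is the gap the thread's suggestions (two-way encryption in the source, or pass-through authentication to AD) are working around.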

