To answer myself, I thought I could tackle this by setting the
password in plaintext in LDAP using PWM (using a plaintext password_hash
rule in slapd) and then syncing it to Syncope and having it set to its
SSHA equivalent while propagating the change back to the directory.
This way, the plaintext password would only exist in LDAP in a small
time window between syncs?

But alas, I just learned that the connid LDAP connector does not
support sync, unless you're using Sun Directory Server Enterprise
Edition? Is this true? Is there no sync possible from LDAP?

Regards,
Martin

On Mon, Oct 27, 2014 at 7:53 PM, Martin van Es <mrva...@gmail.com> wrote:
> Hi,
>
> I'd like to use PWM for Password Self-service management, but that
> will only let me set passwords for users in an LDAP server.
>
> https://code.google.com/p/pwm/
>
> How would I make (Open)LDAP password leading for all passwords, but
> keep Syncope for propagating users (including passwords) to target
> applications? Of course, I could make all client applications
> authenticate against LDAP, but that would solve the problem only in
> application layer and needs suitable applications. I'm trying to see
> if this problem also has a solution in data layer.
>
> This hypothetical exercise would require a 2-way encrypted password
> setup between OpenLDAP and Syncope. Is this a possible scenario? Would
> plaintext passwords in LDAP be the only solution? Maybe changing PWM
> so that the password would be AES encrypted into a pwd transport
> attribute, which could be picked up by Syncope and propagated to LDAP
> and other applications?
>
> Of course, I'm looking at NetIQ/eDir/SSPR as a commercial example IdM
> system for my question. It would be nice if Syncope+OpenLDAP+PWM could
> do this trick as well ;)
>
> Regards,
> Martin
> --
> If 'but' was any useful, it would be a logic operator



-- 
If 'but' was any useful, it would be a logic operator
