Hi Francesco,

On Thu, Nov 6, 2014 at 4:34 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
> On 05/11/2014 19:09, Martin van Es wrote:
>> Hope this clarifies my endeavours a bit.
>
> Only a bit, actually :-)
>
> But still I don't get why you are not just using AES on Syncope: any
> propagation will then be able to re-obtain clear-text password.
> Isn't this that you just need?
Yes, AES is key to my quest, but I want PWM to be the point where people set and reset their password, not Syncope. PWM can only talk to LDAP, so I need to temporarily write the password plaintext to LDAP so Syncope can pick it up. I don't want any plaintext password left in LDAP after successful synchronisation from LDAP to Syncope and back. This can be accomplished by propagating the now AES-encrypted password in Syncope back to LDAP as an SSHA hash (so far, so good).

But now, if I resync LDAP, the SSHA hash gets synced to Syncope, because there is no plaintext password anymore, and at this point I lose the AES-decryptable password in Syncope. There is no way I can tell Syncope to only accept plaintext passwords from LDAP and not the SSHA-hashed ones.

Regards,
Martin
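The cycle Martin describes (plaintext set in LDAP by PWM, picked up into a reversible copy, written back as SSHA, then resynced), as an added illustration in Python. This is not Syncope's or PWM's code: it builds OpenLDAP-style {SSHA} userPassword values and applies the pull-side filter Martin says he cannot configure, skipping any value that carries an RFC 2307 {scheme} prefix so a hash never overwrites the reversible copy. The dict standing in for the Syncope side holds plaintext only to keep the example self-contained; the AES encryption of that copy is assumed and not shown, and the sample directory is constructed.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# RFC 2307-style scheme prefix on an LDAP userPassword value, e.g. "{SSHA}", "{SHA}", "{CRYPT}".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def password_scheme(value: str) -> Optional[str]:
    """Return the hash scheme named in a userPassword value, or None when the value is plaintext."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value (SHA-1 digest is 20 bytes, the salt is the rest)."""
    if password_scheme(stored) != "SSHA":
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def pull_from_ldap(idm: Dict[str, str], ldap: Dict[str, str]) -> Dict[str, str]:
    """LDAP -> IdM pull with the filter Martin asks for: only plaintext values are accepted.

    A value that already carries a {scheme} prefix is skipped, so an earlier reversible
    copy in the IdM store is never overwritten with a hash.  Returns a per-user report.
    """
    report: Dict[str, str] = {}
    for uid, value in ldap.items():
        scheme = password_scheme(value)
        if scheme is None:
            # Stands in for the AES-encrypted copy; encryption is assumed and not shown here.
            idm[uid] = value
            report[uid] = "stored"
        else:
            report[uid] = "skipped:" + scheme
    return report


def propagate_to_ldap(idm: Dict[str, str], ldap: Dict[str, str]) -> None:
    """IdM -> LDAP propagation: write every known password back as {SSHA}, removing the plaintext."""
    for uid, clear in idm.items():
        ldap[uid] = ssha_hash(clear)


def round_trip(ldap: Dict[str, str]) -> dict:
    """Run the full cycle on a directory snapshot and return the observable state."""
    idm: Dict[str, str] = {}
    first = pull_from_ldap(idm, ldap)    # PWM wrote plaintext; the IdM picks it up
    propagate_to_ldap(idm, ldap)         # plaintext in LDAP replaced by {SSHA}
    second = pull_from_ldap(idm, ldap)   # resync: every value is hashed now, nothing is overwritten
    return {"idm": dict(idm), "ldap": dict(ldap), "first_pull": first, "second_pull": second}


if __name__ == "__main__":
    # Constructed sample directory: one fresh plaintext reset, one user who is already hashed.
    sample = {"martin": "correct horse battery", "alice": ssha_hash("unchanged")}
    state = round_trip(sample)
    for uid, value in state["ldap"].items():
        print(uid, password_scheme(value), state["first_pull"][uid], state["second_pull"][uid])
```

After the first pull the IdM side holds the plaintext for the user who reset via PWM; after propagation LDAP contains only {SSHA} values, and the second pull skips every entry instead of replacing the reversible copy with a hash, which is the behaviour Martin reports he cannot get from a plain resync.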