Hi Francesco,

On Thu, Nov 6, 2014 at 4:34 PM, Francesco Chicchiriccò
<ilgro...@apache.org> wrote:
> On 05/11/2014 19:09, Martin van Es wrote:
>> Hope this clarifies my endeavours a bit.
>
>
> Only a bit, actually :-)
>
> But still I don't get why you are not just using AES on Syncope: any
> propagation will then be able to re-obtain clear-text password.
> Isn't this that you just need?

Yes, AES is key to my quest, but I want PWM to be the point where
people set and reset their password, not Syncope. PWM can only talk to
LDAP, so I need to temporarily write the password in plaintext to LDAP so
Syncope can pick it up. I don't want any plaintext password left in
LDAP after successful synchronisation from LDAP to Syncope and back.
This can be accomplished by propagating the now AES-encrypted password
in Syncope back to LDAP as an SSHA hash (so far, so good).

But now, if I resync LDAP, the SSHA hash gets synced to Syncope,
because there is no plaintext password anymore, and at this point I
lose the AES-decryptable password in Syncope. There is no way I can
tell Syncope to only accept plaintext passwords from LDAP and not the
SSHA-hashed ones.

Regards,
Martin
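As an added example (not code from this thread, nor from Syncope or PWM), a small Python helper sketching the pre-sync filter Martin describes wanting: it classifies LDAP userPassword values by their RFC 2307 style scheme prefix, verifies an {SSHA} value, and keeps only plaintext values so a resync cannot replace the reversibly stored copy with a hash. All sample values are constructed; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Schemes commonly found in an LDAP userPassword attribute ("{SCHEME}...").
# Anything without a known scheme prefix is treated as a plaintext password.
KNOWN_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}


def classify(value: str) -> str:
    """Return 'plaintext' or the upper-cased scheme of a hashed value."""
    if value.startswith("{") and "}" in value:
        scheme = value[1:value.index("}")].upper()
        if scheme in KNOWN_SCHEMES:
            return scheme
    # Starts with "{" but is no known scheme: still a real password.
    return "plaintext"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, value: str) -> bool:
    """Check a password against an {SSHA} value (salt = bytes after digest)."""
    if classify(value) != "SSHA":
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def select_syncable(values: List[str]) -> List[str]:
    """Keep only plaintext values, the ones that can still be stored
    reversibly (AES) by the identity manager; hashes are skipped so a
    resync does not overwrite the recoverable copy with an {SSHA} value."""
    return [v for v in values if classify(v) == "plaintext"]


# Constructed sample values for one round-trip, not from any real directory.
SAMPLE_VALUES = [
    "Tr0ub4dor&3",                                  # fresh plaintext from self-service
    make_ssha("Tr0ub4dor&3", b"\x01\x02\x03\x04"),  # written back by propagation
    "{CRYPT}$6$rounds=5000$abc$placeholder",        # legacy hash, also skipped
    "{not a scheme}",                               # odd-looking but plaintext
]
```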
