Password Encryption
Hi,
I noticed the iwtUser-IMAPPassword is encrypted, but still readable from the
portal server. Also the iwtUser-WWW-Authorization uses an encrypted
password.
I assume the portal server contains some crypt/decrypt functions to create
these encrypted passwords?
Since I also want to store some passwords in the profile-ldap, I would like
to know if it's possible to call these crypt/decrypt functions in my code?
Some help on this one would be great :)
Kind Regards,
Stephen Trap
EurASP
http://www.eurasp.com
at 2007-11-25 4:32:30

You probably don't want to rely on portal to store passwords for you.
Although iwtUser-IMAPPassword is encrypted an in SHA hash in ldap,
decrypting it just relies on knowing the ldap admin password. This is
stored by iPS in cleartext in a file.
So if you try:
ipsadmin get user /domain/userid
it uses the ldap admin password to decrypt and show the user's password
to you. So anyone with root access to your machine can easily get a
listing of all your users' passwords.
I've opted to force users to enter their IMAP password every time they
log in to avoid storing it in LDAP. This idea doesn't work with the iPS
supplied mail clients or the mobile access pack/iwtMailProvider channel.
Stephen Trap wrote:
>
> Hi,
>
> I noticed the iwtUser-IMAPPassword is encrypted, but still readable from the
> portal server. Also the iwtUser-WWW-Authorization uses an encrypted
> password.
> I assume the portal server contains some crypt/decrypt functions to create
> these encrypted passwords?
> Since I also want to store some passwords in the profile-ldap, I would like
> to know if it's possible to call these crypt/decrypt functions in my code?
>
> Some help on this one would be great :)
>
> Kind Regards,
>
> Stephen Trap
> EurASP
> http://www.eurasp.com
at 2007-6-29 2:41:30
