we're facing the problem to connect a system of an external institution that requires passwords in cleartext. The system will be fed by our IM 4.5 over an encrypted LDAP connection, all passwords will be intercepted at their site and sent to their Kerberos. Afterwards they are stored reversibly encrypted. We don't have direct access to this Kerberos and whether we are overwhelmed by the beauty and cleverness of this approach or not will have little impact.

The question therefore arises, whether this is possible and how? I've fiddled around with Jim Willeke's DumpPasswordInformation tool and even managed to compile Timothy Patterson's "getpass" on SLES 12 after slightly modifying the included makefile. Therefore I'm confident that it should be possible, but will probably require a homemade variant of the IM LDAP driver. Since Geoffrey has pointed out a few weeks ago the DirXML dev kit "is ancient and barely updated", I feel it may be a good idea to ask the experts, which options seem preferably in this situation?

We'll start without any password management (except for delivering user's initial passwords) at all, meaning the external system will use their own for the time being. We intend to employ SSPR when we are finished with building our IDMS, though. At that time we'll need the LDAP driver functionality described. Thus far I haven't had the time to study SSPR in depth (and in practice!), but if SSPR offers some mechanism that could help with our problem, the aforementioned approaches may prove unnecessary at all.

So any advice would be appreciated.