Posted by scoomey on 10/07/26 11:53

Hi folks-
I've got an interesting problem. For our homebrewed PHP intranet
application, I will soon be required to give users access to their
email/calendar information from Microsoft Exchange.
I've found a nice set of classes that seems to pretty seemlessly
integrate PHP with Exchange via WebDAV. (Wish this could be done over
SOAP, but that's another issue entirely.)
Here's the issue:

Currently, I authenticate all users via LDAP to our Active Directory
domain. Since the app. does authentication this way, I can save and
pass their username/password combo to Exchange to get data when needed.

Here's the problem however.

1. I need to encrypt the passwords for database storage. No way on this
green earth would I store password data in the clear. OK, I'll use the
PHP mcrypt functions to encrypt the pwd, and then be able to decrypt it
to send it to Exchange.
2. My real issue lies in giving the application carte blanche access to
users' passwords. Sure, it's encrypted, but it has to be 2-way
encryption so my app (And in turn I) have access to the actual
passwords themselves. Bothers me to know that (as well as our InfoSec
officer. :) ).

Any ideas on how to save users' passwords while keeping the privacy of
the data?

thanks!

Shawn

[Back to original message]