Index: extra/svn/Redmine.pm
===================================================================
--- extra/svn/Redmine.pm (revision 13203)
+++ extra/svn/Redmine.pm (working copy)
@@ -62,6 +62,8 @@
 # RedmineDbWhereClause "and members.role_id IN (1,2)"
 ## Optional credentials cache size
 # RedmineCacheCredsMax 50
+ ## Optional database_cipher_key
+ # RedmineDatabaseCipherKey "SecretKeyFromConfigurationYML"
 To be able to browse repository inside redmine, you must add something
@@ -188,6 +190,8 @@
 use Digest::SHA;
 # optional module for LDAP authentication
 my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
+# optional modules for decrypting ciphered LDAP bind passwords
+my $CanUseCiphering = eval("use Crypt::CBC; use MIME::Base64; 1");
 use Apache2::Module;
 use Apache2::Access;
@@ -233,6 +237,11 @@
 req_override => OR_AUTHCFG,
 args_how => TAKE1,
 },
+ {
+ name => 'RedmineDatabaseCipherKey',
+ req_override => OR_AUTHCFG,
+ args_how => TAKE1,
+ },
 );
 sub RedmineDSN {
@@ -486,6 +495,11 @@
 $bind_as =~ s/\$login/$redmine_user/g;
 $bind_pw = $redmine_pass
 }
+
+ if((defined $cfg->{RedmineDatabaseCipherKey}) and $CanUseCiphering) {
+ $bind_pw = decrypt_text($bind_pw, $cfg->{RedmineDatabaseCipherKey});
+ }
+
 my $ldap = Authen::Simple::LDAP->new(
 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
 port => $rowldap[1],
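Review bot: The new guard decrypts `$bind_pw` whenever the key and the modules are present, but decrypt_text (added at the end of this patch) dies on an undef text, and outside the visible `$bind_pw = $redmine_pass` branch the variable keeps whatever the auth-source row gave it; if that column is NULL for an anonymous-bind LDAP source, the die surfaces as a handler error instead of an ordinary failed bind. Guard on the value as well: `if (defined $bind_pw and defined $cfg->{RedmineDatabaseCipherKey} and $CanUseCiphering) {`. The opposite failure is silent: with RedmineDatabaseCipherKey configured but `$CanUseCiphering` false (the eval in the hunk at line 188 failed), the still-ciphered `aes-256-cbc:...` string is sent to the directory as the bind password and every bind fails with nothing in the error log, so an explicit diagnostic for "key configured but Crypt::CBC/MIME::Base64 unavailable" would spare operators a long hunt. The enclosing function starts and ends outside the hunk.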
@@ -541,4 +555,43 @@
 return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
 }
+sub RedmineDatabaseCipherKey {
+ my ($self, $parms, $arg) = @_;
+
+ if ($arg) {
+ $self->{RedmineDatabaseCipherKey} = $arg;
+ }
+}
+
+sub decrypt_text {
+ my $text = shift;
+ my $key = shift;
+
+ die "text needed" unless defined $text;
+ die "key needed" unless defined $key;
+
+ if ((length $key > 0) and ($text =~ /\Aaes-256-cbc:(.+)\Z/)) {
+ my ($e, $iv) = split /--/, $1;
+
+ $e = decode_base64($e);
+ $iv = decode_base64($iv);
+ $key = substr Digest::SHA::sha256_hex($key), 0, 32;
+
+ my $cipher = Crypt::CBC->new(
+ -cipher => 'Rijndael',
+ -key => $key,
+ -iv => $iv,
+ -literal_key => 1,
+ -padding => 'standard',
+ -header => 'none',
+ -blocksize => 16,
+ -keysize => 32
+ );
+
+ $cipher->decrypt($e);
+ } else {
+ $text;
+ }
+}
+
 1;
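Review bot: decrypt_text validates only the `aes-256-cbc:` prefix, so a stored value without the `--` separator leaves `$iv` undef, `decode_base64(undef)` warns and Crypt::CBC->new receives an undefined IV, which most likely croaks inside the auth handler rather than producing a plain failed bind; `split` also has no limit, so a stray extra `--` silently truncates the ciphertext. Parse the two parts and bail out explicitly with `my ($e, $iv) = split /--/, $1, 2;` followed by `return $text unless defined $e and defined $iv;`, and turn the two implicit return values into explicit ones (`return $cipher->decrypt($e);`, `return $text;`). The derivation `substr Digest::SHA::sha256_hex($key), 0, 32` feeds 32 hex characters, i.e. 128 bits of entropy, to AES-256 as a literal key; this presumably mirrors how Redmine's Rails side encrypts the column and therefore must stay byte-compatible rather than be "fixed" here, but that constraint deserves a comment, e.g. `# must match the Rails-side ciphering: AES-256-CBC, literal key = first 32 hex chars of SHA256(key)`. Because the padding is not verified on decrypt, a wrong or rotated key is more likely to yield garbage than an error, so repeated LDAP bind failures after a key change are the expected symptom and worth a line in the header comment at the top of this file.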