On 09/10/2013 06:54 PM, Arran Cudbard-Bell wrote:
> On the registration page you use to 'activate' users' accounts for the
> service, you get them to log in. Once their password is verified
> against OpenLDAP you do an LDAP modify and store the plaintext
> version.  This is exactly what we did at University of Sussex when we
> rolled out the service six years ago.
> 
> We opted to store NT-Password hashes.  These are not really any more
> secure than cleartext, but at least you don't accidentally see the
> user's output in any directory dumps or debug output.

And be sure to set ACLs (Access Control Lists) on the password
attributes so that only the admin and the radius process can read them.

-- 
John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
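
Added example, not part of the original messages: one way to express the ACL advice above in OpenLDAP's slapd.conf syntax. The bind DNs and the sambaNTPassword attribute (from the Samba schema) are assumptions; substitute the DNs and the attribute your directory actually uses for the NT hash.

```conf
# slapd.conf ACL sketch (added example; DNs and attribute names are assumptions)
#
# Weak: with only a catch-all rule, any bound or anonymous client can read
# the password attributes along with everything else.
#   access to * by * read
#
# Corrected: a rule for the password attributes placed BEFORE the catch-all.
# slapd stops at the first "access to" clause that matches the attribute,
# so ordering matters.
access to attrs=userPassword,sambaNTPassword
    by dn.exact="cn=admin,dc=example,dc=org" write
    by dn.exact="cn=radius,ou=services,dc=example,dc=org" read
    by anonymous auth
    by * none

access to *
    by * read
```

The "by anonymous auth" line lets simple binds be checked against userPassword without making the value readable. The slapacl tool shipped with OpenLDAP can be used to confirm what a given bind DN is actually granted on these attributes.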
