I agree with ogrisel. LDAP authentication process = receive a plain text password. The LDAP server is responsible for checking this plain text password (encrypt it and check whether it is equal).
If you want to secure the login process:

/1/ Use SSL / HTTPS for the login page, so a "man in the middle" attack between the client and the Nuxeo server is not possible.

/2/ Use LDAPS for connecting the Nuxeo server to the LDAP server, so a "man in the middle" attack between the Nuxeo server and the LDAP server is not possible.

Even if the Nuxeo server encrypts the password before authenticating against the LDAP server, someone can intercept this encrypted password. If LDAP just checks for equality, this password is not stolen, but the account is corrupted.

PS: Sorry for my poor English.

-- Posted by "sebastien.denef" at Nuxeo Discussions <http://nuxeo.org/discussions>
View the complete thread: <http://www.nuxeo.org/discussions/thread.jspa?threadID=4011#12322>
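To make the point above concrete, here is an added example (not code from the thread or from Nuxeo) that BER-encodes an LDAPv3 simple BindRequest as defined in RFC 4511 and parses the matching BindResponse: the credential sits in the PDU as-is, so whatever the application does to it beforehand, only the transport (LDAPS) keeps it from being read or replayed on the wire. The bind DN and password are constructed sample values; `ldaps_context()` shows the TLS settings a client should insist on.

```python
import ssl

def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value

def _integer(n: int) -> bytes:
    return _tlv(0x02, n.to_bytes(1, "big"))  # small non-negative ints only

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] {...} }."""
    bind = (
        _integer(3)                          # version 3
        + _tlv(0x04, bind_dn.encode())       # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode())      # authentication: simple [0]
    )
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))

def password_is_visible(pdu: bytes, password: str) -> bool:
    """True when the credential can be read straight out of the PDU bytes."""
    return password.encode() in pdu

def parse_bind_response(pdu: bytes) -> tuple[int, int]:
    """Return (messageID, resultCode) from a BindResponse (short-form lengths)."""
    if pdu[0] != 0x30 or pdu[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    mid_len = pdu[3]
    message_id = int.from_bytes(pdu[4:4 + mid_len], "big")
    i = 4 + mid_len
    if pdu[i] != 0x61 or pdu[i + 2] != 0x0A:  # [APPLICATION 1], ENUMERATED
        raise ValueError("not a BindResponse")
    code_len = pdu[i + 3]
    return message_id, int.from_bytes(pdu[i + 4:i + 4 + code_len], "big")

def ldaps_context() -> ssl.SSLContext:
    """TLS context for an LDAPS client: verify the chain and the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

if __name__ == "__main__":
    pdu = simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(pdu.hex(), password_is_visible(pdu, "secret"))
```

Wrap the socket with `ldaps_context().wrap_socket(sock, server_hostname=host)` before sending the PDU; a pre-hashed password would appear in the same `[0]` field and be just as replayable without TLS.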
