--On Wednesday, April 11, 2007 3:21 PM -0400 Thierry Moreau
<[EMAIL PROTECTED]> wrote:

> Quanah Gibson-Mount wrote:
>> I'm curious why you think only plain text passwords get stored in
>> OpenLDAP. Have you actually read the documentation? Most people use
>> hashes.
>
> I don't think plain text is the only option. My wording was inaccurate in
> this respect.
>
> I know that salted hashes offer good protection against off-line
> password-guessing dictionary attacks, but this is lesser protection than
> what would be offered by genuine encryption with good key management.
>
> I know that some protocol-side (challenge-response type) mechanisms require
> in-memory access to plain text passwords, which cannot be recovered from
> hashed or salted-hashed representations.
Ah, okay. Well, in any case, I don't store any passwords in my directory.
We have a central Kerberos KDC, the LDAP server is only used for
authorization (via SASL/GSSAPI binds), so there is never any password
involved. Certainly things like SASL/EXTERNAL with certs could be used
similarly. So I can't more specifically answer your questions. ;)
--Quanah
--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]