On 10-12-28 2:30 PM, Jan-Frode Myklebust wrote:
> Do I understand the code correctly if I read that you're now using the
> session key as a one-time-pad to encrypt/decrypt the password, and the
> password is never stored un-encrypted anywhere?

The password is still stored unencrypted in memcached for
SOGoCacheCleanupInterval seconds. This is to avoid doing a bind on the LDAP
server for _each_ request coming in, in order to check the validity of
the password.
--
Ludovic Marcotte
[email protected] :: +1.514.755.3630 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)