Confused on best secuirty method...

[bithead@bev.net (Matt Witherspoon)]

	I've been playing around with OpenLDAP here for the past week very 
throughly.. however I'm still a bit confused on what would be the most secure 
method of transmiting passwords and storing them as there seems to be lots of 
options. More than likely, I will be having one or two machines running slapd 
and slurpd, and then serveral other webservers making calls to these from 
various PHP scripts. What would be the best method of securing the passwords 
being transmitted between these LDAP servers and website server machines?
	MD5 or SSHA is the only method that I have been able to get to work 
correctly, and I guess that's called a 'simple bind.' While that seems 
perfectly fine to me to store that password in the directory as a MD5 or 
such, when logging in, isn't the MD5 or SSHA always going to be the same?? 
Correct me if I'm wrong there, but it seems like a 'replay' problem exsists 
still. Now I've been trying to figure out this SASL and Start TLS stuff, 
there seems to be almost no documentation on it so I havn't got far (if any 
one could point me to some info thanks!), but would those be any more secure 
than using MD5 or SSHA? Would those even work in PHP?
	I suppose one other option, would be to simply establish serveral SSH pipes 
to the various servers and then just use the MD5 or SSHA password 
trasmitting. This option makes the most sense to me right now as I don't 
understand SASL or TLS, addtionally it would not be hard to get PHP to work 
with that setup. Are there side effects to this setup that I am not seeing?

	So if anyone can shed some light on what I should be aiming for I'd really 
appricate it! Thanks again for any help.

    ~Matt Witherspoon