On Friday 19 January 2007 10:32, Andris.Eiduks@tietoenator.com wrote:
> Then do you recommend using only a cleartext password from the *client* side?

If you store encrypted passwords in userPassword, and do simple binds, you *have* to send the cleartext password to authenticate. Sending it to change passwords is no additional disclosure.

Of course, if you use simple binds, you want to protect the transport (TLS/SSL) anyway (e.g. require all connections to be of a sufficient ssf, or have the ACLs on userPassword require a sufficient ssf).

> And if the *client* performs password encryption, then password history must
> be stored and compared by *client* side soft?

Yes, since the client could use different encryption types each time (and use the same password 3 or more times).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
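Added example, not part of the message above and not OpenLDAP code: a Python sketch of why a history check only works on the side that sees the cleartext. The function names and sample passwords are constructed for illustration, and it assumes the {SHA} and {SSHA} userPassword schemes.

```python
import base64
import hashlib
import hmac
import os

def sha(password):
    """{SHA}: unsalted SHA-1, base64-encoded."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha(password, salt=None):
    """{SSHA}: base64(SHA1(password + salt) + salt); random salt unless given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password, stored):
    """Check a cleartext password against one stored userPassword value."""
    if stored.startswith("{SSHA}"):
        salt = base64.b64decode(stored[6:])[20:]  # bytes after the 20-byte digest
        return hmac.compare_digest(ssha(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha(password), stored)
    return False  # scheme not handled in this sketch

def reused_cleartext(new_password, history):
    """Receiver has the cleartext: it can test it against every old hash."""
    return any(verify(new_password, old) for old in history)

def reused_prehashed(new_value, history):
    """Receiver has only a pre-hashed value: a literal comparison is all it can do."""
    return new_value in history

if __name__ == "__main__":
    history = [ssha("Winter2007!")]  # constructed sample history entry
    # Same password, cleartext sent: reuse is detected.
    print(reused_cleartext("Winter2007!", history))
    # Same password, hashed by the client with a new salt or another scheme: missed.
    print(reused_prehashed(ssha("Winter2007!"), history))
    print(reused_prehashed(sha("Winter2007!"), history))
```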