[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLdap Clear-text Password in Debug Mode
On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:
Theoretically, the password should be hashed on the client, sent across
the network, to be compared against the hashed passwords in the
database.
The client has no idea how the server stores or hashes passwords. The
server might not even store them directly, but could be passing them to
a third party (f.ex. a Kerberos KDC) for verification. So the client
sends the password to the server in the clear (but protected by TLS),
and the server verifies the password however it's configured to, in your
case by hashing it and comparing the hash to the stored hash.