Re: Passwords n stuff

Since you are using Linux, I assume you are using pam-ldap. If you set

    access to attr=userPassword
        by anonymous auth

in slapd.conf, and configure pam-ldap to bind anonymously, then instead of trying to read the userPassword attribute and compare to a locally computed hash, pam_ldap will just try to bind by sending a password. Since OpenLDAP does the hashing, your clients don't need to know anything about what hash to use.

Typically, you would then use SSL or TLS to mitigate the dangers associated with cleartext passwords, but if you are using cleartext passwords with pGINA anyway, this is a moot point.
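
The difference between reading userPassword and binding, as an added example that is not part of the original message: a simplified Python model of the server side, not OpenLDAP or pam_ldap code. The names `ToyDirectory`, `ssha` and `verify`, the DNs and the passwords are constructed for illustration.

```python
import base64, hashlib, hmac, os

# slapd access levels, lowest to highest privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Server-side check: the scheme prefix tells the server how to hash."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(digest, candidate)
    # Assumption of this model: a value with no scheme prefix is cleartext.
    return hmac.compare_digest(stored.encode(), password.encode())

class ToyDirectory:
    """Models: access to attr=userPassword by anonymous auth"""
    def __init__(self, entries, anon_level="auth"):
        self.entries = entries
        self.anon_level = anon_level

    def _allowed(self, needed):
        return LEVELS.index(self.anon_level) >= LEVELS.index(needed)

    def anonymous_read(self, dn, attr="userPassword"):
        # Reading needs "read"; "auth" is lower, so the hash never leaves the server.
        return self.entries[dn][attr] if self._allowed("read") else None

    def simple_bind(self, dn, password):
        # Binding needs only "auth": the server hashes and compares,
        # and the client learns nothing beyond success or failure.
        entry = self.entries.get(dn)
        # An empty password is an unauthenticated bind, not proof of identity.
        if entry is None or not password or not self._allowed("auth"):
            return False
        return verify(entry["userPassword"], password)

# Constructed sample entries with two different storage schemes.
DIRECTORY = ToyDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {"userPassword": ssha("correct horse")},
    "uid=bob,ou=people,dc=example,dc=com": {"userPassword": "plain-secret"},
})
```

The client code path is identical for both entries even though their stored values use different schemes, which is why the choice of hash stays a server-side decision.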