On Friday 19 January 2007 10:32, Andris.Eiduks@tietoenator.com wrote:
> Then do you recommend using only a cleartext password from the *client* side?
If you store encrypted passwords in userPassword, and do simple binds, you *have* to send the cleartext password to authenticate. Sending it to change passwords is no additional disclosure.
Of course, if you use simple binds, you want to protect the transport (TLS/SSL) anyway (e.g. require all connections to be of a sufficient ssf, or have the ACLs on userPassword require a sufficient ssf).
> And if the *client* performs password encryption, then must the password history be stored and compared by *client*-side software?
Yes, since the client could use different encryption types each time (and use the same password 3 or more times).
Regards, Buchan
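An added example (not code from the thread or from OpenLDAP) illustrating Buchan's last point: when the client picks the storage scheme, the same password can sit in the history under several different and independently salted encodings, so history checking has to verify the cleartext candidate against each stored hash using that hash's own scheme rather than comparing hash strings. The history entries, the password values and the salt lengths below are constructed for the demonstration; the {SHA}, {SSHA}, {MD5} and {SMD5} encodings follow the RFC 2307 "{SCHEME}base64" convention.

```python
import base64
import hashlib
import secrets
from typing import List, Optional

# Constructed salt length for the salted schemes (deployments vary).
SALT_LEN = 4

def _digest(password: str, scheme: str, salt: Optional[bytes]) -> bytes:
    """Raw digest bytes for one RFC 2307 scheme; salted schemes append the salt."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return hashlib.sha1(pw).digest()
    if scheme == "MD5":
        return hashlib.md5(pw).digest()
    if scheme in ("SSHA", "SMD5"):
        if salt is None:
            salt = secrets.token_bytes(SALT_LEN)
        algo = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        return algo(pw + salt).digest() + salt
    raise ValueError("unsupported scheme: " + scheme)

def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Encode a cleartext password as '{SCHEME}base64', as a client might store it."""
    scheme = scheme.upper()
    return "{" + scheme + "}" + base64.b64encode(_digest(password, scheme, salt)).decode("ascii")

def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext password against one stored '{SCHEME}base64' value.

    Unknown schemes, non-hashed values and undecodable data count as no match,
    so a history entry the checker cannot interpret never silently passes.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    digest_len = {"SHA": 20, "SSHA": 20, "MD5": 16, "SMD5": 16}.get(scheme)
    if digest_len is None:
        return False
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) < digest_len:
        return False
    # For salted schemes the salt is whatever follows the digest; reuse it.
    salt = raw[digest_len:] if scheme in ("SSHA", "SMD5") else None
    return secrets.compare_digest(_digest(password, scheme, salt), raw)

def password_in_history(candidate: str, history: List[str]) -> bool:
    """True if the candidate equals any earlier password, whatever scheme each used."""
    return any(verify_password(candidate, old) for old in history)

def naive_string_match(candidate_hash: str, history: List[str]) -> bool:
    """The broken approach: compare the client's new hash string to stored ones."""
    return candidate_hash in history

# Constructed history: one user's last three passwords as a client might have
# stored them, choosing a different scheme each time but reusing the password.
OLD_PASSWORD = "Winter2006!"
HISTORY = [
    hash_password(OLD_PASSWORD, "SHA"),
    hash_password(OLD_PASSWORD, "SSHA", salt=b"\x01\x02\x03\x04"),
    hash_password(OLD_PASSWORD, "MD5"),
]

if __name__ == "__main__":
    # Hash-string comparison misses the reuse (different scheme and salt)...
    print(naive_string_match(hash_password(OLD_PASSWORD, "SSHA", salt=b"\x05\x06\x07\x08"), HISTORY))
    # ...while verifying the cleartext against each entry catches it.
    print(password_in_history(OLD_PASSWORD, HISTORY))
    print(password_in_history("Spring2007!", HISTORY))
```

The checker needs the cleartext candidate, which is exactly Buchan's point: whichever side holds the cleartext at change time (the client, if it does the hashing) is the only side that can perform this comparison.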