Alan DeKok wrote:
> Fco. Javier Melero wrote:
>> Well, surely I'm missing something, but that's the way I've found to store clear text passwords in LDAP keeping some peace of mind. What could be the alternative?
>
> Storing them as clear-text. Encrypting them adds *zero* benefit, because the application that needs the passwords has to be given the decryption key. Since the decryption key is scattered all over the place in your network, it's not adding much security. To put it another way, almost no one does what you're doing.

Maybe some context will help. What we are trying to do is implement an 802.1x wireless LAN which can allow multiple EAP methods under the same SSID. If you want TTLS/PAP and PEAP/MSCHAP working together, the only way is to use clear text passwords (or so I think). In our scenario, which is only a test so far, there will be no applications using this attribute. The RADIUS server will be the only one which will have the private key, and hopefully, keeping it as safe as we can, the whole system will have reasonable security.

Are we driving ourselves insane? Tell me the truth ;-)

Have a nice weekend.

-- 
=========================================================
Fco. Javier Melero de la Torre
Universidad Carlos III de Madrid
Servicio de Informática y Comunicaciones
Area de Seguridad y Comunicaciones (https://asyc.uc3m.es)
e-mail: javier@di.uc3m.es
phone: (+34) 916.249.980, (+34) 918.561.341
fax: (+34) 916.249.430
=========================================================