9 Dec
2005
9 Dec
'05
5:11 p.m.
"Brian A. Seklecki" <lavalamp@spiritual-machines.org> wrote:
If on the authorization stage, the module can read (and cache) the entire DN's attribute set (actually, any DN in the LDAP), why does it need to use a "re-connect as the user" method for authentication?
Because some LDAP servers don't supply the password. Also, some administrators use LDAP only for authentication.
If the password in cleartext, comparison is easy. If it's in SSHA/SHA/MD5/blowfish/crypt, then the comparison can happen against those algorithms.
Which is the default behavior of the server. Alan DeKok.