10 Sep
2013
10 Sep
'13
7:35 p.m.
On 09/10/2013 06:54 PM, Arran Cudbard-Bell wrote:
On the registration page you use to 'activate' users accounts for the service, you get them to login. Once their password is verified against OpenLDAP you do an LDAP modify and store the plaintext version. This is exactly what we did at University of Sussex when we rolled out the service six years ago.
We opted to store NT-Password hashes. These are not really any more secure than cleartext, but at least you don't accidentally see the user's output in any directory dumps or debug output.
And be sure to set ACL's (Access Control Lists) on the password attributes so that only the admin and the radius process can read them. -- John