AW: AW: AW: AW: Freeradius + LDAP password trouble

John Dennis jdennis at
Mon Jul 19 17:24:43 CEST 2010

On 07/19/2010 10:20 AM, Lionne Stangier wrote in a private email:
> Thank you.
> I have to talk with the LDAP Admin. He should save the password clear text now.

[ Replying to the list even though this was a private email because I 
think this is important information ]

I just also want to make sure you understand there is some inherent risk 
with storing cleartext passwords and why the norm is to hash a passord 
before storage. It is *essential* the passwords are protected by ACL's. 
It would be a major security breach if someone could access your ldap 
directory and get access to a cleartext version of a password. Getting 
access to a hashed version is much less of a compromise but not without 
some risk as well, but with cleartext it's game over.

Also some ldap servers have the ability to reversibly encrypt an 
attribute such as a cleartext password so that what is stored on disk is 
not cleartext, which is one extra piece of protection (our 389-ds ldap 
server can do this).

Finally, you don't have to use cleartext if you pick your authentication 
mechanisms carefully, you can still use hashes. Consult the 
compatibility table, this is what I meant about having some decisions to 

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list