On Wed, 27 Jan 2010 20:08:39 -0300, Ldap Tester <ldap.tester at gmail.com> wrote: > 2010/1/27 Sergio A. Morales <sergiomorales at archlinux.cl> > >> On Wed, 2010-01-27 at 19:43 -0300, Ldap Tester wrote: >> >> > But I have set >> > pam_password clear >> > in /etc/ldap.conf on both fedora machines. >> > I rely on ssl for security. >> > I had to do this in order to get password syncing with windows to work > at >> all. >> > >> > Shouldn't that take care of the problem you describe above? >> > -- >> > 389 users mailing list >> > 389-users at lists.fedoraproject.org >> > https://admin.fedoraproject.org/mailman/listinfo/389-users >> >> No. That only transmit the password "plain" to the 389DS. Then 389DS >> encript the password with SSHA, then MMR writes in the other server. >> >> So, F12 can't capture a plain password. >> >> Other option is set Password encript to CLEAR en your F11, but it's >> obviously insecure (go to 389-consle, then >> Configuration->DATA->Password->Password Encription in the bottom). >> >> > > Would that really be so insecure if I always use ssl? > Opinions? The point is that you will be able to see the user password. It's insecure for the users and it's not a quite good politic. Well that's my personal opinion. Saludos
