One thing to observe here is that _generally_ one does not want to reveal more information to a potential attacker than is necessary. In this case it may be useful for a bad guy to know that there is no plaintext password vs. only knowing that authentication failed. Put another way : attempts to authenticate generally result in a binary succeed/fail result (excepting perhaps cases like 'your password has expired, which is only returned when an old but valid password is presented). -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
