[SATLUG] RE: kerberos

K. Spoon kell at spoonix.com
Fri Dec 1 09:40:26 CST 2006


On Fri, Dec 01, 2006 at 09:21:17AM -0600, Justizin wrote:
> I can see how properly encrypted LDAP communications are rather
> secure, but consider that I will more or less need to hand out access
> to a database of a half million plus people to innumerate application
> developers at all levels of an international organization.  Right now,
> Plone, which is going to be our core, encrypts passwords in such a way
> that I can reset them, but not read them.  If you lose your password,
> much like with Yahoo or any other online service, you have to have a
> confirmation e-mail sent.

How does an md5 hash not satisfy this requirement?  You don't have to
store passwords in LDAP in the clear... md5 and crypt are supported out
of the box.

If the concern is untrusted applications recording/intercepting the passwords
as the user types them in, then krb5 is probably your only hope.

-- 
K. Spoon <kell at spoonix.com>
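To illustrate the point made in the reply above, the following is an added example (not code from the thread or from OpenLDAP) showing what "md5 and crypt are supported out of the box" looks like in practice: LDAP stores `userPassword` values in the RFC 2307 `{scheme}` prefix format, a directory admin can write a new value without ever learning the old one, and a verifier can only confirm a candidate, not recover the password. It goes slightly beyond the post by also showing the salted `{SMD5}` form, since the unsalted `{MD5}` form is vulnerable to precomputed tables; the sample passwords, salt and DN are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: encode and verify LDAP userPassword values in the
# RFC 2307 "{scheme}base64" format that OpenLDAP accepts out of the box.
# The {CRYPT} scheme from the thread is omitted here only because Python's
# crypt module is deprecated; the verification logic is the same shape.


def ldap_md5(password: str) -> str:
    """Unsalted {MD5}: base64 of the raw 16-byte digest (RFC 2307 style)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_smd5(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SMD5}: base64(md5(password + salt) + salt).

    A random per-entry salt defeats precomputed (rainbow) tables, which
    the unsalted {MD5} form does not. The salt is stored in the clear
    after the digest so the verifier can recover it.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    The stored value alone does not reveal the password, which is exactly
    the "reset but not read" property asked for in the quoted message.
    Comparison uses hmac.compare_digest to avoid timing side channels.
    """
    scheme, _, encoded = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(encoded)
    if scheme == "MD5":
        expected = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]
        expected = hashlib.md5(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def reset_ldif(dn: str, new_password: str) -> str:
    """Build an LDIF modify record that replaces userPassword with a fresh
    salted hash. The admin never needs (or sees) the old password."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ldap_smd5(new_password)}\n"
    )


if __name__ == "__main__":
    # Constructed sample entry, not from any real directory.
    stored = ldap_md5("password")
    print(stored)                       # {MD5}X03MO1qnZdYdgyfeuILPmQ==
    print(verify("password", stored))   # True
    print(verify("Password", stored))   # False
    print(reset_ldif("uid=jdoe,ou=people,dc=example,dc=org", "n3w-s3cret"))
```

Feed the LDIF from `reset_ldif` to `ldapmodify` to perform the reset; the directory then holds only the new digest, so even someone who can read the `userPassword` attribute learns nothing about the password itself. Interception of the password while the user types it, as the reply notes, is a separate problem that hashing at rest does not address.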
