Hello,
reading RFC 2251 (pages 20 - 22), I understood that if a client uses the
simple authentication mechanism then the password must be in clear text.
Am I right or wrong?
Are there any means to exchange a non-clear text password (e.g. encrypted or
hashed) between a client and a server?
In theory, hashed passwords are used to validate clear text passwords. It's no
use hashing the password at the client, because the hashed password transferred
over the network can be replayed as the credential, just the same as a clear text
password.
If you intend to resolve this security problem, you must use some shared
secret, random challenge or public key mechanisms.
Are there any means to store a non-clear text password (e.g. encrypted or
hashed) on the directory server database?
Sure, SHA and Unix crypt are the most commonly used hash algorithms in
current directory servers.
Thank you
Laurent
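As an added illustration of the two points made in the reply (this is not code from the thread or from any directory server): a server-side salted SHA-1 verifier in the {SSHA} layout, and a comparison showing that a captured static client-side hash still verifies when resent, while a response bound to a single-use random challenge does not. The password, salt handling and nonce bookkeeping are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed example: names and values below are illustrative, not from any server.
def store_ssha(password: str, salt: bytes = b"") -> bytes:
    """Salted SHA-1 in the {SSHA} layout directory servers commonly store."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def verify_ssha(stored: bytes, candidate: str) -> bool:
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

class ChallengeServer:
    """Holds a per-user verifier and issues single-use random nonces."""
    def __init__(self, verifier: bytes):
        self.verifier = verifier
        self.outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # never issued, or already spent
            return False
        self.outstanding.discard(nonce)     # a nonce is accepted at most once
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(verifier: bytes, nonce: bytes) -> bytes:
    return hmac.new(verifier, nonce, hashlib.sha256).digest()

def replay_demo(password: str = "correct horse") -> dict:
    # Is a credential captured on the wire accepted when it is sent again?
    verifier = hashlib.sha256(password.encode()).digest()  # client-side hash
    stored_hash = verifier                 # server keeps a copy to compare against
    captured = verifier                    # bytes an eavesdropper saw on the wire
    static_replay = hmac.compare_digest(captured, stored_hash)  # still verifies
    srv = ChallengeServer(verifier)
    nonce = srv.challenge()
    resp = client_response(verifier, nonce)
    first = srv.verify(nonce, resp)
    replay = srv.verify(nonce, resp)                  # same pair resent
    stale = srv.verify(srv.challenge(), resp)         # old response, new nonce
    return {"static_replay": static_replay, "first": first, "replay": replay, "stale": stale}
```

Note that the challenge-response server needs the verifier itself (a shared secret derived from the password), not the salted {SSHA} form, which is why the reply says a shared secret or random challenge is required rather than hashing alone.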