Passwords should (almost) always be stored in a non-reversible hash (MD5, SHA-1, etc.) - you'll certainly need to know the algorithm if you're going to duplicate the plain-text->hash-value to compare, but it sounds like you won't have the plaintext password (which is good from a security point of view), so you'll want to consider a "single-sign-on" approach. I'm not 100% savvy on LDAP beyond the basic JNDI-centric view (it's a tree of HashMaps of name-value pairs with paths), but I'm certain there are single-sign-on approaches that fully leverage LDAP that you'll want to at least consider.
For my authentication I actually use digitally signed messages - the client application specifies the user and includes the uid and a canned password as a digest in the request, but then the whole SOAP Body + UsernameToken is signed using the client's private key, which I verify on the server. I left those bits out of the server-config.wsdd to keep the email sizes down.

..............ron.

> Ok... I guess I misunderstood your text. So I might be able to avoid
> needing the plaintext pw in the service. How can I nevertheless use
> encrypted passwords? What kind of passwords are you using? The problem
> is that I don't know how the pw in ldap was encrypted.
> Thx for your help!
> Michael
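To make the "you'll need to know the algorithm" point concrete, here is an added example (not code from this thread or from either poster) that recovers the algorithm from the stored value itself. It assumes the directory stores userPassword in the RFC 2307 style that OpenLDAP and most servers use: a "{SCHEME}" prefix ({SHA}, {SSHA}, {MD5}, {SMD5}) followed by base64 of the digest, with the salt appended for the salted schemes, and no prefix for cleartext. Given that, a service can verify a candidate password without ever seeing the stored plaintext. The sample value, salt and passwords are constructed for the example; {CRYPT} and vendor schemes are rejected rather than guessed.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// SampleSHA is a constructed userPassword value: "{SHA}" + base64(sha1("secret")).
// It is not taken from any real directory.
const SampleSHA = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="

// schemeHash maps an RFC 2307 scheme name to its digest constructor and to
// whether the scheme appends a salt (SSHA/SMD5) to the digested data.
// MD5 and SHA-1 appear only because legacy directories hold such values;
// this is not a recommendation for new password storage.
func schemeHash(scheme string) (func() hash.Hash, bool, error) {
	switch strings.ToUpper(scheme) {
	case "SHA":
		return sha1.New, false, nil
	case "SSHA":
		return sha1.New, true, nil
	case "MD5":
		return md5.New, false, nil
	case "SMD5":
		return md5.New, true, nil
	}
	// {CRYPT}, {CLEARTEXT} and vendor schemes are deliberately not handled.
	return nil, false, fmt.Errorf("unsupported userPassword scheme %q", scheme)
}

// EncodeLDAPPassword builds "{SCHEME}base64(H(password||salt)||salt)", the form
// a directory stores. For unsalted schemes the salt argument is ignored.
func EncodeLDAPPassword(scheme, password string, salt []byte) (string, error) {
	newHash, salted, err := schemeHash(scheme)
	if err != nil {
		return "", err
	}
	if !salted {
		salt = nil
	}
	h := newHash()
	h.Write([]byte(password))
	h.Write(salt)
	raw := append(h.Sum(nil), salt...)
	return "{" + strings.ToUpper(scheme) + "}" + base64.StdEncoding.EncodeToString(raw), nil
}

// VerifyLDAPPassword reads the algorithm from the stored value's prefix,
// recomputes the digest over candidate||salt and compares in constant time.
// A value with no "{...}" prefix is treated as cleartext.
func VerifyLDAPPassword(stored, candidate string) (bool, error) {
	if !strings.HasPrefix(stored, "{") {
		return subtle.ConstantTimeCompare([]byte(stored), []byte(candidate)) == 1, nil
	}
	end := strings.IndexByte(stored, '}')
	if end < 0 {
		return false, errors.New("malformed scheme prefix")
	}
	newHash, salted, err := schemeHash(stored[1:end])
	if err != nil {
		return false, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored[end+1:])
	if err != nil {
		return false, fmt.Errorf("stored value is not valid base64: %w", err)
	}
	h := newHash()
	if len(raw) < h.Size() {
		return false, errors.New("stored digest is shorter than the scheme's output")
	}
	digest := raw[:h.Size()]
	var salt []byte
	if salted {
		salt = raw[h.Size():] // everything after the digest is the salt
	} else if len(raw) != h.Size() {
		return false, errors.New("unexpected trailing bytes in unsalted digest")
	}
	h.Write([]byte(candidate))
	h.Write(salt)
	return subtle.ConstantTimeCompare(h.Sum(nil), digest) == 1, nil
}

func main() {
	ssha, _ := EncodeLDAPPassword("SSHA", "secret", []byte("s4lt")) // constructed salt
	for _, stored := range []string{SampleSHA, ssha, "{CRYPT}xyz"} {
		ok, err := VerifyLDAPPassword(stored, "secret")
		fmt.Printf("%-45s match=%v err=%v\n", stored, ok, err)
	}
}
```

The prefix is what answers "how was the pw in ldap encrypted": for these schemes the verifier needs only the candidate plaintext from the login attempt plus the stored value, so the service never has to hold the user's password itself.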
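The signed-request scheme Ron describes, as an added example that is not his code and not Axis/WS-Security: a constructed model of the request (plain strings, not SOAP XML) in which the client puts the uid and a digest of the canned password into a UsernameToken, signs SHA-256 of body+token with RSA-PSS under its private key, and the server looks up the public key registered for the claimed uid, verifies the signature, then checks the digest. The uid "ron", the canned password, the body and the choice of SHA-256/RSA-PSS are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Request is a constructed model of the pieces in the thread, not real
// WS-Security XML: a UsernameToken (uid plus a digest of the canned password),
// the SOAP body, and one signature covering body and token together.
type Request struct {
	UID            string
	PasswordDigest string // hex(sha256(canned password)); the hash choice is an assumption
	Body           string
	Signature      []byte // RSA-PSS over sha256(signedBytes())
}

// usernameToken renders the token canonically so both sides hash identical bytes.
func (r Request) usernameToken() string {
	return "UsernameToken{uid=" + r.UID + ";digest=" + r.PasswordDigest + "}"
}

// signedBytes is exactly what the signature covers: body, then token. Signing
// both together means a captured token cannot be lifted onto a different body.
func (r Request) signedBytes() []byte {
	return []byte(r.Body + "\n" + r.usernameToken())
}

// PasswordDigest is the client-side digest placed in the token.
func PasswordDigest(password string) string {
	d := sha256.Sum256([]byte(password))
	return hex.EncodeToString(d[:])
}

// SignRequest is the client: build the token, then sign body+token.
func SignRequest(priv *rsa.PrivateKey, uid, password, body string) (Request, error) {
	req := Request{UID: uid, PasswordDigest: PasswordDigest(password), Body: body}
	h := sha256.Sum256(req.signedBytes())
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return Request{}, err
	}
	req.Signature = sig
	return req, nil
}

// Server knows, per uid, the client's public key and the expected digest.
type Server struct {
	Keys    map[string]*rsa.PublicKey
	Digests map[string]string
}

// Authenticate is the server: verify the signature with the key registered for
// the claimed uid first, then compare the password digest in constant time.
func (s Server) Authenticate(req Request) error {
	pub, ok := s.Keys[req.UID]
	if !ok {
		return errors.New("unknown uid")
	}
	h := sha256.Sum256(req.signedBytes())
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], req.Signature, nil); err != nil {
		return fmt.Errorf("signature over body+token failed: %w", err)
	}
	if subtle.ConstantTimeCompare([]byte(s.Digests[req.UID]), []byte(req.PasswordDigest)) != 1 {
		return errors.New("password digest mismatch")
	}
	return nil
}

// Scenario registers one client "ron" (constructed) and returns Authenticate's
// result for: a valid request, the same request with its body edited after
// signing, a request signed by a key the server does not know, and a correctly
// signed request carrying the wrong canned password.
func Scenario() (valid, tampered, wrongKey, wrongPass error) {
	client, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err, err
	}
	srv := Server{
		Keys:    map[string]*rsa.PublicKey{"ron": &client.PublicKey},
		Digests: map[string]string{"ron": PasswordDigest("canned-pass")},
	}
	body := `<getBalance account="42"/>`
	req, _ := SignRequest(client, "ron", "canned-pass", body)
	valid = srv.Authenticate(req)
	edited := req
	edited.Body = `<getBalance account="43"/>` // signature no longer matches
	tampered = srv.Authenticate(edited)
	forged, _ := SignRequest(other, "ron", "canned-pass", body)
	wrongKey = srv.Authenticate(forged)
	badPass, _ := SignRequest(client, "ron", "guess", body)
	wrongPass = srv.Authenticate(badPass)
	return
}

func main() {
	valid, tampered, wrongKey, wrongPass := Scenario()
	fmt.Println("valid:", valid, "| edited body:", tampered, "| foreign key:", wrongKey, "| wrong pass:", wrongPass)
}
```

Note what each check buys: the signature proves the holder of the registered private key produced this body with this token, and the digest is only a second factor that the server compares against what it already stores, so the server side needs the client's public key and the expected digest, never the plaintext canned password.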