Matthew Crocker wrote:
> 1).  Pull the UserPassword attribute from the LDAP server and
> authenticate the supplied password locally.  This way will only support
> Crypt
> 
> Option 1 is bad because the LDAP server is sending the passwords over
> the wire (TLS or not it is still bad).  You should lock down your LDAP
> server to not allow read access to userPassword except to authenticate.

It's only bad if your LDAP server is either on the Internet, or you have
people sniffing for passwords on your LAN, who should probably be
fired in the first place.
