Re: LDAP, DirectoryService and loginwindow in Tiger
On May 20, 2005, at 3:12 PM, Finlay Dobbie wrote:

> The manifestation of this is that you can't log in to the GUI whilst authenticating against an LDAP server whose user accounts have passwords stored in SHA-1 hashes, but you can log in using ssh (and possibly other stuff).

Don't map the password attribute in the LDAPv3 Plug-in. DirectoryService will perform an LDAP bind to authenticate the user. iirc it will do a CRAM-MD5 bind if the server is capable. If I were you I'd disable clear-text binds. Or use SSL. At any rate giving the OS access to the hashes is a bad idea, since someone could brute force them.

-mb

Darwin-dev mailing list (Darwin-dev@lists.apple.com)
Participants (1): Michael Bartosh
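
One way to check the advice in the message above from the client side, as an added example that is not part of the original message: the script parses LDIF search output, such as a search run with the identity the client machine binds with, and reports every entry whose userPassword value came back readable. The sample LDIF, the DNs and the function name are constructed for illustration.

```python
import base64
import re

# Constructed sample, shaped like LDIF search output. The first value is
# base64-encoded ("::") and folded across two lines, as LDIF output often is.
_B64 = base64.b64encode(b"{SHA}constructed-not-a-real-hash").decode()
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=com\n"
    "uid: alice\n"
    "userPassword:: " + _B64[:20] + "\n " + _B64[20:] + "\n"
    "\n"
    "dn: uid=bob,dc=example,dc=com\n"
    "userPassword: {SSHA}constructed-placeholder\n"
    "\n"
    "dn: uid=carol,dc=example,dc=com\n"
    "uid: carol\n"
    "\n"
    "dn: uid=dave,dc=example,dc=com\n"
    "userPassword: not-a-real-password\n"
)

def exposed_password_hashes(ldif_text):
    """Return [(dn, scheme)] for each entry whose userPassword is readable."""
    # Undo LDIF line folding: a newline followed by one space continues a line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    findings, dn = [], None
    for line in unfolded.splitlines():
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        m = re.match(r"([A-Za-z0-9;.-]+)(::?)\s*(.*)$", line)
        if not m:                     # comments and anything unparseable
            continue
        attr, sep, value = m.groups()
        if sep == "::":               # "::" marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        name = attr.split(";")[0].lower()   # drop options such as ";binary"
        if name == "dn":
            dn = value
        elif name == "userpassword":
            scheme = re.match(r"\{([^}]+)\}", value)
            findings.append((dn, scheme.group(1).upper() if scheme else "CLEARTEXT"))
    return findings

if __name__ == "__main__":
    for dn, scheme in exposed_password_hashes(SAMPLE_LDIF):
        print(f"readable userPassword ({scheme}): {dn}")
```

An empty result for the client's bind identity means authentication has to go through an LDAP bind, which is the setup the message recommends.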