It is still confusing to me. I wonder if it is true that a plaintext
password would be transferred over the network in the case that we use
the plaintext password to bind with AD. If this is correct, there is no
security. I guess there should be an efficient way to work it out.

James

Francis Cianfrocca wrote:
> On 8/22/07, James Yang <macinux / gmail.com> wrote:
>>
>> Thanks Francis, but I am still confused. What do you mean, we have to use
>> the password in plain text to bind with Active Directory? Because the
>> password would be saved in a configuration file, which is vulnerable.
>> I'd like to save the hashed password in the configuration to bind with
>> AD. I just changed the group policy on AD to allow "store passwords
>> using reversible encryption", but it still takes the plain text binding
>> and gives the error to the MD5 hashed password.
>
> If you saved a password-hash in a configuration file, and it were possible
> to bind with the password-hash, then the hash is in effect plaintext. You're
> not adding any security by using a hash in that circumstance. This is a
> difficult problem. If you're trying to enable an automatic login without any
> kind of authentication transaction involving a challenge, then somewhere
> along the way you will have a sensitive resource that you have to protect as
> best you can.

-- 
Posted via http://www.ruby-forum.com/.
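The following is an added, constructed Ruby model of the three cases the thread discusses; it is not code from either poster, not the net-ldap gem, and not how Active Directory actually implements bind. It assumes a toy directory (`DIRECTORY`, one hypothetical account `svc_app`) that stores a salted SHA-256 verifier, and it contrasts (A) a simple bind, where whatever the config file holds is what crosses the wire, (B) a server that would accept the stored hash directly, where the hash becomes the credential, and (C) a challenge-response exchange, where nothing secret crosses the wire but the client-side key is still a full credential that must be protected.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constructed toy directory: one service account whose password is known only
# here and to the legitimate client. 'svc_app' and the password are made up.
SALT = 'constructed-salt'.freeze

def verifier_for(password)
  Digest::SHA256.hexdigest(SALT + password)
end

DIRECTORY = { 'svc_app' => verifier_for('correct horse') }.freeze

# Constant-time string comparison, so the verifier does not leak via timing.
def constant_time_eq?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Scenario A: simple bind. The client sends the secret itself; the server
# recomputes the verifier. The value in the config file is exactly what goes
# over the network, so without TLS on that connection it is exposed in transit,
# and sending the hash instead of the password simply fails (the server hashes
# it again). This mirrors the MD5-hash error described in the thread.
def simple_bind(user, wire_secret)
  stored = DIRECTORY[user]
  return false if stored.nil? || !wire_secret.is_a?(String)
  constant_time_eq?(verifier_for(wire_secret), stored)
end

# Scenario B: a server that accepts the stored hash directly at bind time.
# The config file now holds a value that by itself opens the account, so the
# hash is the credential in all but name, which is Francis's point.
def hash_bind(user, wire_hash)
  stored = DIRECTORY[user]
  return false if stored.nil?
  constant_time_eq?(wire_hash, stored)
end

# Scenario C: challenge-response. The server issues a fresh nonce and the
# client proves knowledge of its key with an HMAC over that nonce. The wire
# carries only (nonce, response); a captured response is useless against a
# later nonce. The client still has to hold client_key somewhere, and that
# file remains as sensitive as the password: a challenge removes the secret
# from the wire, not from the client.
def issue_challenge
  SecureRandom.hex(16)
end

def respond(client_key, nonce)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), client_key, nonce)
end

def challenge_bind(user, nonce, response)
  stored = DIRECTORY[user]
  return false if stored.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), stored, nonce)
  constant_time_eq?(expected, response)
end

# Walk through the cases with the two things a config file might hold.
def demo
  password   = 'correct horse'            # what a plaintext config holds
  config_hash = verifier_for(password)    # what the poster hoped to hold instead

  nonce    = issue_challenge
  response = respond(config_hash, nonce)  # client-side key is the verifier here

  {
    simple_bind_with_password: simple_bind('svc_app', password),      # true
    simple_bind_with_hash:     simple_bind('svc_app', config_hash),   # false
    hash_bind_with_hash:       hash_bind('svc_app', config_hash),     # true
    challenge_bind_ok:         challenge_bind('svc_app', nonce, response),
    challenge_replay_fails:    !challenge_bind('svc_app', issue_challenge, response)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Scenario A is the one a simple LDAP bind corresponds to: the only way to keep the secret off an eavesdropper's screen is to protect the connection (LDAPS or StartTLS) or to use a challenge-based mechanism, and either way the client still has to store something that must be guarded with file permissions and a restricted service account.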