Bug 2113 - LDAP address books: don't store BIND passwords as cleartext
Summary: LDAP address books: don't store BIND passwords as cleartext
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.7.5
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
URL:
Depends on:
Blocks:
 
Reported: 2010-02-02 01:42 UTC by David Schneider
Modified: 2010-02-03 20:42 UTC

See Also:


Attachments

Description David Schneider 2010-02-02 01:42:27 UTC
LDAP BIND passwords are stored as cleartext in the addrbook--index.xml file.

(I have no knowledge of the LDAP protocol, so I am not sure if something is stopping the LDAP bind password being treated the same way as e-mail account passwords and being hashed, or if it's a similar issue to pidgin's password storage, where it needs to be able to decode the password anyway, so doing anything to encrypt it solely based on claws-mail code would be inherently insecure (since anyone with the codebase would be able to decrypt it as well).)

Ignoring run-on sentences, it would be nice if claws could encrypt the passwords it stores for LDAP, or at least if there were an explanation (and warning!) as to why it is not.
Comment 1 Holger Berndt 2010-02-02 08:31:08 UTC
E-Mail passwords need to be decryptable, too, so they can't just be stored as a hash either. Be aware that you don't have hard security on them.

That being said, LDAP passwords could indeed be treated the same way and at least be stored scrambled to be at least less obvious.
Comment 2 users 2010-02-03 17:59:34 UTC
Changes related to this bug have been committed.
Please check latest CVS and update the bug accordingly.
You can also get the patch from:
http://www.colino.net/claws-mail/

2010-02-03 [mir]	3.7.5cvs5

	* src/addrindex.c
	* src/editldap.c
	* src/ldapctrl.c
	* src/ldapctrl.h
	* src/ldapquery.c
	* src/ldapupdate.c
	    Save LDAP password encrypted. See bug 2113.
Comment 3 Michael Rasmussen 2010-02-03 18:00:26 UTC
Fixed in 3.7.5cvs5
Comment 4 Michael Rasmussen 2010-02-03 18:50:29 UTC
Forgot to explain behavior:
To encrypt the password for current LDAP connections, open the edit dialog and press the OK button; otherwise the address book will continue to work with the old, unencrypted password.
Comment 5 David Schneider 2010-02-03 20:34:02 UTC
Wow, thanks for the quick response, Michael.
Seems to work well, although I hope nobody has passwords starting with an exclamation point...
Comment 6 Michael Rasmussen 2010-02-03 20:42:27 UTC
I know :-) But it is a trade-off to avoid annoying users with current LDAP accounts.
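The thread above describes the shape of the fix without showing it: a stored bind password must stay recoverable (so it is scrambled, not hashed), and existing cleartext entries keep working until they are re-saved, which is done by sniffing a marker at the start of the stored value. The following is an added illustration written for this page, not code from Claws Mail's ldapctrl.c or addrindex.c; the '!' sentinel, the repeating-key XOR and the hex encoding are assumptions chosen to make the trade-off in Comments 5 and 6 concrete. It also shows the failure case the reporter worries about: a legacy cleartext password that happens to begin with the sentinel is misread as scrambled.

```c
/*
 * Added example, not Claws Mail code.  Models a config value that is either
 *   - legacy cleartext:       "s3cret"
 *   - scrambled (assumed):    "!" + hex(password XOR repeating KEY)
 * The reader sniffs the leading '!' to decide which one it has.  Because KEY
 * ships inside the program, this is obfuscation, not real encryption: anyone
 * with the binary can recover the password, exactly as Comment 1 warns.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENTINEL '!'
/* Assumed fixed key; a real program would at best tie this to the user. */
static const unsigned char KEY[] = "claws-demo-key";

/* Is this stored value in the scrambled format (by prefix only)? */
int is_scrambled(const char *stored)
{
    return stored[0] == SENTINEL;
}

/* Produce the stored form: '!' followed by hex of (plain XOR KEY). */
char *scramble(const char *plain)
{
    size_t n = strlen(plain), klen = sizeof(KEY) - 1;
    char *out = malloc(2 * n + 2);
    if (!out)
        return NULL;
    out[0] = SENTINEL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)plain[i] ^ KEY[i % klen];
        sprintf(out + 1 + 2 * i, "%02x", c);
    }
    out[1 + 2 * n] = '\0';
    return out;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Recover the password for use in the LDAP BIND.  A value without the
 * sentinel is treated as legacy cleartext and returned verbatim (this is
 * what keeps old address books working).  A value with the sentinel is
 * decoded; malformed hex yields NULL.  Caller frees the result.
 */
char *unscramble(const char *stored)
{
    size_t klen = sizeof(KEY) - 1;
    if (!is_scrambled(stored)) {
        size_t n = strlen(stored);
        char *copy = malloc(n + 1);
        if (copy)
            memcpy(copy, stored, n + 1);
        return copy;
    }
    const char *hex = stored + 1;
    size_t hn = strlen(hex);
    if (hn % 2 != 0)
        return NULL;
    char *out = malloc(hn / 2 + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < hn / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            free(out);
            return NULL;
        }
        out[i] = (char)(((hi << 4) | lo) ^ KEY[i % klen]);
    }
    out[hn / 2] = '\0';
    return out;
}

/* What "open the dialog and press OK" does: re-save an entry scrambled. */
char *migrate_entry(const char *stored)
{
    if (is_scrambled(stored))
        return scramble(unscramble(stored) ? unscramble(stored) : "");
    return scramble(stored);
}

int main(void)
{
    const char *legacy = "s3cret";            /* constructed sample */
    char *s = scramble(legacy);
    printf("stored:   %s\n", s);              /* !105f02051659 */
    printf("legacy:   %s\n", unscramble(legacy));
    printf("restored: %s\n", unscramble(s));
    /* The collision from Comment 5: an old cleartext password "!hunter2"
       is sniffed as scrambled, fails hex decoding, and the BIND breaks. */
    printf("'!hunter2' decodes to %s\n",
           unscramble("!hunter2") ? "a value" : "NULL (misread as scrambled)");
    free(s);
    return 0;
}
```

The ambiguity is inherent in prefix sniffing: "!deadbeef" as a genuine legacy password is valid hex and silently decodes to garbage rather than failing. The check a maintainer can add is a one-time config-format version bump (all entries written before version N are cleartext, all after are scrambled), which removes the need to guess from the value itself; the thread accepted the sniffing approach as the cheaper trade-off for existing users.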
