Simple bind will reveal the password in clear. I do not think we want to do this for the same reasons we do not want to store them on the client machine. It will force us to use SSL. It is currently turned off for performance reasons. SASL will not give us the password in clear on the server side so we won't be able to generate the hashes.

Currently we hook into the password change extended operation and provide a kpasswd service to ensure that Kerberos keys (and other hashes which are based on the user's password) are generated whenever a user changes her password. Would it be useful to also intercept the password used when a simple or SASL/PLAIN bind request succeeds, and take the opportunity to generate the hashes so that we can avoid forcing password changes?

Am I missing something?

Dmitri