On 2013-06-03 20:46, Kurt@OpenLDAP.org wrote:

Not a bug...

Clear text passwords appear in userPassword without any RFC 2307 scheme, as in

userPassword: secret

not:

userPassword: {CLEARTEXT}secret

That's backwards. userPassword values without a {scheme} prefix are cleartext passwords. Values with a {scheme} prefix use that scheme.

This does not imply that a scheme can't be used which simply represents the passwords as-is, nor that slapd or slap tools have any business stripping away such a {scheme} prefix. In particular not when that's the only way to represent cleartext passwords starting with "{letters}".

Though possibly this would mean slapd needs a tweak to how it represents non-prefixed passwords internally, if it currently uses "{cleartext}" to tell itself that. I have not looked yet.