Thierry Lacoste wrote:
but when you do a slapcat or ldapsearch and the output is in LDIF format, the userpassword will be base_64 encoded, and it will look like this: userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9
Just out of curiosity, why is it further encoded, as everything in the userPassword is already base_64 encoded except the string {SHA}?
IIRC these tools try to hide the userPassword value from being viewed in case they contain clear-text passwords. It's kind of hard-coded. This protects only against a good admin accidentally reading passwords he doesn't want to know.
Note the :: before the value. This LDIF syntax indicates that the value is base64-encoded. For reading LDIF files I strongly recommend using a decent LDIF parser available for your favorite scripting language instead of implementing naive string parsing yourself.
Ciao, Michael.
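The two encoding layers discussed in this thread, shown as an added example that is not part of the original messages: the LDIF `::` base64 wrapper comes off first, then the `{SHA}` scheme prefix and the base64 digest beneath it. The DN, the `description` line and the line fold are constructed for illustration, and all function names are hypothetical. The fold shows one case that splitting lines on `:` alone gets wrong.

```python
import base64

# Constructed entry: the userPassword value is the one quoted in the thread,
# folded across two lines here to show an RFC 2849 continuation line.
SAMPLE_LDIF = """\
dn: uid=example,dc=example,dc=com
userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2
 ZWhRT21ZUElmUzI4L0U9
description: plain value
"""

def unfold(text):
    """Join continuation lines (a line that starts with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode_attr_line(line):
    """Return (attribute, value bytes); '::' marks a base64-encoded value."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):
        raise ValueError("URL-referenced values are not handled here")
    return attr, rest.lstrip(" ").encode("utf-8")

def split_scheme(value):
    """Split b'{SCHEME}data' into (scheme, data); scheme is None if absent."""
    if value.startswith(b"{") and b"}" in value:
        scheme, _, data = value[1:].partition(b"}")
        return scheme.decode("ascii"), data
    return None, value

def password_layers(ldif_text):
    """Return (stored value, scheme, raw digest) for the first userPassword."""
    for line in unfold(ldif_text):
        if line and not line.startswith("#"):
            attr, value = decode_attr_line(line)
            if attr.lower() == "userpassword":
                scheme, data = split_scheme(value)
                hashed = scheme in ("SHA", "SSHA", "MD5", "SMD5")
                return value, scheme, base64.b64decode(data) if hashed else None
    return None
```
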