Scott Classen writes:
I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion. (...) When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed. (...) but the passwd history leaves the passwd hashes visible.
If you can get at the base64 representation, you can also base64-decode it. However, if a userPassword contains a plaintext password and is not base64-encoded, you can then accidentally display the password for others to see. I think that's why userPassword is displayed in base64.
I don't remember if pwdHistory can contain a currently active password. Otherwise it doesn't seem much of a problem.
But this reminds me - there are also back-config attributes which contain passwords, in particular olcRootPW. I'm not sure that is a problem though. Hopefully people are more careful with who is looking when they are playing with cn=config, in particular if they have plaintext passwords there. And base64-encoding it could frustrate people who _want_ to read it. I don't know whether the best approach is to base64 those attributes or leave them alone.
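The point made in the reply above, as an added example that is not part of the original thread: base64 in a slapcat dump is only an encoding, so an audit has to decode each value and look for a `{SCHEME}` prefix to tell a hash from a plaintext password. The sample LDIF, DNs and hash placeholder are constructed, and the pwdHistory layout (time#syntaxOID#length#data) is assumed from the ppolicy overlay's format.

```python
import base64
import re

PASSWORD_ATTRS = {"userpassword", "pwdhistory", "olcrootpw"}  # attributes named in the thread
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")  # e.g. {SSHA}, {CRYPT}

def classify(value):
    """Name the storage scheme of a decoded value; no {SCHEME} prefix means plaintext."""
    m = SCHEME_RE.match(value)
    scheme = m.group(1).upper() if m else "PLAINTEXT"
    return "PLAINTEXT" if scheme == "CLEARTEXT" else scheme

def audit(ldif_text):
    """Return (dn, attribute, scheme) for every password-bearing value found."""
    findings, dn = [], None
    # Unfold LDIF first: a newline followed by one space continues the previous line.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() in PASSWORD_ATTRS:
            if name.lower() == "pwdhistory":  # assumed layout: time#syntaxOID#length#data
                value = value.split("#", 3)[-1]
            findings.append((dn, name, classify(value)))
    return findings

FAKE_HASH = "{SSHA}" + "A" * 32  # constructed placeholder, not a real hash
SAMPLE = "\n".join([  # constructed sample in slapcat's LDIF layout
    "dn: uid=alice,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(FAKE_HASH.encode()).decode(),
    "pwdHistory: 20090101000000Z#1.3.6.1.4.1.1466.115.121.1.40#38#" + FAKE_HASH,
    "",
    "dn: uid=bob,dc=example,dc=com",
    "userPassword:: c2VjcmV0",
    "",
    "dn: olcDatabase={1}bdb,cn=config",
    "olcRootPW: secret",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Entries reported as PLAINTEXT are the ones where anyone who can read the backup file, or the screen, has the password itself rather than a hash.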