I have an OpenLDAP 2.4.23 server up and running in a Linux box L against which I can carry out password authentication on behalf of users logging into an embedded system E. To accomplish this, in L I have an LDIF file with entries along the following lines:

dn: uid=xxx,ou=yyy,dc=zzz,dc=com
uid: xxx
cn: xxx
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: ThisIsthePassword
shadowLastChange: 14014
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/xxx
gecos: ,,,

I would like to change this so that, when sending password information from my LDAP client in E to the LDAP server in L, the password itself is never sent in the clear. So I thought to change the value of the userPassword attribute to read

{SHA}3DRF4FXpG8r+Ki8i8azuZh7KwO8=

instead, where the string above was obtained by means of

slappasswd -v -s ThisIsthePassword -h "{SHA}"

in L.

After restarting the LDAP server in L, when user xxx logs into E with password "ThisIsthePassword" I can verify in the traces of the LDAP server (I am running it as slapd -d 255) that the client in E is sending the "3DRF4FXpG8r+Ki8i8azuZh7KwO8=" string, exactly as specified in the value of the userPassword attribute. However, the authentication is failing.

What is it exactly that the LDAP client in L is supposed to be sending to the LDAP server in this case? I noticed that if the client sends the actual "ThisIsthePassword" string instead, the authentication also fails. I am obviously missing something here, but what is it?
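How a {SHA} or {SSHA} userPassword value is built and checked during an LDAP simple bind, as an added example that is not part of the original post and is not OpenLDAP's own code. The function names are hypothetical; the sketch assumes the RFC 2307 schemes, where the server hashes the cleartext the client presents and compares the result with the stored digest.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password):
    """Build a {SHA} value: base64 of the raw SHA-1 digest (unsalted)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64 of SHA-1(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored, presented):
    """Check the string presented in a simple bind against a stored userPassword."""
    pw = presented.encode("utf-8")
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(pw).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        actual = hashlib.sha1(pw + salt).digest()
    else:
        expected, actual = stored.encode("utf-8"), pw   # cleartext entry
    return hmac.compare_digest(expected, actual)

def demo():
    """Run the checks with the password from the post's LDIF entry."""
    stored = make_sha("ThisIsthePassword")
    digest_only = stored[len("{SHA}"):]
    return {
        "cleartext_presented": verify(stored, "ThisIsthePassword"),
        "digest_presented": verify(stored, digest_only),
        "ssha_cleartext_presented": verify(make_ssha("ThisIsthePassword"),
                                           "ThisIsthePassword"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "->", "accepted" if ok else "rejected")
```

Presenting the base64 digest as the bind password is rejected because the server hashes whatever it receives. A hashed userPassword protects the value stored in the directory; it does not change what crosses the network in a simple bind.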