And quite right too! You really don't want to make it any easier for an attacker to search for weak passwords.
*sigh*
I dislike misguided attempts at making things harder for attackers. If an attacker already has access to your userPassword field, then they can do exactly the same procedure that you proposed I do to extract that information. This sort of "security feature" doesn't make it substantively harder for attackers. It makes it irritating for systems administrators. Yes, I *could* write a script to do what you propose. But, I have a database engine that I ought to be able to query to give me the information I need, and I don't want to have to write a script every time I need to query information from a handful of special attributes while not having to do so to search by last name or whatever.
At the very least, this ought to be an option. I can see not making a search index on userPassword by default, but as a system administrator I ought to be able to make that decision for myself. I don't need a person who has absolutely no context about my situation telling me that I can't use my copy of the software to do something I want to do with my data.
Also, why are there some other things that can't be searched via substring (like homeDirectory)? What if I want to know which users are using bash because we're thinking about upgrading it and want to notify those users? Or what if I want to know which users are using /usr/local/bin/bash instead of /bin/bash so that I can update the database to be consistent?
--
Tim Gustafson
tjg@ucsc.edu
831-459-5354
Baskin Engineering, Room 313A