Taking a hint from the TODO list, I ended up hacking out parts of ldapsearch and creating ldapcompare.
I can submit it, but I have a question first.
I have an access rule set up in slapd.conf so that users can't see the userPassword attribute unless they are authenticated and they are over an encrypted channel (or on localhost):
access to dn="ou=People,dc=f5,dc=com" attr=userPassword
    by self ssf=128 write
    by self peername="IP=127\.0\.0\.1" write
    by anonymous auth
    by * none
So I did a compare:
ldapcompare -D "uid=costlow,ou=People,dc=f5,dc=com" -W -x "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"
TRUE
The above is correct: from localhost I authenticated and then was allowed to compare the userPassword value that was stored.
But when I did this:
ldapcompare "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"
TRUE
(I even did this on a host that wasn't localhost without using -ZZ)
Seems to me like the compare in this case should not work, because I wasn't authenticated. Shouldn't that 'by * none' that's in there mean that I can't even do a compare? At least the 'by anonymous auth'? Maybe I am misunderstanding how the access rules work.
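For anyone checking expectations against slapd.access(5), here is an added example (not from this post and not OpenLDAP code) that models how the "by" clauses above are evaluated: the first matching clause wins, an implicit "by * none" ends every directive, and a compare on an attribute needs the "compare" privilege, which sits above "auth" in the ordering none < disclose < auth < compare < search < read < write < manage. The requester values, the port-carrying peername format and the treatment of the peername pattern as a regex are assumptions, and the entry DN is assumed to fall under the "to" clause.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Privilege ordering from slapd.access(5); each level implies everything to its left.
# ("disclose" exists only in newer slapd releases; it does not change the result here.)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Requester:
    """Who is asking. dn=None models an anonymous (unbound) connection."""
    dn: Optional[str] = None
    ssf: int = 0          # security strength factor of the connection (0 = cleartext)
    peername: str = ""    # assumed slapd-style peer string, e.g. "IP=127.0.0.1:44123"


@dataclass
class ByClause:
    who: str              # "self", "anonymous", "users", "*" or a literal DN
    level: str            # granted privilege, e.g. "auth", "write"
    mods: dict = field(default_factory=dict)   # extra conditions: ssf=..., peername=...


def parse_by(line: str) -> ByClause:
    """Parse one 'by <who> [<modifiers>] <access>' line from slapd.conf."""
    toks = shlex.split(line)   # keeps the backslashes in peername="IP=127\.0\.0\.1"
    if toks[0] != "by" or len(toks) < 3:
        raise ValueError(f"not a by clause: {line!r}")
    mods = dict(t.split("=", 1) for t in toks[2:-1])
    return ByClause(who=toks[1], level=toks[-1], mods=mods)


def parse_acl(text: str) -> list:
    return [parse_by(l) for l in text.splitlines() if l.strip().startswith("by ")]


def clause_matches(c: ByClause, req: Requester, entry_dn: str) -> bool:
    """Every part of a by-clause (who plus all modifiers) must hold for it to apply."""
    if c.who == "self":
        if req.dn is None or req.dn.lower() != entry_dn.lower():
            return False
    elif c.who == "anonymous":
        if req.dn is not None:
            return False
    elif c.who == "users":
        if req.dn is None:
            return False
    elif c.who != "*" and c.who.lower() != (req.dn or "").lower():
        return False
    if "ssf" in c.mods and req.ssf < int(c.mods["ssf"]):
        return False
    if "peername" in c.mods and not re.match(c.mods["peername"], req.peername):
        return False   # assumption: pattern is a regex anchored at the start of the peer string
    return True


def granted_level(acl: list, req: Requester, entry_dn: str) -> str:
    """slapd stops at the first matching by-clause; an implicit 'by * none' ends the list."""
    for c in acl:
        if clause_matches(c, req, entry_dn):
            return c.level
    return "none"


def allows(acl: list, req: Requester, entry_dn: str, needed: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl, req, entry_dn)) >= LEVELS.index(needed)


# The directive from the post, verbatim (raw string keeps the escaped dots).
ACL_TEXT = r'''
access to dn="ou=People,dc=f5,dc=com" attr=userPassword
    by self ssf=128 write
    by self peername="IP=127\.0\.0\.1" write
    by anonymous auth
    by * none
'''
ACL = parse_acl(ACL_TEXT)
COSTLOW = "uid=costlow,ou=People,dc=f5,dc=com"

if __name__ == "__main__":
    # Constructed requesters: the two situations from the post plus two remote variants.
    cases = {
        "bound as self, localhost, cleartext": Requester(COSTLOW, 0, "IP=127.0.0.1:40000"),
        "bound as self, remote, cleartext": Requester(COSTLOW, 0, "IP=10.0.0.5:40000"),
        "bound as self, remote, TLS ssf=256": Requester(COSTLOW, 256, "IP=10.0.0.5:40000"),
        "anonymous, remote": Requester(None, 0, "IP=10.0.0.5:40000"),
    }
    for name, req in cases.items():
        lvl = granted_level(ACL, req, COSTLOW)
        print(f"{name:38} level={lvl:8} compare allowed: {allows(ACL, req, COSTLOW, 'compare')}")
```

Under this model the anonymous requester gets exactly "auth" on userPassword, which is enough for a bind to succeed but not for a compare, while the bound user from 127.0.0.1 reaches "write" through the peername clause even without TLS.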