Re: get cleartext password with ldapsearch/slapadd

[Peter Marschall <peter@adpm.de>]

Hi,

On Friday 10 October 2003 18:48, Eulogio Robles wrote:
> I need to export the whole directory to LDIF, including the passwords on
> cleartext.
> My slapd.conf includes the {CLEARTEXT} line. However, both slapcat and
> ldapsearch print the userpassword field scrambled with base64.
> If I use an "ldapsearch" application from a IPlanet Directory server
> (which will be removed soon), the password is correctly displayed on
> cleartext.
> OpenLdap is compiled with the --enable-cleartext flag.

the value {CLEARTEXT} to the password-hash statement in slapd.conf
and the compile option --enable-cleartext have nothing to do with
the output format of ldapsearch/slapcat.

They simply control whether slapd understands cleartxt passwords 
(--enable-cleartext) or stores passwords in cleartext when given in the 
extended password change operation (password-has {CLEARTEXT}).

AFAIK ldapsearch and slapadd encode the value of the userPassword attribute
into Base64 because they consider { or } as non-printable characters.

To get back the value stored, you only need to decode the Base64-encoded
values in the LDIF file.

> Also : any field that includes some "non-english" character (like "ñ")
> is also printed on base64. Any way to avoid that?

No, this is per definition of the LDIF format.
LDIF is assumed to return 7-bit data (with the highest bit of each Byte set to 
0). To accomplish this it has to encode these values using Base64 encoding.

Peter
-- 
Peter Marschall
eMail: peter@adpm.de