Hello, Wes.
I'm not a programmer by any stretch of the imagination but it appears to me that the LDIF generator is hard-coded to always base64-encode the userPassword value.
Yes, looks you're right.
I don't see any justification in the file for doing so, but the RFC says any value MAY be encoded. I think Michael's advice is very prudent.
MAY be encoded, yes. This means that ldapsearch or slapcat can output all values base-64 encoded. But it's very inconvenient. When userPassword is a link to another authenticator base-64 encoding is also inconvenient. -- sergio.