Note that the key as to whether it's base64 encoded is the double colon -- userPassword:: ijlkci0ij297clkjljk
In addition to Dan's technique, in a Linux (and perhaps other nixes) shell you can:

echo "ijlkci0ij297clkjljk" | base64 -d

________________________________________
From: openldap-technical [[email protected]] on behalf of Dan White [[email protected]]
Sent: Thursday, September 03, 2015 2:07 PM
To: Chuck Theobald
Cc: [email protected]
Subject: Re: Change userPassword

On 09/03/15 10:54 -0700, Chuck Theobald wrote:
>I am finding it impossible to set user passwords to the form
>{SASL}[email protected]
>
>ldapmodify can delete userPassword, and can add it again but ends up
>setting it to a hash despite trying password-hash {CLEARTEXT} and
>password-hash {SASL} in slapd.conf. And no, I am not using slapd.d.

By hash, I assume you mean base64 encoding, which is how ldapsearch displays
contents of userPassword when retrieved. uudecode the contents to see the
actual data. Here's a simple perl script I use:

#!/usr/bin/perl
# Decode the base64 string passed as the first argument
use MIME::Base64;
print decode_base64($ARGV[0]);
print "\n";

If you are actually retrieving a crypt(3) style hash, verify you are not
running ldapmodify with an extension (-E) and that you are not doing
something strange with an overlay.

password-hash should only come into play when performing an ldap password
extended operation, such as with ldappasswd.

>Every post I find taunts me with things like "oh, set the userpassword
>to {SASL}<[email protected]> and it will Just Work". This simple step
>eludes me. I am seriously missing something quite easy.

--
Dan White
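The double-colon check and the decode step discussed in this thread, as an added Python example that is not part of the original messages: it unfolds LDIF continuation lines, decodes `::` values, and reports the `{SCHEME}` prefix actually stored in userPassword. The function names, DNs and sample values are constructed for illustration.

```python
import base64

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def classify(value):
    """Return the {SCHEME} prefix of a stored value, or CLEARTEXT if none."""
    if value.startswith(b"{") and b"}" in value:
        return value[1:value.index(b"}")].decode("ascii", "replace").upper()
    return "CLEARTEXT"

def user_passwords(ldif_text):
    """Return (dn, transport, scheme, decoded value) per userPassword line."""
    dn, found = None, []
    for line in unfold(ldif_text):
        if line.startswith("#"):
            continue                      # LDIF comment
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # blank separator between entries
        if rest.startswith(":"):          # "attr:: value" means base64
            value, transport = base64.b64decode(rest[1:].strip()), "base64"
        else:                             # "attr: value" is the literal text
            value, transport = rest.strip().encode(), "plain"
        if name.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif name.lower() == "userpassword":
            found.append((dn, transport, classify(value),
                          value.decode("utf-8", "replace")))
    return found

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample in the shape of ldapsearch output; no real credentials.
_bob = _b64("{SSHA}constructed-not-a-real-digest")
SAMPLE = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + _b64("{SASL}alice@EXAMPLE.COM") + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword:: " + _bob[:20] + "\n " + _bob[20:] + "\n"   # folded value
)

if __name__ == "__main__":
    for row in user_passwords(SAMPLE):
        print(row)
```

A scheme of SASL after decoding means the value was stored as intended and only displayed in base64; SSHA, CRYPT or similar means something hashed it on the way in.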
