How to check ldap password storage policy

How do I check how passwords are stored in a local running OpenLDAP server? I would prefer some sort of query that will state the used configuration. Alternatively, accessing the stored passwords to see that they are encrypted would also be acceptable. Just checking the config file is not sufficient.

I have listed the users with their passwords using ldapsearch

ldapsearch -x -b ou=people -H ldap://127.0.0.1 -D cn=admin -w <password>

and the passwords are not listed in clear text, but does that really confirm they are not stored in clear text, or do ldapsearch encrypt them before returning results?


I have listed the users with their passwords using ldapsearch and the passwords are not listed in clear text, but does that really confirm they are not stored in clear text?

Yes, no, maybe.

I think ldapsearch and for example a password policy overlay do not replace stored clear text passwords with an encrypted or hashed version in search responses. Encryption/hashing of cleartext passwords only occurs when passwords are set/updated. I think that in that regard you can trust what ldapsearch shows you.

But both ldapsearch and slapcat display userPassword in base64-encoded format. A double colon :: after the attribute name is used to indicate that the value is base64-encoded.

 userPassword:: c2VjcmV0LXBhc3N3b3JkCg==
 userPassword:: e1NTSEF9RGtNVHdCbCthLzNEUVR4Q1lFQXBkVXROWEdnZFVhYzMK

You won't actually know until you decode that base64 character string if the password is hashed or clear text. If you find only passwords in the form of {hash prefix}salt/value:

 userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
 userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
 userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
 userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
 userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=

then you're good. Passwords without such a prefix are plain text.

Just checking the config file is not sufficient.

Indeed. When the password hashing/encryption is enabled/changed neither existing clear text passwords nor existing passwords encrypted with different algorithms are converted.
As far as I'm aware after changing the default password policy existing clear text and passwords hashed with other algorithms will also not stop working either, the ldap daemon simply iterates through all supported mechanisms whenever an authentication request is made.

To inspect the contents of the actual stored data in OpenLDAP the easiest is probably exporting the database to a readable LDIF format with slapcat ; extract all userPassword attribute values from that LDIF and base64 decode them.