You are probably binding anonymously to the LDAP-server. userPasswords are special in that not everybody can read all userPassword attributes. So, like your "code" says ("by anonymous auth"), you can only authenticate as a non-anonymous user to the LDAP-server. You will then be able to see your own (encrypted) userPassword. Only the LDAP-server's "root" (which can be any CN within your directory) can read all userPasswords. Such an account can be specified within slapd.conf with:
Code:
rootdn "cn=admin,dc=yourdomain"
rootpw secret
Or better, encrypt this special password with: slappasswd -h '{MD5}'
Code:
rootdn "cn=admin,dc=yourdomain"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
You could probably configure access-rules to give everybody (maybe including anonymous users) read-access to the userPassword attributes, but that's certainly not recommended! (if at all possible).
I suggest these ACLs (Access Control Lists):
Code:
access to attribute=userPassword
    by dn="cn=admin,dc=nodomain" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=nodomain" write
    by * read
and then not have the "rootdn" and "rootpw" lines in slapd.conf.
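The two things the post relies on, that `slappasswd -h '{MD5}'` is just a base64-encoded MD5 digest and that slapd applies ACLs first-match (the first `access to` whose target matches is chosen, and within it the first `by` clause whose "who" matches decides the level, so `by * none` at the end is what locks everyone else out), are easy to get wrong silently. The following is an added example, not code from the post or from OpenLDAP: it reproduces the `{MD5}` hash for the password `secret` and models the post's ACLs as data so you can check what level each kind of requester ends up with before committing the rules to slapd.conf. The DNs `uid=bob,dc=nodomain` and `uid=alice,dc=nodomain` are constructed sample entries.

```python
import base64
import hashlib

# Mirrors `slappasswd -h '{MD5}'`: the raw 16-byte MD5 digest, base64 encoded,
# with the {MD5} scheme prefix. Unsalted, so equal passwords give equal values.
def slappasswd_md5(password: str) -> str:
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


# What slapd does on a simple bind against a {MD5} userPassword value.
def check_md5_password(stored: str, candidate: str) -> bool:
    if not stored.startswith("{MD5}"):
        raise ValueError("not an {MD5} userPassword value")
    return slappasswd_md5(candidate) == stored


# slapd access levels in ascending order; "auth" permits bind but not read.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The post's ACLs as (target, [(who, level), ...]) in slapd.conf order.
ACLS = [
    ("attribute=userPassword", [
        ('dn="cn=admin,dc=nodomain"', "write"),
        ("anonymous", "auth"),
        ("self", "write"),
        ("*", "none"),
    ]),
    ("*", [
        ('dn="cn=admin,dc=nodomain"', "write"),
        ("*", "read"),
    ]),
]


def _who_matches(who: str, requester_dn, target_dn: str) -> bool:
    # requester_dn is None for an anonymous bind.
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester_dn is not None and requester_dn.lower() == who[4:-1].lower()
    return False


def _target_matches(target: str, attribute: str) -> bool:
    if target == "*":
        return True
    if target.startswith("attribute="):
        return target[len("attribute="):].lower() == attribute.lower()
    return False


# First-match evaluation: the first matching "access to" clause is the only one
# consulted; if none of its "by" clauses match, slapd denies (implicit "by * none").
def access_level(requester_dn, target_dn: str, attribute: str, acls=ACLS) -> str:
    for target, clauses in acls:
        if not _target_matches(target, attribute):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(requester_dn, target_dn: str, attribute: str, needed: str, acls=ACLS) -> bool:
    return LEVELS.index(access_level(requester_dn, target_dn, attribute, acls)) >= LEVELS.index(needed)


if __name__ == "__main__":
    bob = "uid=bob,dc=nodomain"      # constructed sample entry
    alice = "uid=alice,dc=nodomain"  # constructed sample entry
    print(slappasswd_md5("secret"))
    for who, label in [(None, "anonymous"), (bob, "bob (self)"), (alice, "alice"), ("cn=admin,dc=nodomain", "rootdn")]:
        print(f"{label:12} userPassword -> {access_level(who, bob, 'userPassword'):5}  mail -> {access_level(who, bob, 'mail')}")
```

Running it shows the intended outcome of the post's rules: anonymous binds can authenticate against Bob's userPassword but never read it, Bob can change his own, Alice gets nothing on Bob's password but can still read his other attributes, and the admin DN can write everything. Swapping the order so that `by * none` comes before `by self write` makes `access_level` return `none` for Bob too, which is the ordering mistake the first-match rule punishes.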