OpenLdap Clear-text Password in Debug Mode

To: openldap-technical@openldap.org

Subject: OpenLdap Clear-text Password in Debug Mode

From: Rich Alford <ralford100@gmail.com>

Date: Mon, 30 Nov 2015 14:20:44 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=icDn4Mry6M+QN3uEwdMx6Xlk/gfpPI+lm2J/z4wFE40=; b=S2Jf9Nmg+S107L7MK4w9V6kOb7pDdXBgvTMXNAoQjCbV7SZ8/+emKOfrTVESBrN9KB pNCKOIRGgyvb+5sFeL3HoJO6bwhymeYxwLfjQDzc/4nLAD7PngyGv290HbVB6aWfP45V jW+6vmVKmBLFJS4Qh6ohOonxO/CVZCNHALvxYTbAJkd3wI5WgeN3gw1FrHY1nH6jTZpO VdsNoC2qWUoywanxSHu8arkABXKyYPRTsoJQZqD4PyUDXms4853fx4MdbYDaKJa0VXKr JKZJWunlyCghnkxP0kDxvq1cl14Vnw5CN1IQASLCluQ9bJZfws/HTzL9s5T0UnTzak8M +bXA==

Hi All:

I'm not sure if this issue results from my ignorance of OpenLdap, or it's not
capable of resolving. Regardless, any direction you can provide would be
greatly appreciated:

I have a basic OpenLdap installation with TLS encryption. Passwords are
hashed in the ldap directory. The user password travels from client to server
encrypted as it should, then gets unencrypted by slapd, and IF IN DEBUG MODE
gets displayed in *clear-text*. Theoretically, the password should be
hashed on the client, sent across the network, to be compared against the
hashed passwords in the database.

What am I missing??

Thank you,
Rich