My gut feeling is that I should reset the hashes and discard the cleartext to prevent misuse of these credentials. Is there any reason not to do this?
You have a few options:

a) Use slappasswd to generate a hash of the password rather than using a cleartext value.
b) Do something like Debian & Red Hat do, and use SASL/EXTERNAL plus a regexp map for the local "root" user to be able to be the rootdn, and have no password value set.
c) Or just delete it entirely.

I'd suggest (a) or (b) instead, in case you ever needed elevated privileges that are not subject to ACLs.
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
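A check for the situation discussed in this thread, as an added example that is not part of the original messages: it scans a cn=config LDIF export for olcRootPW values stored without a hash scheme prefix such as the one slappasswd produces. The sample LDIF, its DNs and its password values are constructed for illustration, and the function and helper names are hypothetical.

```python
import base64
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")  # e.g. {SSHA}, as emitted by slappasswd

def audit_rootpw(ldif_text):
    """Return [(entry_dn, status)] per olcRootPW; the value itself is never returned."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    findings, dn = [], None
    for line in unfolded.split("\n"):
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("olcrootpw:"):
            rest = line[len("olcRootPW:"):]
            if rest.startswith(":"):  # 'attr:: value' is base64, an encoding and not a hash
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            m = SCHEME.match(value)
            if m and m.group(1).upper() != "CLEARTEXT":
                findings.append((dn, "hashed:" + m.group(1).upper()))
            else:
                findings.append((dn, "cleartext"))
    return findings

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample input: DNs, the password and the hash text are made up.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
olcRootPW: constructed-cleartext

dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: %s

dn: olcDatabase={2}mdb,cn=config
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: %s
""" % (b64("{SSHA}constructedNotARealHash"), b64("constructed-cleartext"))

if __name__ == "__main__":
    for dn, status in audit_rootpw(SAMPLE_LDIF):
        print(f"{status:12} {dn}")
```

Entries with no olcRootPW at all, as in options (b) and (c), produce no finding.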