
Re: Double colon in LDIF



rob fielding writes:
> cisSetting:: Ym0ubmV3QGRl
> userPassword:: eXZxZDJkbHk=
> dn:: AGNuPWRzdnIwMDAwLG91PUF

In LDIF format, this is a valid representation of attribute values.
The '::' means that the following value is base64-encoded in the file.
(It is not so encoded in the directory; the client which reads the
value must base64-decode it before using it.)

If you are parsing LDIF files "by hand", you also need to know that a
line which starts with a space is a continuation of the previous line.
Remove 1 space at the beginning of continuation lines and append them
to the previous line.

LDIF format is described in RFC 2849, which is included in doc/rfc/ in
OpenLDAP.

> Things to note: *all* userPassword entries are double colon entries in
> the LDIF - they are in fact plaintext at this point, visible in gq.

Good.  Applications should try to avoid displaying plaintext passwords.
While base64 is easy to "decrypt", at least the password can't be seen
at a glance.

-- 
Hallvard
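
Added example, not part of the original message or of OpenLDAP: the two parsing rules described in the reply, continuation-line unfolding and '::' base64 decoding, applied to a constructed LDIF entry. The function names (unfold, parse_entry) and all sample values are assumptions made for illustration.

```python
import base64

# Constructed sample entry (not from the original post). The userPassword
# value is base64 of "s3cret-example", folded onto a continuation line.
SAMPLE_LDIF = (
    "# constructed sample entry\n"
    "dn: cn=Example User,dc=example,dc=com\n"
    "description: a long value that has been folded\n"
    "  across two lines\n"
    "userPassword:: czNjcmV0LWV4\n"
    " YW1wbGU=\n"
)

def unfold(text):
    """Join continuation lines: drop exactly one leading space, then append."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]   # only the first space is the fold marker
        else:
            lines.append(raw)
    return lines

def parse_entry(text):
    """Return (attribute, value_bytes, was_base64) tuples for one entry."""
    result = []
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue               # blank separator or comment
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):   # 'attr:: <base64>' -> decode to raw bytes
            value = base64.b64decode(rest[1:].strip(), validate=True)
            result.append((attr, value, True))
        elif rest.startswith("<"): # 'attr:< <url>' reference, not fetched here
            result.append((attr, rest[1:].strip().encode("utf-8"), False))
        else:                      # 'attr: <value>' stored as written
            result.append((attr, rest.lstrip(" ").encode("utf-8"), False))
    return result

if __name__ == "__main__":
    for attr, value, encoded in parse_entry(SAMPLE_LDIF):
        # base64 is an encoding, not protection: mask secrets before display
        shown = "<hidden>" if attr.lower() == "userpassword" else value.decode()
        print(f"{attr}: {shown} (base64 in file: {encoded})")
```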