How to enable Hash Passwords in OpenLDAP

By default;  OpenLDAP does not hash the password by itself. If LDAP client sends a plain text value for userPassword in normal add/modify LDAP operation, OpenLDAP stores the userPassword as base64 encoded plain text value. Therefore; this value can be easily base64 decoded and can be retrieved the plain text password. So, LDAP client must hash the password and send it in add/modify operations.

However; OpenLDAP has an overlay (module) which supports for password policy management. This overlay can be used to modify the default behavior of the OpenLDAP. It means that; when LDAP client sends a plain text password, OpenLDAP can itself hash (SSHA) the password and store it.

Let see how we can configure this overlay to achieve hash password in OpenLDAP.

Step 1. Install ppolicy overlay module. This can be easily done, when you are running the configuration of the OpenLDAP. Please check my previous post, You can configure OpenLDAP with “–enable-ppolicy “ option as following.

> ./configure --enable-ppolicy

If not, later you can install the ppolicy overlay module.

Step 2. Configure slapd.conf file to enable ppolicy overlay (In ubuntu file can be found in /usr/local/etc/openldap/slapd.conf)

Following entries have added in to the slapd.conf

#Include schema

include /usr/local/etc/openldap/schema/ppolicy.schema

# Load dynamic backend modules:


# After database definitions, You can add followings.

overlay ppolicy

Here “ppolicy_hash_cleartext”  enables the password hashing in ppolicy overlay.

Step 3. Restart the server

You can kill the server and start again.

Step 4. Testing.

Lets create new user entry. Following is the same LDIF

dn: cn=john,ou=Users,dc=soasecurity,dc=org
objectClass: person
sn: doe
cn: john
userPassword: johnldap

using ldapadd command

>ldapadd -x -D "cn=asela,dc=soasecurity,dc=org" -W -f user.ldif

if you retrieve the LDAP entry, it would be shown as following

# john, Users,
dn: cn=john,ou=Users,dc=soasecurity,dc=org
objectClass: person
sn: doe
cn: john
userPassword:: e1NTSEF9UEVKclF1THh6RU5XYnB0NUc3bTNsZmhoN0FtMkcvYmI=

If you base64 decoded the userPassword value, you will see the SSHA password.

Thanks for reading..!!!

Discuss this article on Stack Overflow


  1. hi!
    When i enable password policy and change slapd.conf file. server is not started and this error occur when we add user.ldif file
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

Leave a Reply

Your email address will not be published. Required fields are marked *