The global/default password hashing algorithm is stored in passwordStorageScheme (cn=congi), 

# ldapsearch -x -D cn=directory\ manager -w xxxx -LLL  -b "cn=config" -s base passwordStorageScheme
dn: cn=config
passwordStorageScheme: SSHA

To find the hashing algorithm used on an existing user entry: 

# ldapsearch -LLL -x -D cn=Directory\ Manager -w xxxx  -b <base_dn> uid=luser1  userPassword

dn: uid=luser1,dc=example,dc=com
userPassword:: e1NTSEF9czNPcjAyWWhYV3laSXJCUk9tSnhYU2RnbmJyc1hFTU9BaDFxT3c9PQ==

ldapsearch encodes 'userPassword' attribute by default, decode it and check the {first portion} to get the algorithm used.

# echo e1NTSEF9czNPcjAyWWhYV3laSXJCUk9tSnhYU2RnbmJyc1hFTU9BaDFxT3c9PQ==|base64 -d


On Sat, Jan 11, 2014 at 5:47 PM, Elizabeth Jones <> wrote:
Is there an ldap command that I can use to determine what encryption is
being used for the passwords in my 389 DS?

Elizabeth J

389 users mailing list