Hi Problem Statement: If I have the following ldif executed by Directory Manager: dn: uid=jsmith,ou=People,dc=mycompany changetype: modify replace: userPassword userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171 This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set. If however the ldif looks like: dn: uid=smith,ou=People,dc=mycompany changetype: modify replace: userPassword userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt It is not subject to the password policy and stil gets changed. doing a ldapsearch will show the following: # jsmith, People, mycompany dn: uid=jsmith,ou=People,dc=mycompany uid: jsmith cn: John Smith userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ= Questions: Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager. Is there any way apart from looking at : dn: cn=config passwordStorageScheme: ssha to determine what the encryption will be. Or put differently how can I be sure that the string I am seeing has been properly encrypted according the set standard? Best Regards ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________