When slapd (LDAP server daemon) is configured to replicate itself to another server, on each addition/modification to the directory it will store the changes to be replicated in /var/lib/ldap/replog. This directory is world-readable and entries like userPassword will be visible (although on sensible setups they will already be hashed to MD5 or SHA). slurpd will then pick the changes up, push them to the slave directory, and store them in /var/spool/slurpd/replica/slurpd.replog, which is a complete log of changes applied by slurpd and is world-readable as well.
Am I missing something or should a bug be filed?

Massimiliano
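
A local check for the exposure described in this message, as an added example that is not part of the original post: it reports whether the two replication logs named above are readable by "other" and how many `userPassword` lines they hold. The function names are hypothetical, and only the immediate parent directory is checked for traversal, not the whole path.

```shell
#!/bin/sh
# Added example: audit slapd/slurpd replication logs for world-readable
# permissions and credential attributes. Paths are the ones named in the post.

# Print "yes" if the "other" read bit is set on $1, else "no".
other_readable() {
    # ls -ld mode string: char 1 = type, 2-4 user, 5-7 group, 8-10 other
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c8)
    [ "$mode" = "r" ] && echo yes || echo no
}

# Print "yes" if "other" may traverse directory $1 (x, or t = x + sticky).
other_traversable() {
    bit=$(ls -ld -- "$1" 2>/dev/null | cut -c10)
    case "$bit" in x|t) echo yes ;; *) echo no ;; esac
}

# Count userPassword attribute lines in $1, hashed or not. The pattern also
# matches the base64 form "userPassword::".
count_password_lines() {
    grep -ci '^userPassword:' -- "$1" 2>/dev/null || true
}

# Audit one replog: print a finding line, return 1 if other users can read it.
audit_replog() {
    f=$1
    [ -e "$f" ] || { echo "SKIP $f (not present)"; return 0; }
    readable=$(other_readable "$f")
    # Assumption: only the immediate parent directory is checked.
    reachable=$(other_traversable "$(dirname "$f")")
    secrets=$(count_password_lines "$f")
    if [ "$readable" = yes ] && [ "$reachable" = yes ]; then
        echo "EXPOSED $f other-readable, userPassword lines: $secrets"
        return 1
    fi
    echo "OK $f other-readable=$readable dir-traversable=$reachable"
}

# Run against the two files named in the post; absent files are skipped.
for p in /var/lib/ldap/replog /var/spool/slurpd/replica/slurpd.replog; do
    audit_replog "$p" || true
done
```

Run it as root so that files under restrictive parent directories can still be inspected; the result depends on the permission bits, not on who runs the check.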