Authenticating passwords against an LDAP

I am a bit confused as to where passwords are stored within an LDAP. Many applications, eg. AD, seem to store passwords to allow users to log onto apps or computers. However, AD is open and can u开发者_如何学Csually be viewed by anyone. So, where is the password? Can I pull passwords out of an LDAP?

AD stroes the password in an attribute called unicodepwd. This is a one way hash. Even if you can view it,you can not retrieve the password. Also this attribute can not be viewed with regular ldap searches. You have to use ldapi interface to retrieve it. Which means you have to be on the local machine.