Why is ldapsearch returning garbled attribute values with a double colan (::) before the value?

Document ID : KB000052860
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I have several cases where ldapsearch is returning "garbled" attribute values:
In this case the mail and userPassword attribute values are incorrect. For example:

version: 1

dn: uid=wang,ou=Users,dc=neteauto,dc=com 
objectClass: top 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 
objectClass: IDMPerson 
mail:: V2hpdG5leS5ILldhbmdAZ3NrLmNvbSA=       
userPassword:: e1NIQX0vcHhuaEJyRHhDdmlKR1p0NUkyOXJ3VHBxV0E9 

Notice the double colan (::) before the values. When this problem occurs there
is always a double colon by the attribute. When I view these from JXplorer the values are correct, but when I dump the
values using an ldapsearch or from JXplorer using an LDIF dump the values are incorrect. This problem also frequently occurs on users with accent characters.

Solution:

The data is not not "garbled" just encoded. The values in your LDIF where a double colon "::" follows the attribute name means that the value is a Base64 encoded value.

The LDIF spec rfc2849 describes use of Base64 encoded values:
http://www.ietf.org/rfc/rfc2849.txt

There are online Base64 Encoders/Decoders such as below that can be used to decode your attribute values:
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
http://www.opinionatedgeek.com/dotnet/tools/Base64Encode/

After running these values through the decoder, you may find the values show that they all have a trailing whitespace and Per rfc2849, values or distinguished names that end with SPACE SHOULD be base-64 encoded. If your values have accent characters then they will also be Base64 encoded.