The value of the element MUST be computed according to the following algorithm:
Concatenate the Stream ID received from the server with the password.
Hash the concatenated string according to the SHA1 algorithm, i.e., SHA1(concat(sid, password)).
Ensure that the hash output is in hexidecimal format, not binary or base64.
Convert the hash output to all lowercase characters.
Unless you are storing plain text passwords in LDAP, there is no way to extract the users password to match hashes. Typically, an ldap server will store the userPassword attribute as an MD5, crypt or SHA1 hash.
The best way to authenticate against an LDAP Directory is to do a bind as that user to the directory. To do that will require a plain text password passed from the client to the server to do a simple bind.
Note: This doesn’‘t mean it has to be insecure. You can connect to Jive using SSL from your client, and Jive can connect to the LDAP server using SSL also, so even though you’‘re passing a plain text password, it isn’'t sent over the wire over an unsecure channel. You can even turn off the plain socket and just have Jive listening on 5223 for SSL connections exclusively.
Perhaps once sasl authentication is implemented, and more clients support it, that will be another option.
Hope that helps,