diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f07bbbfc5..21e50dbcd 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1631,7 +1631,6 @@ static int ipapwd_SetPassword(struct ipapwd_data *data)
 	struct ntlm_keys ntlm;
 	int ntlm_flags = 0;
 	Slapi_Value *sambaSamAccount;
-	char *userpwd;
 
 	krberr = krb5_init_context(&krbctx);
 	if (krberr) {
@@ -1701,15 +1700,10 @@ static int ipapwd_SetPassword(struct ipapwd_data *data)
 		free(password);
 	}
 
-	/* use the default configured encoding */
-	userpwd = slapi_encode(data->password, NULL);
-	if (!userpwd) {
-		slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to make userPassword hash\n");
-		ret = LDAP_OPERATIONS_ERROR;
-		goto free_and_return;
-	}
-
-	slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "userPassword", userpwd);
+	/* let DS encode the password itself, this allows also other plugins to
+	 * intercept it to perform operations like synchronization with Active
+	 * Directory domains through the replication plugin */
+	slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "userPassword", data->password);
 
 	/* set password history */
 	pwvals = ipapwd_setPasswordHistory(smods, data);