
Re: Copying SSHA userPassword from Oracle to OpenLDAP



Thanks All,

This has removed the decode error and cleaned up the script. Regrouping internally on remaining auth issues.

Regards,
Nick

-------- Original message --------
From: Ryan Tandy <ryan@nardis.ca>
Date: 1/22/19 10:22 PM (GMT-07:00)
To: Lucio De Re <lucio.dere@gmail.com>, Nicholas Carl <ncarl.personal@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP

On Wed, Jan 23, 2019 at 06:15:47AM +0200, Lucio De Re wrote:
>> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
>>
>> userPassword::
>> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>>
>I also get an invalid input. Little wonder it doesn't work:
>
>$ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ='
>| base64 -d
>{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
>It's not what you want, is it?
>
>$ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
>e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
>
>Was that "o" near the end a cut-n-paste error?

I suspect the LDIF output was line-wrapped and grep only captured the
first line.

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
=

$ ldapsearch -LLL -o ldif-wrap=no [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

OpenLDAP ldapmodify(1) prevents me from adding the invalid one:

$ ldapmodify [...]
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=

ldapmodify: invalid format (line 3) entry: "cn=test,dc=example,dc=com"

Nicholas: OpenLDAP ldapsearch(1) has '-o ldif-wrap=no' which can help
avoid this problem, as shown above. Otherwise you can filter the LDIF
through another command to unwrap the lines first, for example:

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword | perl -p0e 's/\n //g' | grep ^userPassword:
Enter LDAP Password:
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

Of course you should also request specific attributes on the ldapsearch
command line, rather than get all of them and grep for the single one
you want.

hope that helps,
Ryan
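An added worked example (my own Python, not code from Ryan or anyone on the list): it performs the same unwrap-then-decode step on the wrapped value quoted above, shows that the grep-truncated first line fails to decode just as base64 -d and ldapmodify reported, and splits the decoded {SSHA} value into its digest and salt so a migration script can sanity-check each copied hash before writing it. The password and salt in the self-test helpers are made up.

```python
import base64
import binascii
import hashlib
# Constructed sample: the ldapsearch output from the thread, with the value
# folded onto a continuation line (leading space) as LDIF does at 76 columns.
WRAPPED_LDIF = ("dn: cn=test,dc=example,dc=com\n"
                "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=\n"
                " =\n")

def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def is_valid_b64(s):
    """True if s decodes cleanly; a value cut off by grep fails on padding."""
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False

def ldif_attr(lines, name):
    """Decoded bytes of the first 'name:: <base64>' line, or None if absent."""
    for line in lines:
        if line.startswith(name + ":: "):
            return base64.b64decode(line[len(name) + 3:], validate=True)
    return None

def parse_ssha(value):
    """Split a {SSHA} userPassword into (20-byte SHA-1 digest, trailing salt)."""
    if not value.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[6:], validate=True)
    return raw[:20], raw[20:]

def make_ssha(password, salt):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt); salt e.g. os.urandom(8)."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt)

def check_ssha(value, password):
    """Recompute the salted SHA-1 and compare, to self-test a copied hash."""
    digest, salt = parse_ssha(value)
    return hashlib.sha1(password.encode() + salt).digest() == digest
```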