Thanks All,

This has removed the decode error and cleaned up the script. Regrouping internally on remaining auth issues.

Regards,
Nick

-------- Original message --------
From: Ryan Tandy ryan@nardis.ca
Date: 1/22/19 10:22 PM (GMT-07:00)
To: Lucio De Re lucio.dere@gmail.com, Nicholas Carl ncarl.personal@gmail.com
Cc: openldap-technical@openldap.org
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP

On Wed, Jan 23, 2019 at 06:15:47AM +0200, Lucio De Re wrote:
> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
> userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>
> I also get an invalid input. Little wonder it doesn't work:
>
> $ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=' | base64 -d
> {SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
> It's not what you want, is it?
>
> $ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
>
> Was that "o" near the end a cut-n-paste error?
I suspect the LDIF output was line-wrapped and grep only captured the first line.
$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
 =

$ ldapsearch -LLL -o ldif-wrap=no [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==
OpenLDAP ldapmodify(1) prevents me from adding the invalid one:
$ ldapmodify [...]
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=

ldapmodify: invalid format (line 3) entry: "cn=test,dc=example,dc=com"
Nicholas: OpenLDAP ldapsearch(1) has '-o ldif-wrap=no' which can help avoid this problem, as shown above. Otherwise you can filter the LDIF through another command to unwrap the lines first, for example:
$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword | perl -p0e 's/\n //g' | grep ^userPassword:
Enter LDAP Password:
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==
Of course you should also request specific attributes on the ldapsearch command line, rather than get all of them and grep for the single one you want.
hope that helps,
Ryan
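The LDIF folding that bit this thread, shown as an added example (not code from the thread or from OpenLDAP): a continuation line in LDIF starts with one space, so a grep on the first physical line gets a truncated base64 value that no longer decodes, while unfolding first recovers the full {SSHA} hash. The sample LDIF below is constructed to reproduce the folded ldapsearch output quoted above; the function names are my own.

```python
import base64
import binascii

# Constructed sample reproducing the folded ldapsearch output from the thread:
# LDIF folds long lines and marks a continuation with one leading space, so
# the final "=" of the base64 value lands on its own physical line.
WRAPPED_LDIF = (
    "dn: cn=test,dc=example,dc=com\n"
    "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=\n"
    " =\n"
)

def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space extends the previous one."""
    logical = []
    for physical in text.splitlines():
        if physical.startswith(" ") and logical:
            logical[-1] += physical[1:]
        else:
            logical.append(physical)
    return logical

def parse_ldif_attrs(text):
    """Return (name, value) pairs from unfolded LDIF; '::' values are base64-decoded."""
    attrs = []
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("::")
        if sep:
            # validate=True rejects stray characters instead of silently dropping them
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        else:
            name, _, value = line.partition(":")
            decoded = value.strip()
        attrs.append((name, decoded))
    return attrs

def decode_first_physical_line(text):
    """Mimic 'grep ^userPassword' on folded output, which sees only the first
    physical line; returns None when the truncated base64 does not decode."""
    for physical in text.splitlines():
        if physical.startswith("userPassword::"):
            value = physical.partition("::")[2].strip()
            try:
                return base64.b64decode(value, validate=True).decode("utf-8")
            except binascii.Error:
                return None
    return None
```

Calling decode_first_physical_line(WRAPPED_LDIF) returns None, the same failure base64 -d reported above, while dict(parse_ldif_attrs(WRAPPED_LDIF))["userPassword"] yields the complete {SSHA} value that ldapmodify accepts.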