Thanks Oliver!

Have the {SSHA} passwords synced but auth is still not working. Will reach out to oracle admins to make sure encryption is matching and they didn't change the password on me.

Regards,
Nick

-------- Original message --------
From: Olivier <Olivier.Nicole@cs.ait.ac.th>
Date: 1/22/19 6:43 PM (GMT-07:00)
To: Nicholas Carl <ncarl.personal@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP

Nicholas Carl <ncarl.personal@gmail.com> writes:

> Currently doing a targeted sync of userPassword field from one LDAP to another following this
> process.
>
> 1) Query using ldapsearch and grab userPassword field.
>
> 2) Decode string using base64 -d
>
> 3) Import resultant encrypted password into other ldap using ldapmodify.
>
> This process worked when the password decoded into {crypt} format, but after they upgraded and
> changed to {SSHA} format passwords, it no longer works. Also confirmed with Oracle LDAP
> admins that the decode matches our {SSHA} string.
>
> Is there some additional configuration information I need to request from the oracle
> LDAP server administrators for server or client config in openldap?
>
> # Querying other LDAP server
>
> $ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword
>
> userPassword::
> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>
> $ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword | base64 -d
>
> {SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
> ## After importing decrypted into new server, the encrypted string matches.
>
> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
>
> userPassword::
> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=

With OpenLDAP, the SSHA password MUST have the prefix {SSHA} before the
password string, ex:

userpassword: {SSHA}sOO2ymlVcl5RtKZnCq8moWc25cvXpaTu

If SSHA encryption is matching between Oracle and OpenLDAP, just add
that prefix and you should be OK.

Best regards,

Olivier
--
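As an added illustration of the sync described in this thread (not code from Olivier or from the OpenLDAP project), the script below parses a `userPassword::` line as ldapsearch prints it, checks that the decoded value is a well-formed RFC 2307 `{SSHA}` hash (base64 of SHA-1(password || salt) || salt), and builds the LDIF for ldapmodify so the `{SSHA}` prefix survives the copy. The function names, the sample DN and the test password are assumptions; the sample line is the one quoted in the thread.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"

def b64decode_lenient(text):
    """Decode base64 while tolerating missing '=' padding, which a wrapped or
    truncated LDIF value can leave behind and which base64 -d rejects."""
    text = "".join(text.split())
    return base64.b64decode(text + "=" * (-len(text) % 4))

def parse_userpassword(ldif_line):
    """Return the value from a userPassword LDIF line: 'attr:: data' is
    base64-encoded data (RFC 2849), 'attr: data' is the literal value."""
    _name, _sep, rest = ldif_line.partition(":")
    if rest.startswith(":"):                    # double colon -> base64
        return b64decode_lenient(rest[1:]).decode()
    return rest.strip()

def verify_ssha(stored, candidate):
    """Check a candidate password against an {SSHA} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("value lacks the {SSHA} scheme prefix")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes
    calc = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)

def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd -h {SSHA} does."""
    salt = os.urandom(4) if salt is None else salt
    raw = hashlib.sha1(password.encode() + salt).digest() + salt
    return SCHEME + base64.b64encode(raw).decode()

def modify_ldif(dn, ssha_value):
    """LDIF for ldapmodify that copies the hash verbatim, prefix included.
    Without a recognised scheme prefix slapd compares the stored value as
    cleartext, so a bare hash would never match the user's real password."""
    if not ssha_value.startswith(SCHEME):
        raise ValueError("refusing to import a hash without its scheme prefix")
    b64 = base64.b64encode(ssha_value.encode()).decode()
    return (f"dn: {dn}\nchangetype: modify\nreplace: userPassword\n"
            f"userPassword:: {b64}\n")

# Sample input taken from the thread (note the single trailing '=', one
# short of full padding); everything else here is constructed.
ORACLE_LINE = ("userPassword:: "
               "e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=")
```

Pipe the string returned by `modify_ldif` into `ldapmodify` instead of pasting the decoded hash by hand, and use `verify_ssha` with a known test account's password to confirm the two servers really share the same hash format before blaming a changed password.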