Nicholas Carl ncarl.personal@gmail.com writes:
Currently doing a targeted sync of userPassword field from one LDAP to another following this process.
Query using ldapsearch and grab userPassword field.
Decode string using base64 -d
Import resultant encrypted password into other ldap using ldapmodify.
This process worked when the password decoded into {crypt} format, but after they upgraded and changed to {SSHA} format passwords, it no longer works. Also confirmed with Oracle LDAP admins that the decode matches our {SSHA} string.
Is there some additional configuration information I need to request from the Oracle LDAP server administrators for server or client config in OpenLDAP?
# Querying other LDAP server
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword | base64 -d
{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
## After importing decrypted into new server, the encrypted string matches.
$ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
With OpenLDAP, the SSHA password MUST have the prefix {SSHA} before the password string, ex:
userpassword: {SSHA}sOO2ymlVcl5RtKZnCq8moWc25cvXpaTu
If SSHA encryption is matching between Oracle and OpenLDAP, just add that prefix and you should be OK.
Best regards,
Olivier
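Two details in the thread are worth making concrete: the LDIF double colon (`userPassword::`) means the attribute value is base64-wrapped, so the stored value is what comes out of the decode (here `{SSHA}...`), and the shell pipeline in the question feeds the whole `userPassword:: ` line to `base64 -d`, which is not valid base64 input. The script below is an added example written for this thread, not code from either poster. It parses an LDIF line in both the `::` and `:` forms, splits an `{SSHA}` payload into its SHA-1 digest and trailing salt (the layout OpenLDAP's SSHA scheme uses, where everything after the first 20 bytes is the salt, whatever its length), and produces or verifies such values. `PAGE_LDIF_LINE` is the value quoted in the question (with the `=` padding the mail dropped repaired); the passwords and salts used in `demo()` are constructed. Python 3 standard library only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # byte length of a SHA-1 digest

# The base64-wrapped LDIF line from the question (one trailing '=' was lost in transit).
PAGE_LDIF_LINE = (
    "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ="
)


def ldif_attribute_value(line: str) -> Tuple[str, str]:
    """Split one LDIF line into (attribute name, stored value).

    "attr:: <base64>" wraps the value in base64; "attr: <value>" is literal.
    Either way the returned value is what the directory actually stores.
    """
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        b64 = rest[1:].strip()
        b64 += "=" * (-len(b64) % 4)  # restore padding that mail clients sometimes drop
        value = base64.b64decode(b64).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip(), value


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a "{SSHA}<base64>" value.

    Payload layout: SHA-1(password + salt) followed by the salt. The salt is
    whatever follows the 20-byte digest, so its length is not fixed; slappasswd
    uses 4 bytes, the Oracle-generated value on the page carries 8.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: scheme prefix missing")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA payload too short to hold digest + salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a "{SSHA}..." value in the form OpenLDAP stores."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Parse the value from the question, then round-trip a constructed one."""
    attr, stored = ldif_attribute_value(PAGE_LDIF_LINE)
    digest, salt = split_ssha(stored)
    # Constructed password and salt, purely to show hashing and verification.
    made = ssha_hash("correct horse", b"\x01\x02\x03\x04")
    return {
        "attribute": attr,
        "stored_value": stored,
        "digest_len": len(digest),
        "salt_len": len(salt),
        "constructed_verifies": ssha_verify(made, "correct horse"),
        "wrong_password_verifies": ssha_verify(made, "wrong"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

When importing into OpenLDAP, the `ldapmodify` LDIF can carry the value either literally (`userPassword: {SSHA}...`, as in the reply) or base64-wrapped (`userPassword:: ...`); what matters is that the stored value itself begins with the `{SSHA}` scheme prefix, which `split_ssha` enforces.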