Currently doing a targeted sync of userPassword field from one LDAP to another following this process.
1) Query using ldapsearch and grab userPassword field.
2) Decode string using base64 -d
3) Import resultant encrypted password into other ldap using ldapmodify.
This process worked when the password decoded into {crypt} format, but after they upgraded and changed to {SSHA} format passwords, it no longer works. Also confirmed with Oracle LDAP admins that the decode matches our {SSHA} string.
*Is there some additional configuration information I need to request from the oracle LDAP server administrators for server or client config in openldap?*
# Querying other LDAP server
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword | base64 -d
{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
## After importing decrypted into new server, the encrypted string matches.
$ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
With OpenLDAP, the SSHA password MUST have the prefix {SSHA} before the password string, ex:
userpassword: {SSHA}sOO2ymlVcl5RtKZnCq8moWc25cvXpaTu
If SSHA encryption is matching between Oracle and OpenLDAP, just add that prefix and you should be OK.
Best regards,
Olivier
--On Wednesday, January 23, 2019 8:43 AM +0700 Olivier Olivier.Nicole@cs.ait.ac.th wrote:
With OpenLDAP, the SSHA password MUST have the prefix {SSHA} before the password string, ex:
userpassword: {SSHA}sOO2ymlVcl5RtKZnCq8moWc25cvXpaTu
Which the decoded value already has. In the past, just using the value "as-is" from Oracle has worked for me, so not clear to me why they are hitting any issue.
mime-decode e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ= '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg=='
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Thanks Olivier! Have the {SSHA} passwords synced but auth is still not working. Will reach out to Oracle admins to make sure encryption is matching and they didn't change the password on me.
Regards,
Nick

-------- Original message --------
From: Olivier Olivier.Nicole@cs.ait.ac.th
Date: 1/22/19 6:43 PM (GMT-07:00)
To: Nicholas Carl ncarl.personal@gmail.com
Cc: openldap-technical@openldap.org
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP
On 1/22/19, Nicholas Carl ncarl.personal@gmail.com wrote:
# Querying other LDAP server
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
$ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword | base64 -d
{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
## After importing decrypted into new server, the encrypted string matches.
$ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
I also get an invalid input. Little wonder it doesn't work:
$ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=' | base64 -d
{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
It's not what you want, is it?
$ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
Was that "o" near the end a cut-n-paste error?
On Wed, Jan 23, 2019 at 06:15:47AM +0200, Lucio De Re wrote:
$ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
I also get an invalid input. Little wonder it doesn't work:
$ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=' | base64 -d
{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
It's not what you want, is it?
$ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
Was that "o" near the end a cut-n-paste error?
I suspect the LDIF output was line-wrapped and grep only captured the first line.
$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
 =

$ ldapsearch -LLL -o ldif-wrap=no [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==
OpenLDAP ldapmodify(1) prevents me from adding the invalid one:
$ ldapmodify [...]
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
ldapmodify: invalid format (line 3) entry: "cn=test,dc=example,dc=com"
Nicholas: OpenLDAP ldapsearch(1) has '-o ldif-wrap=no' which can help avoid this problem, as shown above. Otherwise you can filter the LDIF through another command to unwrap the lines first, for example:
$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword | perl -p0e 's/\n //g' | grep ^userPassword:
Enter LDAP Password:
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==
Of course you should also request specific attributes on the ldapsearch command line, rather than get all of them and grep for the single one you want.
hope that helps,
Ryan
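As an added example (not code from the thread or from OpenLDAP), the following Python does offline what Ryan's perl one-liner and Olivier's prefix check do by hand: it unfolds LDIF continuation lines, decodes the `userPassword::` value, rejects the truncated first-line-only value that grep produced, and checks that the result is a well-formed {SSHA} value (base64 of a 20-byte SHA-1 digest followed by the salt, which is OpenLDAP's {SSHA} layout), so a synced hash can be sanity-checked before suspecting the directory. SAMPLE_LDIF is constructed from the thread's own folded value; `make_ssha` and `check_ssha` are my helpers for round-trip verification, not part of any tool in the thread.

```python
import base64
import binascii
import hashlib

# Constructed sample: the LDIF exactly as ldapsearch folds it, using the
# thread's own value; the second line starts with one space (continuation).
SAMPLE_LDIF = (
    "dn: cn=test,dc=example,dc=com\n"
    "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=\n"
    " =\n"
)

def unfold_ldif(text):
    """Join folded lines: a line beginning with one space continues the
    previous one (same effect as Ryan's perl -p0e 's/\\n //g')."""
    return text.replace("\n ", "")

def get_attr(ldif, name):
    """First value of `name`; '::' marks base64. None if absent or if the
    base64 is malformed (what grep hands you from a folded value)."""
    for line in unfold_ldif(ldif).splitlines():
        if line.startswith(name + ":: "):
            try:
                return base64.b64decode(line[len(name) + 3:], validate=True).decode()
            except (binascii.Error, UnicodeDecodeError):
                return None
        if line.startswith(name + ": "):
            return line[len(name) + 2:]
    return None

def parse_ssha(value):
    """Split an OpenLDAP {SSHA} value, base64(SHA-1(pw + salt) + salt), into
    (digest, salt); None without the {SSHA} prefix or with a short body."""
    if not value.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True)
    except binascii.Error:
        return None
    return (raw[:20], raw[20:]) if len(raw) > 20 else None

def make_ssha(password, salt):
    """Build an {SSHA} value (hypothetical helper for round-trip checks)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(value, password):
    """True if `password` verifies against the stored {SSHA} value."""
    parsed = parse_ssha(value)
    return parsed is not None and hashlib.sha1(password.encode() + parsed[1]).digest() == parsed[0]
```

Feeding the unfolded thread value through `parse_ssha` yields a 20-byte digest and an 8-byte salt, the shape OpenLDAP expects; a value that fails `parse_ssha` will never authenticate no matter how cleanly it was copied.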
Thanks all, this has removed the decode error and cleaned up the script. Regrouping internally on remaining auth issues.
Regards,
Nick

-------- Original message --------
From: Ryan Tandy ryan@nardis.ca
Date: 1/22/19 10:22 PM (GMT-07:00)
To: Lucio De Re lucio.dere@gmail.com, Nicholas Carl ncarl.personal@gmail.com
Cc: openldap-technical@openldap.org
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP