Hi All,
I am trying and writing a script to use ldapsearch. But I want to create a password file and use the "-y" option. I am unable to figure out how to create one.
==================================
ldapsearch -x -h <Machine> -p <port> -s one -D <CN> -b <BASE_DN> -y pwdfile -v "(&(cn=fm*))" cn
==================================
I tried the following.
1) I tried putting the plaintext password for <CN> in the file and it did not work.
2) I ran slappasswd to generate the hashed password for <CN> and directed the output to this file and it did not work.
3) The file permissions I tried are 700 and 600.
What is this "-y" option and am I interpreting it correctly? Is there a specific format that this file should be in?
Version Info:
==================================
$ rpm -qa|egrep openldap
openldap-clients-2.2.13-12.el4
openldap-2.2.13-12.el4
openldap-devel-2.2.13-12.el4
openldap-servers-2.2.13-12.el4
$
==================================
Any help is greatly appreciated.
-Sai
At Mon, 1 Jun 2009 02:40:57 -0400, Sai wrote:
> ldapsearch -x -h <Machine> -p <port> -s one -D <CN> -b <BASE_DN> -y pwdfile -v "(&(cn=fm*))" cn
The -D option takes DN, not CN.
> I tried the following.
> I tried putting the plaintext password for <CN> in the file and it did not work.
If the pwdfile contains LF (\x0a) or others, strip it. OpenLDAP ldap* commands use the entire contents in a pwdfile. I think this is a bad design...
Try:
$ (umask 0077; echo -n "DN's password" >pwdfile)
$
or:
$ tr -d '\n' <pwdfile \
  |ldapsearch -x -h <Machine> -p <port> -s one -D <DN> -b <BASE_DN> -y /dev/stdin
IIRC, older OpenLDAP ldap* commands cannot use /dev/stdin for the -y option.
Oops...
At Mon, 01 Jun 2009 22:07:46 +0900, SATOH Fumiyasu wrote:
> If the pwdfile contains LF (\x0a) or others, strip it. OpenLDAP ldap* commands use the entire contents in a pwdfile. I think this is a bad design...
> Try:
> $ (umask 0077; echo -n "DN's password" >pwdfile)
> $
$ ldapsearch -x -h <Machine> -p <port> -s one -D <DN> -b <BASE_DN> -y pwdfile
> or:
> $ tr -d '\n' <pwdfile \
>   |ldapsearch -x -h <Machine> -p <port> -s one -D <DN> -b <BASE_DN> -y /dev/stdin
> IIRC, older OpenLDAP ldap* commands cannot use /dev/stdin for the -y option.
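The two points made above (the -y file's entire contents are the password, so no trailing newline; create it with a restrictive umask) as an added example, not code from the thread. It is POSIX sh; the only assumptions are the function names and that GNU or BSD stat is available for the mode check.

```shell
#!/bin/sh
# Added example, not from the thread: build and check an ldapsearch -y
# password file. OpenLDAP clients send the file's bytes as-is, so a
# newline left by echo becomes part of the password and the bind fails.

# make_pwdfile FILE PASSWORD
# Writes PASSWORD to FILE with no newline, readable only by the owner.
make_pwdfile() {
    file=$1
    pass=$2
    # umask inside a subshell: file is created 0600, caller's umask untouched
    (umask 0077; printf '%s' "$pass" > "$file")
}

# pwdfile_ok FILE
# Returns 0 if FILE is non-empty, has no trailing line terminator and is
# not group/world readable; otherwise prints why and returns 1.
pwdfile_ok() {
    file=$1
    [ -s "$file" ] || { echo "$file: empty or missing" >&2; return 1; }
    # Last byte as octal: a newline shows up as 012, a carriage return as 015
    last=$(tail -c 1 "$file" | od -An -to1 | tr -d ' ')
    if [ "$last" = "012" ] || [ "$last" = "015" ]; then
        echo "$file: ends with a line terminator; ldapsearch would send it as part of the password" >&2
        return 1
    fi
    # Permission check: stat -c is GNU, stat -f %Lp is BSD/macOS
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode is too open, use 0600" >&2; return 1 ;;
    esac
    return 0
}

# Once pwdfile_ok passes, the search from the thread (placeholders kept) is:
#   ldapsearch -x -h <Machine> -p <port> -s one -D <DN> -b <BASE_DN> -y pwdfile -v "(&(cn=fm*))" cn
```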
Hi Fumiyasu,
That worked. I was thinking of the extra lines at the end but I was not thinking about the line end characters.
Thanks once again.
I suppose it should only contain plain text and not any encrypted / hashed form? I tried the hashed form generated by slappasswd but in vain.
If you think there is any other option, please let me know.
-To love is to risk not being loved in return. To hope is to risk pain. To try is to risk failure, but risk must be taken because the greatest hazard in life is to risk nothing.
Thanks,
-Sai
-----Original Message-----
From: SATOH Fumiyasu [mailto:fumiyas@osstech.jp]
Sent: Monday, June 01, 2009 9:10 AM
To: Sai; openldap-technical@openldap.org
Subject: Re: using -y option for ldapsearch