Re: Copying SSHA userPassword from Oracle to OpenLDAP



On Wed, Jan 23, 2019 at 06:15:47AM +0200, Lucio De Re wrote:
> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
>
> userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>
> I also get an invalid input. Little wonder it doesn't work:
>
> $ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=' | base64 -d
> {SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
> It's not what you want, is it?
>
> $ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
>
> Was that "o" near the end a cut-n-paste error?

I suspect the LDIF output was line-wrapped and grep only captured the first line.

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
=

$ ldapsearch -LLL -o ldif-wrap=no [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

OpenLDAP ldapmodify(1) prevents me from adding the invalid one:

$ ldapmodify [...]
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=

ldapmodify: invalid format (line 3) entry: "cn=test,dc=example,dc=com"

Nicholas: OpenLDAP ldapsearch(1) has '-o ldif-wrap=no' which can help avoid this problem, as shown above. Otherwise you can filter the LDIF through another command to unwrap the lines first, for example:

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword | perl -p0e 's/\n //g' | grep ^userPassword:
Enter LDAP Password:
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

Of course you should also request specific attributes on the ldapsearch command line, rather than get all of them and grep for the single one you want.

hope that helps,
Ryan
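As an added example, not code from the thread or from OpenLDAP: the unwrap-then-decode step Ryan describes, in Python. It unfolds RFC 2849 continuation lines the way the perl one-liner does, decodes the `::` base64 value strictly so the line cut by wrapping is rejected just as ldapmodify rejected it, and checks a {SSHA} value. The LDIF sample is constructed from the output quoted above; `make_ssha` and `verify_ssha` assume the usual {SSHA} layout of a 20-byte SHA-1 digest followed by the salt.

```python
import base64
import hashlib
import re

# Constructed LDIF sample modelled on the wrapped ldapsearch output quoted in the thread:
# RFC 2849 folds long lines and starts each continuation line with a single space.
WRAPPED_LDIF = (
    "dn: cn=test,dc=example,dc=com\n"
    "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=\n"
    " =\n"
)

def unfold_ldif(text):
    """Join continuation lines back onto their logical line (same job as perl -p0e 's/\\n //g')."""
    return re.sub(r"\n ", "", text).splitlines()

def parse_attrs(lines):
    """Return {name: bytes}; a '::' separator means the value is base64-encoded."""
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            # validate=True rejects stray characters; a value cut by wrapping fails with bad padding
            attrs[name] = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            attrs[name] = rest.strip().encode()
    return attrs

def userpassword_from(text, unfold=True):
    """Decoded userPassword, or None when the base64 is unusable (e.g. truncated by line wrapping)."""
    lines = unfold_ldif(text) if unfold else text.splitlines()
    try:
        return parse_attrs(lines).get("userPassword")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def make_ssha(password, salt):
    """Build a {SSHA} value in the common layout: base64(SHA-1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def verify_ssha(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith(b"{SSHA}"):
        return False
    blob = base64.b64decode(stored[6:], validate=True)
    digest, salt = blob[:20], blob[20:]
    return len(digest) == 20 and hashlib.sha1(password.encode() + salt).digest() == digest
```

Running `userpassword_from` with `unfold=False` reproduces the grep failure from the thread, while the unfolded parse recovers the complete `{SSHA}` value.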