Nicholas Carl <[email protected]> writes:
>
> Currently doing a targeted sync of the userPassword field from one LDAP to
> another following this process.
>
> 1) Query using ldapsearch and grab userPassword field.
>
> 2) Decode string using base64 -d
>
> 3) Import resultant encrypted password into other ldap using ldapmodify.
>
> This process worked when the password decoded into {crypt} format, but after
> they upgraded and changed to {SSHA} format passwords, it no longer works. Also
> confirmed with Oracle LDAP admins that the decode matches our {SSHA} string.
>
> Is there some additional configuration information I need to request from the
> Oracle LDAP server administrators for server or client config in OpenLDAP?
>
> # Querying other LDAP server
>
> $ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword
>
> userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>
> $ ldapsearch -h oracleServer -D - -w - -b - "uid=-" | grep ^userPassword |
> base64 -d
>
> {SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
> ## After importing the decrypted value into the new server, the encrypted string matches.
>
> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
>
> userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
With OpenLDAP, the SSHA password MUST have the prefix {SSHA} before the
password string, e.g.:
userpassword: {SSHA}sOO2ymlVcl5RtKZnCq8moWc25cvXpaTu
If SSHA encryption matches between Oracle and OpenLDAP, just add
that prefix and you should be OK.
Best regards,
Olivier
--
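Added example, not part of the thread above: a small Python script that separates the two encoding layers in play. The `::` in the ldapsearch output is LDIF's marker (RFC 2849) for a base64-encoded value, i.e. transport encoding only; decoding it yields the stored value itself, the `{SSHA}` string, which in turn is base64 of SHA1(password || salt) with the salt appended. The verifier here accepts any salt length (Olivier's sample decodes to 24 bytes, a 4-byte salt as OpenLDAP's slappasswd produces; the exported value above decodes to 28 bytes, an 8-byte salt), refuses a value that has lost its `{SSHA}` prefix, and emits the `ldapmodify` input that writes the hash back unchanged. The DN, password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest length in bytes; whatever follows it is the salt


def ldif_attribute(line):
    """Split one LDIF line into (attribute, value).

    'attr:: <base64>' (double colon) means the value is base64-encoded for
    transport, which is how ldapsearch prints userPassword. Decoding it gives
    the stored value, here a '{SSHA}...' string, not a plaintext password.
    Feeding the whole line to 'base64 -d' fails because the attribute name and
    colons are not valid base64; only the part after ':: ' should be decoded.
    """
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-compatible {SSHA} value.

    {SSHA} = '{SSHA}' + base64(SHA1(password || salt) || salt).
    OpenLDAP's slappasswd uses a random 4-byte salt; other directory servers
    use longer salts, and ssha_verify() below accepts any length.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check a candidate password against a stored {SSHA} value.

    Returns False when the scheme prefix is missing: OpenLDAP then treats the
    value as a literal cleartext password, so a bind with the real password
    fails even though the hash bytes are correct.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def modify_ldif(dn, stored):
    """Build the ldapmodify input that writes the hash unchanged, prefix kept.

    '{' is LDIF-safe, so the value can be written with a single colon; the
    server stores the string as-is and recognises the {SSHA} scheme on bind.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {stored}",
        "",
    ])


def sync_entry(ldif_line, dn, known_password):
    """Decode the exported line, confirm the hash verifies, emit the LDIF."""
    attr, stored = ldif_attribute(ldif_line)
    if attr != "userPassword":
        raise ValueError(f"unexpected attribute {attr!r}")
    if not ssha_verify(stored, known_password):
        raise ValueError("hash does not verify; check the scheme prefix and salt handling")
    return modify_ldif(dn, stored)


# Constructed sample data (not from the thread): an 8-byte salt, as a
# non-OpenLDAP server might use, and a test account's known password.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_STORED = ssha_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
# What ldapsearch would print for that value: base64 of the {SSHA} string.
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(SAMPLE_STORED.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(sync_entry(SAMPLE_LDIF_LINE, "uid=jdoe,ou=people,dc=example,dc=com", SAMPLE_PASSWORD))
```

Verifying a test account's hash with `ssha_verify()` before import is the check that "SSHA encryption matches" between the two servers; if it passes and a bind still fails after import, look at what `ldapsearch` on the target returns and confirm the `{SSHA}` prefix survived the decode/import round trip.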