Hi All,

I was just given a task to synchronize user accounts from OUD to MSAD. Since
Oracle's own synchronization tool (Oracle Directory Integration Platform)
currently does not support password synchronization from OUD to MSAD, I
googled for alternatives and found LSC instead. I have to say that this
tool is so simple yet powerful and sufficient for my needs.

However, I'm still struggling with synchronizing passwords from OUD to MSAD. I
have tested the password generated in MSAD and have no issue using
AD.getUnicodePwd(); it works. But I still fail to decrypt the
userPassword attribute from the source OUD. I have switched the password
storage scheme to AES-128 and regenerated the userPassword to force
encryption instead of hashing. I have also found the encryption keys on
the server and put them in the lsc.key file.

ERROR - Error while synchronizing ID {cn=okky}:
org.lsc.exception.LscServiceException: javax.script.ScriptException:
sun.org.mozilla.javascript.internal.WrappedException: Wrapped
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16
when decrypting with padded cipher (<Unknown source>#5) in <Unknown source>
at line number 5

1. I think it tells me to pad the source userPassword before decrypting.
How can I do that in an LSC script?

2. The userPassword in the source is {AES}$sometextEndedWith==, do I have
to pass all the text or only the $sometextEndedWith== to LSC?

3. I found the encryption keys under cn=admin data like this, what values
should I put inside the lsc.key?

dn: ds-cfg-key-id=$configIdString,cn=secret keys,cn=admin data
ds-cfg-key-length-bits: 128
ds-cfg-initialization-vector-length-bits: 128
ds-cfg-key-id: $configIdString
ds-cfg-symmetric-key: $someString:RSA/ECB/OAEPWITHSHA-1ANDM
 GF1PADDING:AES:$soManyString
objectClass: top
objectClass: ds-cfg-cipher-key
ds-cfg-cipher-transformation-name: AES/CFB/NoPadding


Thank you.
Best regards,
Okky Hendriansyah
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users