On 15/01/2016 04:35, Okky Hendriansyah wrote:
Hi All,

Hi,


I was just given a task to synchronize user accounts from OUD to MSAD. Since Oracle's own synchronization tool (Oracle Directory Integration Platform) currently does not support password synchronization from OUD to MSAD, I googled for alternatives and found LSC instead. I have to say that this tool is so simple yet powerful and sufficient for my needs.

Great!


However, I'm still struggling to synchronize passwords from OUD to MSAD. I have tested the password generated in MSAD and have no issue using AD.getUnicodePwd(); it works. But I still fail to decrypt the userPassword attribute from the source OUD. I have switched the password storage scheme to AES-128 and regenerated the userPassword to force encryption instead of hashing. I have also found the encryption keys on the server and put them in the lsc.key file.

ERROR - Error while synchronizing ID {cn=okky}: org.lsc.exception.LscServiceException: javax.script.ScriptException: sun.org.mozilla.javascript.internal.WrappedException: Wrapped javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher (<Unknown source>#5) in <Unknown source> at line number 5

1. I think it tells me to pad the source userPassword before decrypting. How can I do that in an LSC script?

Create a dataset for userPassword and work on the value before passing it to decrypt method.


2. The userPassword in the source is {AES}$sometextEndedWith==, do I have to pass all the text or only the $sometextEndedWith== to LSC?

You should only use the encrypted value, without the {AES}


3. I found the encryption keys under cn=admin data like this, what values should I put inside the lsc.key?

dn: ds-cfg-key-id=$configIdString,cn=secret keys,cn=admin data
ds-cfg-key-length-bits: 128
ds-cfg-initialization-vector-length-bits: 128
ds-cfg-key-id: $configIdString
ds-cfg-symmetric-key: $someString:RSA/ECB/OAEPWITHSHA-1ANDM
 GF1PADDING:AES:$soManyString
objectClass: top
objectClass: ds-cfg-cipher-key
ds-cfg-cipher-transformation-name: AES/CFB/NoPadding



I have no idea.


--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
