Thanks All,

This has removed the decode error and cleaned up the script. Regrouping internally on remaining auth issues.

Regards,
Nick

-------- Original message --------
From: Ryan Tandy <[email protected]>
Date: 1/22/19 10:22 PM (GMT-07:00)
To: Lucio De Re <[email protected]>, Nicholas Carl <[email protected]>
Cc: [email protected]
Subject: Re: Copying SSHA userPassword from Oracle to OpenLDAP

On Wed, Jan 23, 2019 at 06:15:47AM +0200, Lucio De Re wrote:
>> $ ldapsearch -h openLDAPServer -D - -w - "uid=-" | grep ^userPassword
>>
>> userPassword::
>> e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
>>
>I also get an invalid input. Little wonder it doesn't work:
>
>$ echo 'e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=' | base64 -d
>{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input
>
>It's not what you want, is it?
>
>$ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64
>e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo=
>
>Was that "o" near the end a cut-n-paste error?

I suspect the LDIF output was line-wrapped and grep only captured the first line.

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
 =

$ ldapsearch -LLL -o ldif-wrap=no [...] -b cn=test,dc=example,dc=com userPassword
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

OpenLDAP ldapmodify(1) prevents me from adding the invalid one:

$ ldapmodify [...]
Enter LDAP Password:
dn: cn=test,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=
ldapmodify: invalid format (line 3) entry: "cn=test,dc=example,dc=com"

Nicholas: OpenLDAP ldapsearch(1) has '-o ldif-wrap=no' which can help avoid this problem, as shown above. Otherwise you can filter the LDIF through another command to unwrap the lines first, for example:

$ ldapsearch -LLL [...] -b cn=test,dc=example,dc=com userPassword | perl -p0e 's/\n //g' | grep ^userPassword:
Enter LDAP Password:
userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ==

Of course you should also request specific attributes on the ldapsearch command line, rather than get all of them and grep for the single one you want.

hope that helps,
Ryan
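The unwrap-then-validate step described in the thread, as an added Python example that is not part of the original messages: it unfolds wrapped LDIF, strictly decodes `userPassword`, and checks that the `{SSHA}` value splits into a 20-byte SHA-1 digest plus salt before it is loaded into the target directory. The function names are hypothetical and the sample LDIF is constructed from the values quoted above.

```python
import base64
import re

# Constructed sample: the wrapped LDIF from the thread. A continuation line
# starts with exactly one space (RFC 2849 line folding).
WRAPPED_LDIF = (
    "dn: cn=test,dc=example,dc=com\n"
    "userPassword:: e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQ=\n"
    " =\n"
)


def unfold(ldif):
    """Join folded LDIF lines, like perl -p0e 's/\\n //g' in the thread."""
    return re.sub(r"\r?\n ", "", ldif)


def user_passwords(ldif):
    """Return userPassword values as bytes; raise ValueError on bad base64."""
    values = []
    for line in ldif.splitlines():
        m = re.match(r"userPassword(::?) ?(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        if m.group(1) == "::":
            # validate=True rejects stray characters; truncated padding also raises
            values.append(base64.b64decode(m.group(2), validate=True))
        else:
            values.append(m.group(2).encode())
    return values


def parse_ssha(value):
    """Split a {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not value.upper().startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[6:], validate=True)
    if len(raw) <= 20:
        raise ValueError("too short: missing digest or salt")
    return raw[:20], raw[20:]


if __name__ == "__main__":
    for value in user_passwords(unfold(WRAPPED_LDIF)):
        digest, salt = parse_ssha(value)
        print(value.decode(), "digest bytes:", len(digest), "salt bytes:", len(salt))
    try:
        user_passwords(WRAPPED_LDIF)  # what grep saw: first physical line only
    except ValueError as exc:
        print("wrapped line rejected:", exc)
```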
