ldap tools using -y for password file

Discuss the problems related to use of an open source implementation of the Lightweight Directory Access Protocol on OpenVMS.
Post Reply
User avatar

Topic author
dave669
Newbie
Posts: 3
Joined: Wed Apr 01, 2020 9:00 am
Reputation: 0
Status: Offline

ldap tools using -y for password file

Post by dave669 » Wed Apr 01, 2020 10:02 am

Hi,
Awesome job on porting OpenLDAP, I really appreciate it.
I'm trying to use the ldap tools with -y to specify a file that contains the simple bind password instead of using -w to put it on the command line. I can't seem to get it to work. I thought maybe the file needed to be in a certain format but changing it to STMLF didn't seem to work for me. What is the trick or is this a bug in the ported code?
For example:

This works:

$ ldapsearch -x "-LLL" "-D" "xxxxxxxx" -w "some_pass_here" samaccountname=some_random_name title
dn: CN=some_random_name,OU=groupname,DC=domain_controller,DC=internal_group_name,DC=net
title: internal_company_position

# refldaps://some_domain_name/DC=DomainDnsZones,DC=
domain_controller,DC=internal_group_name,DC=net

But this doesn't:

$ ldapsearch -x "-LLL" "-D" "xxxxxxxx" -y ldap_passwd.txt samaccountname=some_random_name memberOf
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580

The password is in mixed case. I tried putting the password exactly like that in the file and even within double quotes and still no luck.

Any help would be appreciated.

Thanks,
Dave
Last edited by marty.stu on Thu Oct 27, 2022 9:24 am, edited 2 times in total.


gil
VSI Expert
Visitor
Posts: 2
Joined: Thu Apr 02, 2020 3:05 am
Reputation: 0
Status: Offline

Re: ldap tools using -y for password file

Post by gil » Thu Apr 02, 2020 3:46 am

Hello Dave,
We fixed similar problem for password files that specified as file link in ldifs. It is possible that in your case the same problem.
If it so we fix it in the nearest future.

Please check your password file info:
dir/full ldap_passwd.txt
....
Record format: VFC, 2 byte header, maximum 0 bytes, longest 5 bytes
....

If the file record format is similar to yours than it is the same problem.

Workaround for this problem is to create a file with the next record format:
Record format: Variable length, maximum 0 bytes, longest 4 bytes

Usually the VFS record format have files that were created by PIPE output redirection PIPE .... > file.txt
If you create file by edit file and if the problem that I described above it will be ok with password reading.

Regards, Eugeny

User avatar

Topic author
dave669
Newbie
Posts: 3
Joined: Wed Apr 01, 2020 9:00 am
Reputation: 0
Status: Offline

Re: ldap tools using -y for password file

Post by dave669 » Mon Apr 13, 2020 10:03 am

Hi,
Thanks for the reply. I had created the file with an editor and it now has these attributes:

File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 64, Extend: 0, Global buffer count: 0, Version limit: 3
Record format: Stream_LF, maximum 0 bytes, longest 11 bytes
Record attributes: None

And it is still giving the "Invalid credentials" error...

Regards,
Dave

Added in 1 hour 10 minutes 58 seconds:
Sorry.. and this is the original file attributes that also gives the error:

File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 64, Extend: 0, Global buffer count: 0, Version limit: 3
Record format: Variable length, maximum 0 bytes, longest 11 bytes
Record attributes: Carriage return carriage control
Last edited by marty.stu on Thu Oct 27, 2022 9:04 am, edited 1 time in total.


paul.nunez
VSI Expert
Contributor
Posts: 17
Joined: Tue Aug 27, 2019 11:46 am
Reputation: 0
Status: Offline

Re: ldap tools using -y for password file

Post by paul.nunez » Fri Apr 17, 2020 10:42 am

FWIW, I couldn't get the -y <pswd-filename> option to work either; tried all sorts of record formats and record attributes on the password file, but a network trace shows the password sent to the ldap server ends with either a Carriage Return character or CR/LF characters.

There may be some DECC$* feature logical name that helps, but I couldn't figure it out...


paul.nunez
VSI Expert
Contributor
Posts: 17
Joined: Tue Aug 27, 2019 11:46 am
Reputation: 0
Status: Offline

Re: ldap tools using -y for password file

Post by paul.nunez » Fri May 01, 2020 12:21 pm

In the end we found a file with a record format of Undefined and record attributes of None works with the -y option. Engineering plans to address this in a future release.

$ type undef.fdl
IDENT FDL_VERSION 02 "30-APR-2020 15:41:49 OpenVMS ANALYZE/RMS_FILE Utility"

SYSTEM
SOURCE OpenVMS

FILE
ORGANIZATION sequential

RECORD

FORMAT undefined

$ create/fdl=undef.fdl passwd.dat
$ set file/attrib=rat:none passwd.dat
$ edit/edt passwd.dat
*C
yourpassword
Ctrl/Z
*Exit

Post Reply