
ldap tools using -y for password file

Posted: Wed Apr 01, 2020 10:02 am
by dave669
Hi,
Awesome job on porting OpenLDAP, I really appreciate it.
I'm trying to use the ldap tools with -y to specify a file that contains the simple bind password instead of using -w to put it on the command line. I can't seem to get it to work. I thought maybe the file needed to be in a certain format but changing it to STMLF didn't seem to work for me. What is the trick or is this a bug in the ported code?
For example:

This works:

$ ldapsearch -x "-LLL" "-D" "xxxxxxxx" -w "some_pass_here" samaccountname=some_random_name title
dn: CN=some_random_name,OU=groupname,DC=domain_controller,DC=internal_group_name,DC=net
title: internal_company_position

# refldaps://some_domain_name/DC=DomainDnsZones,DC=domain_controller,DC=internal_group_name,DC=net

But this doesn't:

$ ldapsearch -x "-LLL" "-D" "xxxxxxxx" -y ldap_passwd.txt samaccountname=some_random_name memberOf
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580

The password is in mixed case. I tried putting the password exactly like that in the file and even within double quotes and still no luck.

Any help would be appreciated.

Thanks,
Dave

Re: ldap tools using -y for password file

Posted: Thu Apr 02, 2020 3:46 am
by gil
Hello Dave,
We fixed a similar problem for password files that are specified as file links in LDIFs. It is possible that in your case it is the same problem.
If it is so, we will fix it in the near future.

Please check your password file info:
dir/full ldap_passwd.txt
....
Record format: VFC, 2 byte header, maximum 0 bytes, longest 5 bytes
....

If the file record format is similar to yours, then it is the same problem.

The workaround for this problem is to create a file with the following record format:
Record format: Variable length, maximum 0 bytes, longest 4 bytes

Usually the VFC record format is found in files that were created by PIPE output redirection: PIPE .... > file.txt
If you create the file with an editor, and if it is the problem that I described above, the password reading will be OK.

Regards, Eugeny

Re: ldap tools using -y for password file

Posted: Mon Apr 13, 2020 10:03 am
by dave669
Hi,
Thanks for the reply. I had created the file with an editor and it now has these attributes:

File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 64, Extend: 0, Global buffer count: 0, Version limit: 3
Record format: Stream_LF, maximum 0 bytes, longest 11 bytes
Record attributes: None

And it is still giving the "Invalid credentials" error...

Regards,
Dave

Added in 1 hour 10 minutes 58 seconds:
Sorry... and these are the original file attributes that also give the error:

File organization: Sequential
Shelved state: Online
Caching attribute: Writethrough
File attributes: Allocation: 64, Extend: 0, Global buffer count: 0, Version limit: 3
Record format: Variable length, maximum 0 bytes, longest 11 bytes
Record attributes: Carriage return carriage control

Re: ldap tools using -y for password file

Posted: Fri Apr 17, 2020 10:42 am
by paul.nunez
FWIW, I couldn't get the -y <pswd-filename> option to work either; tried all sorts of record formats and record attributes on the password file, but a network trace shows the password sent to the ldap server ends with either a Carriage Return character or CR/LF characters.

There may be some DECC$* feature logical name that helps, but I couldn't figure it out...

Re: ldap tools using -y for password file

Posted: Fri May 01, 2020 12:21 pm
by paul.nunez
In the end we found a file with a record format of Undefined and record attributes of None works with the -y option. Engineering plans to address this in a future release.

$ type undef.fdl
IDENT FDL_VERSION 02 "30-APR-2020 15:41:49 OpenVMS ANALYZE/RMS_FILE Utility"

SYSTEM
SOURCE OpenVMS

FILE
ORGANIZATION sequential

RECORD

FORMAT undefined

$ create/fdl=undef.fdl passwd.dat
$ set file/attrib=rat:none passwd.dat
$ edit/edt passwd.dat
*C
yourpassword
Ctrl/Z
*Exit
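The two findings in this thread (Paul's network trace showing the password sent with a trailing CR or CR/LF, and the Undefined/RAT:NONE workaround) both come down to the same thing: ldapsearch's `-y` uses the complete contents of the file as the bind password, as documented in ldapsearch(1), so any line terminator an editor or a record-oriented file system leaves at the end becomes part of the credential. The script below is an added example, not code from the thread or from the OpenLDAP port; it inspects a password file byte by byte and reports what the bind would actually send, and writes a file that holds the password and nothing else. The password "Secret123" and the file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# OpenLDAP's -y option passes the *complete* file contents to the bind as
# the password (ldapsearch(1)), so anything an editor or a record-oriented
# file system appends (CR, LF or CR/LF) becomes part of the credential and
# the server answers "Invalid credentials (49)".
LINE_ENDINGS = (b"\r\n", b"\n", b"\r")


def trailing_line_ending(data: bytes) -> bytes:
    """Return the CR/LF sequence data ends with, or b'' if there is none."""
    for ending in LINE_ENDINGS:
        if data.endswith(ending):
            return ending
    return b""


def inspect_password_bytes(data: bytes) -> dict:
    """Describe exactly what ldapsearch -y would send as the bind password."""
    ending = trailing_line_ending(data)
    # any non-printable byte anywhere in the file, not only at the end
    control = sorted({b for b in data if b < 0x20 or b == 0x7F})
    return {
        "length": len(data),             # compare with 'longest N bytes' in DIR/FULL
        "trailing_line_ending": ending,  # b'' is what you want
        "control_bytes": control,        # [] is what you want
        "clean": ending == b"" and not control,
    }


def inspect_password_file(path) -> dict:
    """Read the file in binary mode (no newline translation) and inspect it."""
    return inspect_password_bytes(Path(path).read_bytes())


def write_password_file(path, password: str) -> int:
    """Create an owner-only file holding the password and nothing else.

    Binary mode is deliberate: text mode on some platforms translates or
    appends line terminators, which is exactly the failure being avoided.
    Returns the number of bytes written (assumed here: a Unix-style file
    system where the 0o600 mode is honoured).
    """
    data = password.encode("utf-8")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    # Constructed demonstration: "Secret123" is a made-up password.
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "editor_made.txt"
        bad.write_bytes(b"Secret123\r\n")   # what an editor or echo typically leaves behind
        good = Path(tmp) / "passwd.dat"
        write_password_file(good, "Secret123")
        for name in (bad, good):
            print(name.name, inspect_password_file(name))
```

Run it against the file you intend to pass to `-y` (it reports whatever a byte-wise read of that file returns, so on OpenVMS run it on the same file the ldap tools will open). A `length` one or two bytes longer than the password, or a non-empty `trailing_line_ending`, is the symptom from the trace above; `clean: True` means the bind will see only the password.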