perl + ldap + userPassword hash

ANU · 10-26-2006, 09:14 AM

hello all

i might need some help with the LDAP perl modules/libraries
im trying to get (remotely) the users password hash from an LDAP server where the password is encrypted. I need this to be able to copy the users information and his hash to my local LDAP server.
I did not figured out how i can do this
i was trying to get some information about the users with
Mozilla::LDAP
but i dont see any argument that would give me the users password hash
maybe NET::LDAP can do the trick

the thing is like this locally when i exec the command
ldapsearch -D "cn=directory manager" -w secretpass -b "ou=people,dc=home,dc=com" uid=*

i get the list of users with that field named userPassword

Code:

dn: uid=wagner,ou=People,dc=home,dc=com
loginShell: /bin/ksh
gidNumber: 1001
objectClass: top
objectClass: account
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /home/*****
cn: ****
givenName: ****
uidNumber: *****
gecos: *****
sn: *****
uid: ****
userPassword: {SSHA}oEx4GlxT+q16S/D3TGZAK50mdMhwZlBGtgiTEw==

im interested how i can get this fields userPassword value with some Perl libraries/functions not with ldapsearch

druuna · 10-26-2006, 10:49 AM

Hi,

You can indeed use Net::LDAP.

Basically you need to set up the connections first, something like this:

Code:

# ------------------------------------------------------------------ #
# - connectToLdap - Open a connection to ldap instance
# ------------------------------------------------------------------ #
sub connectToLdap {
  # connect to instance
  $ldapConn = Net::LDAP->new ($confValues{localAdminIP},
                              port=>$confValues{ldapPort});
  # ooops
  die "Can't connect to $instanceName" unless $ldapConn;

  # bind with credentials
  $ldapConn->bind (dn=>$confValues{ldapBindDn},
                   password=>$confValues{ldapMasterPasswd});
}

Then you can do your searches/modifications.
A search example:

Code:

# ------------------------------------------------------------------ #
# - Search - Search connection tree for given attribute
# ------------------------------------------------------------------ #
sub conTreeSearch {
  # search db
  $ctsResult = $ldapConn->search (base   => "$confValues{ldapBase}",
                                  scope  => "sub",
                                  filter => "(attribute=$_)",
                                  attrs  => ["otherattribute"]);
  $ctEntry = $ctsResult->entry(0);
}

And finally you close the connection again:

Code:

 # close session
$ldapConn->unbind;

As you probably noticed $confValues{<sometoken>} is filled with the actual entries .

Hope this helps.