26

How am I supposed to pass a password to ldapsearch using the -y <password file> option?
If I write the password in the password file in plain text, I get this error:

ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

The same happens if I use the -w <password> option.

EDIT:
The command I'm running is

ldapsearch -x -D <my dn> -y .pass.txt -h server.x.x -b "dc=x,dc=y" "cn=*"

Where the file .pass.txt contains my password, in plain text. Both the DN and the password are correct. If I run the command with the -W option and type the password on the prompt the command runs successfully, but I would like to store the password somehow to make a script.

Paolo Tedesco
  • What kind of "password file" are you using? You may want to show us the complete command you are typing. Are you using correct bind credentials? – solefald May 11 '10 at 16:27

5 Answers

30

Keep in mind that ldapsearch will use the entire contents of the file for the password--which means it WILL include a terminating newline character if one exists. To verify if this is in fact your problem, try creating a file without one:

echo -n ThisIsaBadPassword > .pass.txt

(UPDATE: Included '-n')

Garen
sysadmin1138
2

Assuming it is the newline/carriage return, try the following:

cat .pass.txt | tr -d '\n\r' > .pass2.txt

Then use the .pass2.txt file. You can always check for new lines and carriage returns with cat -vE and they will show up as $ and ^M respectively.

You could also probably do -y <(cat .pass.txt | tr -d '\n\r') directly in the ldapsearch command.

Kyle Brandt
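Garen's and Kyle Brandt's answers both come down to the same check: does the password file end in a byte that ldapsearch will treat as part of the password? The script below is an added example, not code from either answer, that makes that check explicit, cleans the file in place with mode 0600, and shows the process-substitution variant so a cleaned password never has to be written to a second file. It assumes bash with coreutils (tail, od, tr, mktemp, wc); the LDAPPASS variable and the bind DN, URI and base DN passed to ldap_bind_from_var are placeholders, not values from the question.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): detect and strip a trailing
# LF/CR from an ldapsearch -y password file, and hand the password to
# ldapsearch over a pipe instead of a cleaned copy on disk.
# Assumes bash + coreutils. DN/URI/base passed to ldap_bind_from_var and the
# LDAPPASS variable are assumptions, not values from the post.

set -u

# Returns 0 if the last byte of the file is LF (0a) or CR (0d), i.e. a byte
# ldapsearch -y would send as part of the bind password; 1 otherwise.
has_trailing_eol() {
    local last
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Writes the file contents with every CR and LF removed to stdout.
strip_eol() {
    tr -d '\n\r' < "$1"
}

# Rewrites the password file in place without CR/LF, creating the temp file
# with mode 0600 so the password is never world-readable, even briefly.
clean_password_file() {
    local src=$1 tmp
    tmp=$(mktemp "${src}.XXXXXX") || return 1
    chmod 600 "$tmp"
    strip_eol "$src" > "$tmp" && mv "$tmp" "$src"
}

# Binds with a password held in $LDAPPASS. printf '%s' adds no newline
# (unlike echo on some shells), and process substitution hands the bytes to
# ldapsearch through a pipe, so nothing is written to a file or shown in
# the process table. Arguments are placeholders supplied by the caller.
ldap_bind_from_var() {
    local bind_dn=$1 uri=$2 base=$3
    ldapsearch -x -D "$bind_dn" -H "$uri" -b "$base" \
        -y <(printf '%s' "$LDAPPASS") "cn=*"
}

# Demonstration on a constructed file (created here, not taken from the post):
# write the password the way a bare `echo` would, then detect and fix it.
demo() {
    local f
    f=$(mktemp)
    printf 'ThisIsaBadPassword\n' > "$f"
    if has_trailing_eol "$f"; then
        echo "trailing newline present: $(wc -c < "$f" | tr -d ' ') bytes"
        clean_password_file "$f"
    fi
    echo "after cleaning: $(wc -c < "$f" | tr -d ' ') bytes"
    cat -vE "$f"; echo          # a clean file shows no trailing $ or ^M
    rm -f "$f"
}
```

Run `demo` to see the 19-byte file become 18 bytes; `cat -vE` is the same check Kyle Brandt's answer describes, and has_trailing_eol is the scriptable form of it. For a real bind, export LDAPPASS (for example from `read -s LDAPPASS`) and call ldap_bind_from_var with your own DN, URI and base.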
0

Combining answers from @Brian Showalter, Kyle Brandt and others, the desirable solution is:

read -s LDAPPASS
echo -n "$LDAPPASS" | ldapsearch -x -D $MYDN -y /dev/stdin -h $MYSERVER -b $MYBASE "cn=*"

LDAPPASS is in the user's environment, which on modern Linux systems is secure enough. The echo is internal and not ever visible in the process table, which means ldapsearch gets the information through a secure channel, and it is not leaked anywhere on disk (unless of course your process gets swapped during execution).

Otheus
0

ldapsearch -x -D cn=Manager,dc=domain,dc=com -y pass.txt -H ldap://ldap.domain.com -b dc=domain,dc=com

You might have to chmod 600 pass.txt

quanta
hfranco
-1

There's no need to dump the password into an actual file. Just echo it with the -n flag to prevent the newline, then read it in from the STDIN file descriptor (/dev/fd/0) as follows:

echo -n 'mypassword' | ldapsearch -x -D <my dn> -y /dev/fd/0 -h server.x.x -b "dc=x,dc=y" "cn=*"
Brian Showalter