OID accounts


TeePee
10-11-2005, 10:27 PM
Hi,
I have some troubles with OID accounts... Is there a tool (or PL/SQL code)
that could help retrieving account settings and password?

Thanks!

Laurenz Albe
10-12-2005, 02:38 AM
TeePee <tplassart@yahoo.fr> wrote: I have some troubles with OID accounts... Is there a tool (or PL/SQL code) that could help retrieving account settings and password?

Strictly speaking, there is no 'account' in LDAP, you can 'bind' (as the
technical term goes) as any distinguished name if you have the permissions.

You can use 'ldapsearch' to find all attributes of a person (I assume
that you are looking for persons).

Be sure that you use Oracle's ldapsearch.

Examples:

ldapsearch -D cn=orcladmin -w <password> -U 1 \
-b '<distinguished name of the person>' -s base '(objectclass=person)'

will list all attributes of this person.

ldapsearch -D cn=orcladmin -w <password> -U 1 \
-b '' -s sub '(objectclass=person)' ''

will list the distinguished names of all persons in the directory.

(The -U 1 option assumes that you have SSL set up. You can omit it if
you don't mind sending your admin password over the net.)

Two things that I should mention:

- No unencrypted password is stored in OID, so you cannot retrieve them.
- There is no entry 'cn=orcladmin' in OID. I think that this is a
weirdness of OID. Does anybody have a clue why?

Yours,
Laurenz Albe

Thierry PLASSART
10-19-2005, 10:51 PM
Thanks for your help Albe! It has been very useful!
I agree that '- No unencrypted password is stored in OID, so you cannot
retrieve them.'
but I was wondering where could be the API which should be able to de-scramble
encrypted password (as the Oracle Directory Manager permits to store
password that can be decrypted... (there's such a checkbox))
Does anyone have the algorithm?

"Laurenz Albe" <invite@spam.to.invalid> wrote in message
news:1129113521.905647@proxy.dienste.wien.at... [quoted reply of 10-12-2005 snipped]

Laurenz Albe
10-20-2005, 12:34 AM
Thierry PLASSART <thierry.plassart@wanadoo.fr> wrote: Thanks for your help Albe! It has been very useful! I agree that '- No unencrypted password is stored in OID, so you cannot retrieve them.' but I was wondering where could be the API which should be able to de-scramble encrypted password (as the Oracle Directory Manager permits to store password that can be decrypted... (there's such a checkbox)) Does anyone have the algorithm?

The documentation does not say very much about it, so I went ahead and
tried:

Your Password Policy needs to have 'reversibly encrypted passwords' enabled.

Then I created a user with a password.

According to the documentation the encrypted password is stored in the
orclrevpwd attribute, which can only be queried via SSL.

I did, and guess what: it contained the CLEARTEXT password!

I am using OID 10.1.2.0.2 (the currently latest version).

Maybe I should open a TAR for that...

Yours,
Laurenz Albe
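The thread's two practical points are that ldapsearch can dump every attribute of a person entry, and that once reversible password storage is enabled the orclrevpwd attribute (readable over SSL) held the cleartext. An administrator would want to check a directory export for exactly that exposure. The script below is an added example, not code from the thread or from Oracle: it parses an LDIF dump such as the output of the ldapsearch commands above (handling base64 `::` values and folded lines), and flags entries that carry orclrevpwd or a userpassword value with no hashing-scheme prefix. The attribute name orclrevpwd comes from the thread; the list of scheme prefixes treated as hashed, and the sample entries, are constructed for the example.

```python
"""Audit an LDIF export for password attributes that should not be readable.

Added example, not code from the thread or from Oracle. It flags entries that
carry the reversible password attribute named in the thread (orclrevpwd) or a
userpassword value stored without a hashing scheme prefix.
"""
import base64

# Attribute holding the reversibly encrypted password (name taken from the thread).
REVERSIBLE_ATTRS = {"orclrevpwd"}
PASSWORD_ATTRS = {"userpassword"}
# Scheme prefixes accepted as "hashed". Assumption: illustrative list, not OID's.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{MD5}", "{SMD5}", "{CRYPT}")

# Constructed sample export: alice is hashed, bob has orclrevpwd ("secret-value"),
# carol's userpassword is base64 of the literal "plaintext".
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
objectclass: person
cn: alice
description: long value folded acr
 oss lines
userpassword: {SSHA}c2FsdGVkaGFzaHZhbHVlMDEyMw==

dn: cn=bob,cn=users,dc=example,dc=com
objectclass: person
cn: bob
userpassword: {SSHA}YW5vdGhlcnNhbHRlZGhhc2g=
orclrevpwd:: c2VjcmV0LXZhbHVl

dn: cn=carol,cn=users,dc=example,dc=com
objectclass: person
cn: carol
userpassword:: cGxhaW50ZXh0
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts.

    Unfolds continuation lines (leading space), decodes '::' base64 values and
    lower-cases attribute names, since LDAP attribute names are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # fold continuation onto previous line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        if current is None:
            current = {}
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_entry(entry):
    """Return finding strings for one entry; an empty list means it is clean."""
    findings = []
    dn = entry.get("dn", ["<no dn>"])[0]
    for attr in sorted(REVERSIBLE_ATTRS & entry.keys()):
        findings.append(f"{dn}: reversible password attribute '{attr}' present")
    for attr in sorted(PASSWORD_ATTRS & entry.keys()):
        for value in entry[attr]:
            if not value.upper().startswith(HASHED_SCHEMES):
                findings.append(f"{dn}: '{attr}' value has no hashing scheme prefix")
    return findings


def audit_ldif(text):
    """Audit every entry in an LDIF text and return all findings."""
    return [f for entry in parse_ldif(text) for f in audit_entry(entry)]


if __name__ == "__main__":
    for finding in audit_ldif(SAMPLE_LDIF):
        print(finding)
```

Run it against a real export by reading the ldapsearch output from a file and passing it to audit_ldif. Because orclrevpwd is only returned over SSL, an export taken without -U 1 will not show the attribute at all, so a clean result from a non-SSL dump says nothing about whether reversible storage is enabled.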

