How to see ldapAgentPassword of ldap configuration in plaintext - owncloud

We have LDAP authentication configured in our owncloud and cannot remember the password for our ldap backend anymore. I have found the ldap_agent_password setting in the database which seems to store an encrypted string of that password.
How to display the password in plain text?

The ldap password isn't stored encrypted, instead it's only encoded with base64.
To fetch it from the database use the following query:
SELECT * FROM oc_appconfig WHERE appid='user_ldap' AND configkey='ldap_agent_password';
Copy the configvalue and paste it in the following command:
echo "VALUE" | base64 -d
For example if the query returns dGVzdDQyCg== execute:
echo "dGVzdDQyCg==" | base64 -d
which will return test42.

Related

want to run command from outside Postgresql and want to store password in encrypted format?

I want to write a script that will check whether replication is on or not, so I wrote the command in a script:- PGPASSWORD='********' psql -U user_name -p 54032 -c "select * from pg_stat_replication" -d postgres
but I want to encrypt the password for security purposes so I did MD5 encryption and put the hash of it.
PGPASSWORD='a67a4e657061eac2036a88ec523dbbbb' psql -U user_name -p 54032 -c "select * from pg_stat_replication" -d postgres
It's not working Please help me.
There is no way to avoid having a clear text password somewhere, either on the command line or in the environment or in a password file.
If you want to authenticate without a clear text password anywhere, use certificate authentication with a client certificate.

GNU SED for getting username and password for a particular SID from a file

Environment:
We have ~100 databases hosted on multiple machines. All databases have different username and different password on every database.
Issue:
How can I read the username and password and TNS (Service name) from an external file one by one and connect to the each database and run the sql query and pass the output to a logfile.
What is done so far:
Created pass file that contains password, Service_Name, Username and delimiter ":"
cat pass
Loufr#123:PROD:User1
Brinj#6523:TEST:User2
Another file dblist is created with all the dbnames (that matches the service names) in step 1
cat dblist
PROD
TEST
DEV
QA
Quality
Goal:
read name of the database from dblist and find the username and password from pass file for that database.
Use dbname with username and password to connect to database in following string
while read TNS from dblist
sqlplus -s /nolog
connect ${Username}#${TNS}/${Password}
spool output.log
#query.sql
exit
You can parse the file pass this way (replace all the : with spaces and initialize the positional parameters with the resulting tokens):
while read TNS from dblist; do
set -- $(sed -n "/:$TNS:/{s,:, ,gp}" pass)
sqlplus -s /nolog
connect ${1}#${2}/${3}
spool output.log
#query.sql
exit
done

How to make ldap evaluate clear text password vs DES stored password

I use openldap slapd 2.4.40 and postgresql9.2.23 as back-sql on CentoS 6.9
user and password for LDAP uid and userPassword are stored in postgresql by DES encoding.
Original clear text is JacicFk5
DES encoded/encrypted text is IfjFxsltK/MPE which stored in DB.
I can see the user information as the result of ldapseach by stored password.
ldapsearch -x -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w IfjFxsltK/MPE '(&(uid= HDZZZ0R0N)(objectClass=*))'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(uid= HDZZZ0R0N)(objectClass=*))
# requesting: ALL
#
# user01, people, example.com
dn: uid= HDZZZ0R0N,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
sn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
uid: HDZZZ0R0N
userPassword:: SWZqRnhzbHRLL01QRQ==
However, I can’t do ldapsearch by original clear text password
ldapsearch -x -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'
ldap_bind: Invalid credentials (49)
Does anyone tell me how to make ldapsearch to resolve given password by clear text and stored password by DES encoding?
I’d like to know is how to make plaintext JacicFk5 from ldapseach command-line to hash IfjFxsltK/MPE and make it match against IfjFxsltK/MPE in DB as userPassowrd.
Is there suitable directive for ldap.conf or slapd.conf?
I've checked followings .
echo "SWZqRnhzbHRLL01QRQ==" |perl -MMIME::Base64 -ne 'print decode_base64($_) . "\n"'
it returns IfjFxsltK/MPE
perl -e 'print("userPassword: {crypt}".crypt("JacicFk5","If")."\n");'
it returns userPassword: {crypt}IfjFxsltK/MPE
One more info.
my ldapseach can solve password text for users stored in AD server via ownclod.
What you want/need to have is a LDAP simple authentication. Please first note that it is unsecure to store passwords in plaintext!
First you need to test what auth mechanisms you have supported/allowed.
An example:
tukanos#localhost:~# ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
Now you want to change the onfiguration via ldapmodify. You prepare a LDIF file (LDIF stands for LDAP Data Interchangable Format) with configuration.
Prepare your configuration file you can name it olcSaslSecProps.ldif:
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
What the properties mean:
noanonymous ... no anonymous connection allowed
minssf=0 ... that defines your effective encryption strength (0 ... no encryption)
passcred ... that would allow password to work as for credentials
To quote the OpenLDAP security considerations
Security Strength Factors
The server uses Security Strength Factors (SSF) to indicate the
relative strength of protection. A SSF of zero (0) indicates no
protections are in place. A SSF of one (1) indicates integrity
protection are in place. A SSF greater than one (>1) roughly
correlates to the effective encryption key length. For example, DES is
56, 3DES is 112, and AES 128, 192, or 256.
A number of administrative controls rely on SSFs associated with TLS
and SASL protection in place on an LDAP session.
security controls disallow operations when appropriate protections are
not in place. For example:
security ssf=1 update_ssf=112
requires integrity protection for all operations and encryption
protection, 3DES equivalent, for update operations (e.g. add, delete,
modify, etc.). See slapd.conf(5) for details.
Now to apply the LDIF file:
ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
Now to restart the slapd daemon:
systemctl restart slapd
If you check now your configuration you should get LOGIN and PLAIN:
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
Now your search should work with plain test password:
ldapsearch -x -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'

Postgres: MD5 Password / Plain password

I'm trying to understand how role passwords are supposed to operate in Postgres.
https://www.postgresql.org/docs/current/static/sql-createrole.html says for ENCRYPTED / UNENCRYPTED
If the presented password string is already in MD5-encrypted format, then it is stored encrypted as-is,
So my unencrypted password is: MyPassword .
The MD5 hash of "MyPassword" is 48503dfd58720bd5ff35c102065a52d7
If I do
-- See https://www.postgresql.org/docs/9.6/static/sql-alterrole.html
ALTER ROLE "MeOhMy"
LOGIN
PASSWORD '48503dfd58720bd5ff35c102065a52d7'
;
And then attempt to use "MyPassword" when doing
sudo -u postgres psql meohmy -h 127.0.0.1 -d meohmy_development
I, of course, first get prompted for my sudo password and then I get prompted by Postgres "Password for meohmy"
If I enter MyPassword I get
FATAL: password authentication failed for user "ralph#dos32.com"
If I enter, instead, 48503dfd58720bd5ff35c102065a52d7 then I can sign in.
What am I not understanding?
To create an md5 password for PostgreSQL, the formula is:
"md5" + md5(password + username)
Here are 3 ways you can create one, where the username is "admin" and the password is "password123"...
Linux:
# echo -n "md5"; echo -n "password123admin" | md5sum | awk '{print $1}'
md53f84a3c26198d9b94054ca7a3839366d
NOTE: The -n is critical to avoid including the newline character in your hash!
MacOS:
➜ echo -n "md5"; md5 -qs "password123admin"
md53f84a3c26198d9b94054ca7a3839366d
Python 2:
>>> import hashlib
>>> print("md5" + hashlib.md5("password123" + "admin").hexdigest())
md53f84a3c26198d9b94054ca7a3839366d
Python 3:
as above, but use binary strings
print("md5" + hashlib.md5(b"password123" + b"admin").hexdigest())
Postgresql hashed passwords have md5 prefix:
md548503dfd58720bd5ff35c102065a52d7
Using Postgres11 on GCP Cloud SQL. Gitlab version gitlab-ee 13.3.4 Omnibus install
# gitlab-ctl pg-password-md5 gitlab_user
Enter password:
Confirm password:
and
# echo -n <password for gitlab_user>gitlab_user | md5sum
are equivalent.
Note: My db user is gitlab_user
The answer provided by #zerkms is partially correct. It led me to the right answer.
The answer provided in Generating postgresql user password is the answer that works for me.

How to use pg_dump with a connection uri / url?

I can invoke psql like this:
psql postgres://...
How can I use pg_dump with a connection string in the format postgres://...?
Would be more convenient than breaking URI's into host, post, username, password.
Is there syntax for this?
pg_dump postgres://username:password#my_postgres_server:5432/databasename
I just downloaded a dump using this format.
Optionally you can add -f filename to specify a local filename.
This is for newer versions of pg_dump:
pg_dump -d postgres://username:password#my_postgres_server:5432/databasename > filename