I was in the unfortunate situation that i needed to fix an ldap server, specifically fixing a 'login failed' situation. There was only one problem, i had fucking clue how ldap is configured, or even working. Also, i didn't knew any passwords. But i had a user account on the system and google.
This article may be used as a quickstart for using (or hacking open) LDAP server installations.
Finding what you need
For working with the ldap you will need to find the configuration of the ldap server. The Solaris server was running an old version (current_ldap is a lie of course) of OpenLDAP bundled in the customized application. The process list showed something like this: /opt/somewhere/current_ldap/libexec/sldap ldap:// ldaps:// ...
As the ldap configuration most of the time resides somewhere in <ldap-installation>/etc/openldap/sldap.conf this was my first lucky guess.
The configuration file was readable for every user on the server (duh!) and contained the following interesting parameters:
...
database: bdb
rootdn: "cn=master,dc=company-name,dc=com"
rootpw {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Cracking LDAP passwords
As i needed full write-access to the ldap server, i threw the root password into john-the-ripper:
The pass-file:
rootpw:{SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Running john:
# john pw
Loaded 1 password hash (Salted SHA-1 [128/128 SSE2 intrinsics 4x])
newuser (rootpw)
guesses: 1 time: 0:00:00:00 DONE (Mon Feb 24 23:10:02 2014) c/s: 66860
trying: ncc1701d - pat
Use the "--show" option to display all of the cracked passwords reliab
After a whopping , ummm, 0 seconds i recovered the root password. But this was not really what was looking for, i wanted to make the GUI user log in again. The server provides the tool ldaplist which lists all ldap entries.
The ldap client was somehow correctly configured in /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred so the root password was not needed for that. Look somewhere else how to configure this damn client :D.
Find the troublesome account
ldaplist -v returned all entries for all ldap users. There are also lots of examples of how to use the ldaplist to query specific informations. I knew i had to change the password for the gui user but it seemed like the user was also blocked from logging into the gui:
user@ldapsrv$ ldaplist -v
...
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
uid: appadmin
cn: appadmin
...
userPassword: {crypt}J6vlYXRU.sW8c
isLocked: TRUE
ldaplist -v returned the hashes for all users so we could try to crack them similar to the root password one but the appadmin was additionally locked even if we recover the password
Fix the raw LDAP entries
For modifying ldap entries there is ldapmodify which will either take commands via stdin or via file. For this tool we need the ldap root password an I used direct command entry like this:
user@ldapsrv$ ldapmodify -D "<rootdn>" -w "<rootpw>"
# input follows:
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}cfCIXzBdyEzqcINQ0IT4gNFMupac1Yq2
Ctrl-d
dn: uid=appadmin,ou=appuser,dc=company-name,dc=com
changetype: modify
replace: isLocked
isLocked: FALSE
Ctrl-d
Ctrl-d
At first i replace the userPassword with one we know (in this case the root user). After that i set the isLocked Variable from TRUE to FALSE. Now i could finally use the GUI and log in as the appadmin user with the password we just cracked.
Wrap-up
OpenLDAP can be pretty handsome after a bit reading the fucking manual. It is also a great idea to leave config files unprotected in order to recover root passwords as an ordinary user.
Comments