I am providing -w "LDAP server password" in commandline but i am getting error . ldap_bind: Invalid credentials (49).
So basically I am trying to achieve this - A user can reset its password by running a small script but i don't want to expose LDAP password to him . so storing it in script only .
A very simple script -
uid="$USER"
echo "Welcome" $uid ;
ldappasswd -x -S -D "cn=xxx,dc=xxxxx,dc=xxx" -W -h 'IP address of LDap server' "uid=".$USER.",ou=xxxx,dc=xxx,dc=xxxx" -w "LDAP server password"
Please let me know if there is any other way to achieve this .
Thanks,
Use either -w <newpassword> to provide the password on the command line, or -W to get prompted, but not both. Also, you need to put options in front of arguments. Try ldappasswd -x -w "LDAP server password" -S -D "cn=xxx,dc=xxxxx,dc=xxx" -h 'IP address of LDap server' "uid=$USER,ou=xxxx,dc=xxx,dc=xxxx". Note i removed the dots from around $USER, you need them in perl but not in the shell.
But note that if you put this in a script, your users will need read permission on the script, or the shell won't execute it. Which means they will be able to cat the script and see the password. One workaround would be to make the script rx to the root user only, and allow sudo <yourscript> without password. Also, noone will prevent a user from changing his $USER variable, so your script is easy to hack - better parse the output of the id command, and make sure you don't use root if you do the sudo workaround.
Related
I know that this question has been proposed several times (https://superuser.com/questions/606252/how-to-use-sshpass-for-chained-connection and https://unix.stackexchange.com/questions/320412/how-to-use-sshpass-to-supply-a-password-on-the-second-ssh-hop) but all the solutions that I've found until know are not working.
I'm tryng to access a third machine (third#machine) by using sshpass in order to not be prompted to insert a password. However,it is mandatory to use a bridge machine (bridge#machine) before entering the final one.
Each time I need to enter the passwords for the bridge#machine and for the third#machine, so my workflow is:
ssh bridge#machine
insert password:
ssh third#machine
insert password
Until now, I was able to avoid the first password by using sshpass in the proxycommand inside the ~.ssh/config file as follow:
vi ~.ssh/config :
Host *.reference
User example_user
ProxyCommand sshpass -p $bridge_machine_password$ ssh -o StrictHostKeyChecking=no bridge#machine "nc -w 60 `basename %h .reference` %p"
and contemporary I've define an alias named "curie" in the .bashrc file which is:
alias curie='ssh third#machine.reference'
So if run the alias curie I'm able to avoid the first password but I'm still prompted for the password of the third#machine.
For this reason I've tried to use sshpass to access the third#machine in the following manner:
>sshpass -p 'third_machine_password' ssh -oProxyCommand="ssh -W %h:%p bridge#machine" third#machine
Unfortunately, this gives back :
Permission denied, please try again.
Could be a restriction imposed by the third#machine or I'm doing something wrong?
if your password contains special characters such as $...
eg abcd#1234$$ then use \ with the special character....add this \ before each $$....it worked for me
Find a solution:
created firstly in the config file the proxy command
Host *.reference
User bridge
ProxyCommand sshpass -p passwd_bridge_machine2 ssh -o StrictHostKeyChecking=no bridge#machine2 "nc -w 60 `basename %h .ciment` %p"
after this command set in the config I created the alias in the .bashrc file:
alias curie='sshpass -p passw_third#machine3 ssh third#machine3.reference'
It is important to add the .reference line because it will firstly call the proxycommand in the config file and then use the sshpass in the alias. Once everything is settled it is only necessary to run the alias in the terminal to open the third machine withou any password.
Hope it helped someone else
I tried to delete one of my Jelastic environments by means of the following API call:
curl -k \
-H "${CONTENT_TYPE}" \
-A "${USER_AGENT}" \
-X POST \
-fsS ${HOSTER_URL}/1.0/environment/control/rest/deleteenv -d "password=${password}&session=${session}&envName=${envName}
where I am sure that the session and envName are correct, as I have other commands running perfectly well with them. In particular, I get the session in the following way:
getSession() {
local login=$1
local password=$2
local hosterUrl=$3
echo "Signing in..." >&2
local cmd=$(curl -k -H "${CONTENT_TYPE}" -A "${USER_AGENT}" -X POST \
-fsS "$hosterUrl/1.0/users/authentication/rest/signin" -d "login=$login&password=$password");
exitOnFail $cmd
echo "Signed in" >&2
echo $(jq '.session' <<< $cmd | sed 's/\"//g')
}
In the call to deleteenv, I provide the very same password as that of my Jelastic provider account. Indeed, when I want to delete an environment through Jelastic's dashboard, this is the password I need to provide to make the deletion happen. However, I get the following error:
{"result":801,"source":"hx-core","error":"invalid password"}
Because the password field is documented as optional in Jelastic's API documentation, I tried not to set the password. This yields the following error:
{"result":3,"source":"JEL","error":"invalid parameter [password] for method [DeleteEnv] in service [ControlService]"}
I tried to use other secrets as that password, like the APPID, without any success.
Does anyone have a clue what password I need to put there?
We used the same oneliner based on API you used, your script to get a session and the same Jelastic version but were not able to reproduce this issue. Environment were successfully deleted.
Does anyone have a clue what password I need to put there?
This is the same password as you used to get session or to enter Dashboard. Make sure there are no additional symbols in your password variable.
Because the password field is documented as optional
Indeed, it's optional if use token instead of session. In case of session, password is an obligatory parameter.
Here is my LDAP ORG Structure:
I created user with first, last name with password. But it is not working when am trying to connect using jdbc. Error says invalid credentials. Then I tried ldapsearch as follows:
I followed this process for users and group creation:
root#ip:/home# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
root#ip:/# ldapsearch -x -LLL -h ip -D username -w password -b"cn=admin,dc=ivhdev,dc=local" -s sub "(objectClass=*)" "givenName=username*"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Please suggest/correct me, if am passing the right info in DN syntax. I am unable to validate the user credentials with their name and password.
The -D option takes the DN for logging in to your LDAP server.
The -b option takes the search base in your LDAP tree where you want to search for the user's given name.
So, your ldapsearch command becomes:
ldapsearch -x -LLL -h ip -D 'cn=admin,dc=ivhdev,dc=local' -w password -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=username*'
If you use the Apache Directory Studio (http://directory.apache.org/studio/) you can see the actual ldapsearch commands used by the application. Maybe this is useful for anyone.
I have currently installed OID (Oracle Internet Directory) and created some roles and users in them. I intend to access them using LDAP commands.
$ldapbind -p <port_number> -h <ip> -D "cn=orcladmin"
bind sucessful
$ ldapsearch -h <port_number> -p <ip> "dc=<name>"
ldap_search: Inappropriate authentication
ldap_search: additional info: Server is Configured to Deny Anonymous Binds
Is there something I am missing ?
On your ldapsearch command, add the -D "cn=orcladmin" for who you are binding as, -w "Password" or -W to prompt at run time. Probably you want a -b "ou=Base,dc=DNtoSearch" and then your filter as you have it.
You need to bind each time.
Anyone knows how to ssh / su - by passing the password initially itself?
Like:
ssh username#hostname -p [password]
pbrun su - unix_owner -p [password]
How can I achieve this?
It shouldn't popup for password or any RSA authentication like yes/no.
I think you will probably need a sudoers file to get stuff done in a su like manner without being prompted for a password.
I have never used ssh without a password prompt, but found this which suggests it can be done...
passing a password in clear text is not intended by ssh.
Try to learn about ssh key authentication (google would help), you won't need to type your password anymore.
ok, more detailed, try this:
on the remote machine
> mkdir -p ~/.ssh #if neccessary
> touch ~/.ssh/authorized_keys2
> chmod go-rwx $HOME/.ssh/authorized_keys2
on your local machine:
> ssh-keygen # if neccessary
> cat ~/.ssh/id_rsa.pub | ssh root#remotehost "cat >> .ssh/authorized_keys2 && chmod 0600 ~/.ssh/authorized_keys2"
A better approach would be using ssh keys, like other answers recommend, but if you really need it, you can use expect for that.
Just create a expect.file like this one:
#!/usr/bin/env expect
set username youruser
set pass yourpassword
set host yourhost
spawn ssh ${username}#${host}
expect -re "password:"
send "${pass}\r"
expect -re "$"
interact
and execute it:
expect expect.file
Can't do it. You're invoking the passwd program on the remote machine. If it had a way to change a password without prompting for the old one, ANYONE could change your password if they got onto your console. You'd still need to pass the password in over the ssh link
As for SSH, you could use RSA keys, and those won't prompt you for passwords.
As for SU, it would have to be hardcoded or you would have to create your own application to serve as a wrapper of sorts.
I don't think you can pass in password directly to the ssh command (It will be stored in your history otherwise). Why don't you use keys to skip the authentication prompt.