April 25th, 2014

LDAP password audit and general hackery

I have a few smaller tools/scripts I’m going to be posting in the near future on a new hackery page. Some of these are random things that don’t quite deserve a whole project page, but I still wanted to put a general reference together.

The first thing I’m putting up is a small tool that will dump out a unix-like password file given a LDAP database dump in LDIF format. The point of this is so that you can audit your LDAP passwords with something like john the ripper. Here’s an example usage:

usage: ./ldap-passwd-dump.py <ldif file> <output password file> [<user matchString>]
       example: ./ldap-passwd-dump.py ldif.out passwd.txt "^ou: MyGroup"
       (matchString default is "objectClass: posixAccount")

# Dump the initial database with slapcat
$ slapcat > ldap.out
$ ./ldap-passwd-dump.py ldap.out pw.out
[*] Adding new user [New User, newuser] to results
[*] Adding new user [A User, auser] to results
[*] newuser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::New User
[*] auser:$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx:::A User
[*] Wrote [2] password lines to [pw.out]
[*] Done

$ john pw.out
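A small LDIF-to-passwd converter in the spirit of the tool described above, added here as an example (it is not the author's ldap-passwd-dump.py). It handles two things slapcat output does that a naive line-by-line parser gets wrong, base64-encoded values (`::`) and folded continuation lines, strips the `{CRYPT}` scheme prefix so the hash field is a bare crypt(3) string, and reports entries stored under another scheme such as `{SSHA}` instead of writing them into the passwd file. The LDIF sample is constructed.

```python
import base64
import re

# Constructed slapcat-style sample (not real data): base64 userPassword ("::") and a folded cn.
_CRYPT = "{CRYPT}$1$xxxxxx$xxxxxxxxxxxxxxxxxxxxxx"
SAMPLE_LDIF = """\
dn: uid=newuser,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: New
  User
uid: newuser
userPassword:: B64VALUE

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc
userPassword: {SSHA}bm90LWEtY3J5cHQtaGFzaA==
""".replace("B64VALUE", base64.b64encode(_CRYPT.encode()).decode())

def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per entry (entries are blank-line separated)."""
    entries = []
    for block in re.split(r"\n\n+", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # newline + one space is a fold, not a new line
        attrs = {}
        for line in unfolded.split("\n"):
            m = re.match(r"^([A-Za-z][\w.;-]*):(:?) *(.*)$", line)
            if m:  # comments ("#") and other non-attribute lines fall through
                value = m.group(3)
                if m.group(2):  # "::" marks a base64-encoded value
                    value = base64.b64decode(value).decode("utf-8", "replace")
                attrs.setdefault(m.group(1).lower(), []).append(value)
        entries.append(attrs)
    return entries

def to_passwd_lines(entries, match_attr="objectclass", match_value="posixAccount"):
    """uid:hash:::cn for matching entries; (uid, reason) for entries without a crypt(3) hash."""
    out, skipped = [], []
    for e in entries:
        if match_value not in e.get(match_attr, []):
            continue
        uid, pw = e.get("uid", [""])[0], e.get("userpassword", [""])[0]
        m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", pw)
        if m and m.group(1).upper() == "CRYPT":
            pw = m.group(2)  # drop the {CRYPT} prefix; the remainder is the crypt(3) string
        elif m or not pw:  # another scheme ({SSHA}, {MD5}, ...) or no password: not passwd material
            skipped.append((uid, ("scheme {%s}" % m.group(1)) if m else "no userPassword"))
            continue
        out.append("%s:%s:::%s" % (uid, pw, e.get("cn", [""])[0]))
    return out, skipped
```

Calling `to_passwd_lines(parse_ldif(open("ldap.out").read()))` gives the lines to write to the passwd file plus the list of accounts that were skipped and why.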

Anyway, hopefully it’s mildly useful to a couple of people. Since the standard PAM modules for password policy enforcement are a little harder to use with LDAP, it sometimes seems like weak LDAP accounts can linger around for longer than intended. Let me know if you have any problems running it; I know there are several different possible password encoding and hashing types, and posixAccount setup schemas, so YMMV.

Look for some more things to be posted to the hackery page in the coming days.

3 Responses to 'LDAP password audit and general hackery'

  1. Fabio
    October 14th, 2009 at 10:12 am

    I ran this script against a slapcat output.
    After that, I tried to use john with the script's output, but john returns this message:
    No password hashes loaded

    I checked the script output file and verified that the hashes are there.

    If you can help me, I would be very happy.


  2. aaron
    November 12th, 2009 at 9:43 am

    I’m not sure what the issue would be here — usually if there’s a problem, it’s with the initial parsing of the ldap output. You might try comparing against a known good password file to make sure that the format is correct. Maybe it wasn’t able to grab some parameter from the ldap output? When the script runs, does it show the users that were added along with their names, etc.? It’s also possible that you have a different type of hash that john does not recognize.

  3. optimus prime
    March 18th, 2012 at 2:11 am

    john-1.7.9-jumbo-5 still gives the same error. The ldif extract looks fine; data is coming from OpenLDAP. Looks like threads are commenting that somehow the format is not supported?
