Okky Hendriansyah
2016-01-15 03:35:01 UTC
Hi All,
I was just given a task to synchronize user accounts from OUD to MSAD. Since
Oracle's own synchronization tool (Oracle Directory Integration Platform)
currently does not support password synchronization from OUD to MSAD, I
googled for alternatives and found LSC instead. I have to say that this
tool is so simple yet powerful and sufficient for my needs.
However I'm still struggling in synchronizing passwords from OUD to MSAD. I
have tested the password generated in MSAD and have no issue using
AD.getUnicodePwd(), it works. But I still fail to decrypt the
userPassword attribute from the source OUD. I have switched the password
storage scheme to AES-128 and regenerated the userPassword to force
encryption instead of hashing. I have also found the encryption keys on
the server and put them in the lsc.key file.
ERROR - Error while synchronizing ID {cn=okky}:
org.lsc.exception.LscServiceException: javax.script.ScriptException:
sun.org.mozilla.javascript.internal.WrappedException: Wrapped
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16
when decrypting with padded cipher (<Unknown source>#5) in <Unknown source>
at line number 5
1. I think it tells me to pad the source userPassword before decrypting.
How can I do that in an LSC script?
2. The userPassword in the source is {AES}$sometextEndedWith==, do I have
to pass all the text or only the $sometextEndedWith== to LSC?
3. I found the encryption keys under cn=admin data like this, what values
should I put inside the lsc.key?
dn: ds-cfg-key-id=$configIdString,cn=secret keys,cn=admin data
ds-cfg-key-length-bits: 128
ds-cfg-initialization-vector-length-bits: 128
ds-cfg-key-id: $configIdString
ds-cfg-symmetric-key: $someString:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:$soManyString
objectClass: top
objectClass: ds-cfg-cipher-key
ds-cfg-cipher-transformation-name: AES/CFB/NoPadding
Thank you.
Best regards,
Okky Hendriansyah