If you use LDAP simple authentication, you should take care to hide the LDAP password from the command line history. A lot of UNIX shells environments are configured to save the command line history. Of course this is a very useful function, on several levels, but it can also be a system security hazard as well, if we don’t pay attention to how we use it.
In an environment like most modern identity management systems, which often use LDAP servers to store identity data, it is the best practice to store the password in a file which you can use to read into your commands as opposed to including it on the commandline, as is provided by most LDAP utilities.
Here’s instructions how to hide those LDAP simple authentication passwords from the command line history in some popular LDAP client utilities.
All the methods will use a file in a known location to store the password, so first create an ~/.ldappw file (mode 0400 or 0600) in your home directory. It should contain the password as one line.
Probably the most common ldap client utility most people deal with is the OpenLDAP client. Newer versions of the OpenLDAP client have the -y parameter to read the password from a password file. In this case make sure that there is no newline character in the password file. The following example shows how to create the password file without a newline and search using -y.
$echo -n 'password' > ~/.ldappw $ldapsearch -y ~/.ldappw -W -D "cn=bind dn" -b dc=example,dc=net "cn=user to search" dn cn
Please note that earlier versions of the OpenLDAP client lack this -y option but you can still accomplish this, using shell redirection and the -W (capital W as opposed to lower w) to read the password from standard input. Note in this case you will want the newline in the password file as in the following example:
$echo 'password' > ~/.ldappw $ldapsearch -x -W -D "cn=bind dn" -b dc=example,dc=net "cn=user to search" dn cn < ~/.ldappw
The OpenDS ldapsearch tool and the one that comes with Oracle DSEE (formerly known as Sun DSEE) has the -j option to include a password:
ldapsearch -j ~/.ldappw -D "cn=bind dn" -b dc=example,dc=net "cn=user to search" dn cn
The Tivoli ldapsearch is similar to the OpenLDAP one, but you must use “?” after a lowercase “-w” instead of the capital “-W”:
$ldapsearch -x -w ? -D "cn=bind dn" -b dc=example,dc=net "cn=user to search" dn cn < ~/.ldappw
© Copyright 2020 Rex Consulting, Inc. – All rights reserved
It gives the below error but work fine if I enter the password without the -y option:
ldap_bind: Invalid credentials (49)
This used to work with my previous password, is there some kind of cache to be cleared? just a guess
There’s no cache. Invalid credentials (49) means what it says 99.999% of the time. The one exception I’ve seen is from RHEL6 to RHEL7 they changed the crypt format, hozing some crypt passwords containing special characters (always invalid but allowed in RHEL6).