
LDAPSEARCH eDirectory Output File (mixed Base64)


Hi all,

I need to export some users' attributes from eDirectory and I am trying
to get this data through the ldapsearch command line.
The issue that I am facing is that some exported attributes have their data
in base64 format, like below, and some don't.

DirXML-EntitlementRef::
Y249TGVnYWN5QUQsY249Tm92ZWxsIEFEIERhdGEgU3luYyxjbj1Ob3ZlbGxfSURWX0RSX1NFVCxvdT1JRE0sb3U9c2VydmljZXMsbz1ub3ZlbGwjMSM8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJVVEYtOCI/Pg0KPHJlZj4NCjxzcmM+QlVMS1Jlc291cmNlPC9zcmM+DQo8aWQvPg0KPHBhcmFtPkJyYXppbDwvcGFyYW0+DQo8L3JlZj4=

The syntax that I used was something like:
ldapsearch -Z -b ou=people,o=novell \
  "(&(nrfAssignedRoles=*)(nrfAssignedResources=*)(DirXML-EntitlementRef=cn=UserRoles,cn=SAP*))" \
  -s sub -D cn=admin,o=novell -W -LLL DN nrfMemberOf nrfAssignedRoles \
  nrfAssignedResources DirXML-EntitlementRef > /tmp/teste1.log

Could someone help me figure out how to extract the data in the proper
format?
"cn=LegacyAD,cn=Novell AD Data Sync,cn=Novell_IDV_DR_SET,ou=IDM,ou=services,o=novell#1#<?xml version="1.0" encoding="UTF-8"?>
<ref>
<src>BULKResource</src>
<id/>
<param>Brazil</param>
</ref>"
(Would be fine without the broken lines 😄 )

Thank you so much


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308
View this thread: https://forums.netiq.com/showthread.php?t=51434

Re: LDAPSEARCH eDirectory Output File (mixed Base64)

LDAP does not work that way on its own. The reason the data are
base64-encoded is that it is likely not going to be correctly-formatted
for an LDIF, and therefore getting it to be decoded will break your LDIF,
including any subsequent processing of that output. Sure, it may work,
but stripping newlines or carriage returns, for example, may also corrupt
data in a way that you would not like. Similarly, other binary characters
that are not valid in base64 may need to be stripped to avoid causing
weird issues downstream, but that is, by definition, changing the output.

It may help if you better-define what you are trying to do. Going through
an intermediate format like LDIF if you intend to parse XML from the LDIF
isn't terrible, but base64-decoding in the LDIF doesn't make sense. Just
have whatever you are using read the base64 stuff and decode within its
memory before using the enclosed data, whether binary image data or XML or
something that just happens to have an extra space at the beginning or end
of the data.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: LDAPSEARCH eDirectory Output File (mixed Base64)


Thank you for your answer.

I forgot to let you know my environment configuration.
I have SLES11 SP3 and what I need is to create a report with the attributes
"nrfMemberOf, nrfAssignedRoles,nrfAssignedResources and
DirXML-EntitlementRef".
The broken lines are not the bigger problem, but I really need to decode
the base64 values.
I have tried Apache LDAP Directory, but I got the same issue.

Regards,


--
emerson_infosys

Re: LDAPSEARCH eDirectory Output File (mixed Base64)

emerson infosys wrote:

>
> Thank you for your answer.
>
> I forgot to let you know my environment configuration.
> I have SLES11 SP3 and what I need is to create a report with the attributes
> "nrfMemberOf, nrfAssignedRoles,nrfAssignedResources and
> DirXML-EntitlementRef".
> The broken lines are not the bigger problem, but I really need to decode
> the base64 values.
> I have tried Apache LDAP Directory, but I got the same issue.


These are IDM attributes and most require additional parsing even after they are base64 decoded.
Maybe the IDM reporting platform might be a better option? You might also get better results posting in the IDM related forums.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
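
Added example, not from any poster in this thread: Python that unfolds LDIF continuation lines, base64-decodes `::` values in memory as the first reply suggests, and then splits a decoded DirXML-EntitlementRef value, the extra parsing the reply above says is still needed. The sample entry is constructed; the `DN#number#XML` layout is taken from the value shown in the original post, while the field name `flag` and the premise that the DN contains no `#` are assumptions of this example.

```python
import base64
import sys
import xml.etree.ElementTree as ET

def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return entries as dicts of attribute -> list of values, base64 decoded in memory."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line:                          # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):              # comment lines (output without -LLL)
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"; undecodable bytes become U+FFFD
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8", errors="replace")
        else:                                 # "attr: plain value"
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries

def parse_entitlement_ref(value):
    """Split the 'DN#number#XML' layout shown in the thread (assumes no '#' in the DN)."""
    dn, flag, payload = (value.split("#", 2) + ["", ""])[:3]
    ref = ET.fromstring(payload.encode("utf-8")) if payload.strip() else ET.Element("ref")
    return {"dn": dn, "flag": flag, "src": ref.findtext("src"), "param": ref.findtext("param")}

def sample_ldif():
    """Constructed sample in ldapsearch -LLL style, with the base64 value folded at 76 columns."""
    value = ('cn=ExampleDriver,o=novell#1#<?xml version="1.0" encoding="UTF-8"?>\r\n'
             "<ref>\r\n<src>BULKResource</src>\r\n<id/>\r\n<param>Brazil</param>\r\n</ref>")
    line = "DirXML-EntitlementRef:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    folded = "\n ".join(line[i:i + 76] for i in range(0, len(line), 76))
    return "dn: cn=jdoe,ou=people,o=novell\nnrfMemberOf: cn=Example Group,o=novell\n" + folded + "\n"

if __name__ == "__main__":
    for entry in parse_ldif(sample_ldif() if sys.stdin.isatty() else sys.stdin.read()):
        print(entry.get("dn"), [parse_entitlement_ref(v) for v in entry.get("DirXML-EntitlementRef", [])])
```

Pipe the output of an `ldapsearch ... -LLL` command such as the one in the original post into the script; that command's `-W` prompts for the bind password, whereas `-w 'password'` leaves it in shell history and the process list.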

Re: LDAPSEARCH eDirectory Output File (mixed Base64)

On 07/30/2014 03:45 AM, emerson infosys wrote:
>
> I forgot to let you know my environment configuration.
> I have SLES11 SP3 and what I need is to create a report with the attributes
> "nrfMemberOf, nrfAssignedRoles,nrfAssignedResources and
> DirXML-EntitlementRef".


A report? With the actual XML attribute value? If you say so...

> The broken lines are not the bigger problem, but I really need to decode
> the base64 values.


Decoding the values if you do not care about the file format is trivial;
all you need to do is look for lines that are base64-encoded and send the
base64-encoded stuff to the 'base64' command with the '-d' (decode)
option. You still have not mentioned the final end goal other than a
report, or the language to be used (so I'm guessing just the shell, which
should create some very ugly reports unless you plan to use other tools
too, which would all be good to know specifically and including a business
case along with it), but the 'base64' command is there by default on SLES
systems; even if not, there is base64-decoding functionality in the
openssl command if needed.

So since all you need is to decode stuff, try this out and it should work
perfectly in the absence of any other requirements:


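# 1. sed: unfold LDIF continuation lines (lines that start with a space)
# 2. awk: keep only the value of base64-encoded ("attr:: value") lines
# 3. base64 -d: decode each value
ldapsearch -x -D 'cn=user,ou=context,o=goes,dc=here' -w 'passwordhere' |
  sed -n '1 {h; $ !d}; ${x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}' |
  awk '/^[^[:blank:]]+:: / {print $2}' |
  while read -r i; do echo -n "${i}" | base64 -d; done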


> I have tried Apache LDAP Directory, but I got the same issue.


Yes. LDAP, per RFC, base64-encodes values that are not valid in the LDIF
format, or else the tools would all create invalid LDIF output which has
no use to anybody since it cannot be reliably parsed.

--
Good luck.


Re: LDAPSEARCH eDirectory Output File (mixed Base64)


Thank you for your answer.

I got the error message "base64: invalid input" for the command line.

Any idea?

Thanks.


--
emerson_infosys

Re: LDAPSEARCH eDirectory Output File (mixed Base64)

On 07/30/2014 02:10 PM, emerson infosys wrote:
>
> Thank you for your answer.
>
> I got the error message "base64: invalid input" for the command line.
>
> Any idea?


Well it worked for me so my guess is either it was corrupted getting from
me to you, or it was changed in some evil way when you put in your
username and password; at some rate, I'm betting something changed to make
the command unhappy. Try running 'set -x' and 'set -v' at the bash shell
and then try the command again to get better debugging. To undo these
changes use 'set +x' and 'set +v'. You should get lots of great debugging
information. Feel free to post it.

--
Good luck.


Re: LDAPSEARCH eDirectory Output File (mixed Base64)


Some versions of ldapsearch allow for clear text data even when
base64-encoding is called for, as per RFC. However, I don't think any of
the OpenLDAP-based ldapsearch versions do that. If you REALLY must have it in
clear text format, you can try the ldapsearch gadget
(http://www.dreamlan.com/gadgets.html#ldapSearch) as it offers an option
to NOT base64-decode binary data (but would make the output LDIF file
useless for later input or use otherwise as an LDIF file) or have the
info decoded in the comment block associated with the binary data, when
possible.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=51434


Re: LDAPSEARCH eDirectory Output File (mixed Base64)


Thank you for your answer.
Unfortunately I cannot buy any tool for that.


--
emerson_infosys

Re: LDAPSEARCH eDirectory Output File (mixed Base64)


The feature to decode "in-line" for unlimited number of objects is a
freeware option within the ldapSearch Gadget.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com

Re: LDAPSEARCH eDirectory Output File (mixed Base64)

I recommend writing a script with perl or shell to accomplish that.
Query all values with dirxml-entitlementref and filter the ones you want
from the result.

You could use that script as a base for other operations as well.

I've done my own swiss army LDAP knife to handle eDirectories and ADs
and I could not live without it.


On 07/30/2014 12:45 PM, emerson infosys wrote:
>
> Thank you for your answer.
> Unfortunately I cannot buy any tool for that.
>
>

