I have inherited a number of EC2 instances with CentOS that authenticate users against AWS Directory Service through LDAP. Now I need to run some manual queries with ldapsearch
using the same account to debug some authentication problems. However, the password is encrypted in the config, like this:
[sssd]
domains = LDAP
services = nss, pam
[domain/LDAP]
id_provider = ldap
cache_credentials = True
ldap_schema = AD
ldap_uri = ldaps://...
ldap_search_base = ...
ldap_default_bind_dn = ...
ldap_default_authtok = AAAQAB3QDeZ7+...cBSpT0ZABu4AAQID
ldap_default_authtok_type = obfuscated_password
Is there any way to decrypt / de-obfuscate the ldap_default_authtok? I don't want to change it in AD because it's being used on many servers.
I happened to write a small script that decrypts these passwords about a year ago.
Interestingly the SSS developers went to great lengths with the obfuscation algorithm, using AES-256 for example, yet in the end it's still easily decipherable because they bundle the randomly generated encryption key in the encoded string. Weird.
I put it on GitHub for you: https://github.com/mludvig/sss_deobfuscate
Usage is simple:
Hope that helps :)
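To make concrete what the answer above says (the AES key is carried inside the token itself), here is an added example; it is not code from the original answers, from SSSD or from sss_deobfuscate. It reproduces the layout SSSD's obfuscation code writes: a little-endian uint16 method id (0 for AES-256-CBC, which is why the token in the question starts with AAAQ, i.e. the bytes 00 00 10 00, method 0 and a 16-byte ciphertext), a uint16 ciphertext length, the ciphertext, the 32-byte key and the 16-byte IV, all base64-encoded. The PKCS#7 padding of the NUL-terminated password and the byte order are assumptions that you should check against the sssd source of your version; the password in main() is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	methodAES256 = 0  // assumption: method id 0 = AES-256-CBC (matches the 00 00 prefix of the token in the question)
	keyLen       = 32 // AES-256 key, stored in clear right after the ciphertext
	ivLen        = 16 // CBC IV, stored after the key
)

// obfuscate builds a token in the assumed SSSD layout:
//   uint16 method | uint16 ctsize | ct[ctsize] | key[32] | iv[16], little-endian, then base64.
// Key and IV are random per token, exactly as in SSSD, and then shipped with the ciphertext.
func obfuscate(password string) (string, error) {
	key := make([]byte, keyLen)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	// Assumption: the C string (including its NUL) is PKCS#7-padded to the block size.
	pt := append([]byte(password), 0)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)

	hdr := make([]byte, 4)
	binary.LittleEndian.PutUint16(hdr[0:2], methodAES256)
	binary.LittleEndian.PutUint16(hdr[2:4], uint16(len(ct)))
	out := append(hdr, ct...)
	out = append(out, key...)
	out = append(out, iv...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// deobfuscate parses the token and recovers the password. Nothing here needs any
// secret that is not already inside the token, which is the whole point.
func deobfuscate(token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	if len(raw) < 4 {
		return "", errors.New("token too short")
	}
	method := binary.LittleEndian.Uint16(raw[0:2])
	ctsize := int(binary.LittleEndian.Uint16(raw[2:4]))
	if method != methodAES256 {
		return "", fmt.Errorf("unknown obfuscation method %d", method)
	}
	if ctsize == 0 || ctsize%aes.BlockSize != 0 || len(raw) != 4+ctsize+keyLen+ivLen {
		return "", errors.New("malformed token: bad ciphertext length")
	}
	ct := raw[4 : 4+ctsize]
	key := raw[4+ctsize : 4+ctsize+keyLen] // the "secret" key, read straight out of the token
	iv := raw[4+ctsize+keyLen:]

	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, ctsize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)

	// Strip PKCS#7 padding, then the C string's trailing NUL.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return "", errors.New("bad padding")
	}
	pt = bytes.TrimRight(pt[:len(pt)-pad], "\x00")
	return string(pt), nil
}

func main() {
	tok, err := obfuscate("S3cret-bind-pw") // constructed sample password
	if err != nil {
		panic(err)
	}
	fmt.Println("ldap_default_authtok =", tok)
	pw, err := deobfuscate(tok)
	fmt.Println("recovered:", pw, err)
}
```

Anyone who can read sssd.conf (root on the box, a configuration-management checkout, a backup) can recover the bind password this way, so treat obfuscated_password as protection against shoulder surfing only: keep the file mode 0600 and root-owned, and keep it out of any repository or AMI you do not consider secret.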
@MLu's answer will get the job done but I'll add some commentary.
It's a shame the devs called the methods encrypt() and decrypt() since they do no such thing. If you look at the source for the python module (src/python/pysss.c) there is a pysss.password.decrypt() method but it is surrounded by #if 0..#endif. If those (and the corresponding #if 0..#endif around the c-python linkage) are removed and the source is recompiled, decrypt() can be called. E.g.:
https://github.com/jteppinette/python-sssd-ldap-auth
I created a python package based on @MLu's work.
Install
Usage
CLI
Library