how to audit passwords on the 389 Directory Server

as an admin, dump users and their password hashes: from a host with connectivity to the ldap server, run the following. note that -W makes ldapsearch prompt for the bind password, so it will not be visible in process lists.

ldapsearch -x -D uid=anadminuser,ou=Users,dc=example,dc=com -W -b 'ou=Users,dc=prod,dc=acxiom-online,dc=com' uid userPassword cn > ldap.users

the passwords will be base64 encoded (in LDIF output a base64 value is marked with a double colon, userPassword:: ..., and long values are folded onto continuation lines that start with a space). the following script decodes the passwords and generates a _password_ file for john the ripper. it is based on the ldif2john script included with the john tarball. it cleans up the output from ldapsearch (rejoins a value that was wrapped onto a continuation line, such as the trailing = of the base64 string, and base64 decodes the result) as it generates the password file.

#!/usr/bin/perl
# ldap2john: turn the ldapsearch output into a passwd-style file for john.
# Handles the two things ldapsearch does to userPassword: it writes the value
# base64-encoded ("userPassword:: ...") and folds long values onto continuation
# lines that start with a single space.
use strict;
use warnings;
use MIME::Base64;

my $i = 1;      # synthetic uid/gid, one per entry
my %object;     # attributes of the entry being read
my %b64;        # attributes written as "attr:: value", i.e. base64-encoded
my $last;       # last attribute seen, so continuation lines can be appended to it

sub flush_entry {
    if (defined $object{uid} && $object{uid} ne '') {
        my $pw = $object{userPassword};
        $pw = decode_base64($pw) if defined $pw && $b64{userPassword};
        $pw = '*' if !defined $pw || $pw eq '';
        # passwd layout: user:hash:uid:gid:gecos:home:shell
        print join(':', $object{uid}, $pw, $i, $i, $object{cn} // '', '/', '/bin/sh'), "\n";
    }
    %object = ();
    %b64    = ();
    undef $last;
    $i++;
}

while (<>) {
    chomp;
    if (/^$/) { flush_entry(); next; }      # a blank line ends the entry
    next if /^#/;                           # ldapsearch comment lines
    if (/^ (.*)/) {                         # folded continuation of the previous value
        $object{$last} .= $1 if defined $last;
        next;
    }
    if (my ($lhs, $sep, $rhs) = /^([^:]+)(::?) ?(.*)$/) {
        $object{$lhs} = $rhs;
        $b64{$lhs}    = ($sep eq '::');
        $last         = $lhs;
    }
}
flush_entry() if %object;                   # in case the input has no trailing blank line
save the script as ldap2john, make it executable, and run:
ldap2john < ldap.users > ldap.passwd
and finally:
john _options..._ ldap.passwd
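a complementary check on the same ldap.users dump, added here as an example (not from the original page, john or 389 DS): it parses the ldapsearch output the same way (double-colon base64 values, folded continuation lines) and reports which password storage scheme each account uses, so accounts stored with a weak scheme show up without cracking anything. the sample LDIF and its hashes are constructed dummies, and the set of schemes treated as weak is this script's own audit policy.

```python
import base64
import re
from collections import Counter

WEAK_SCHEMES = {"CLEAR", "CRYPT", "MD5", "SMD5", "SHA", "SSHA"}  # audit policy, not a 389 DS setting

# Constructed sample in ldapsearch's LDIF layout ("::" = base64 value, a leading
# space = folded continuation of the previous line). The hashes are dummies.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=Users,dc=example,dc=com\nuid: alice\ncn: Alice\n"
    + "userPassword:: e1NTSEF9" + "QUFB" * 13 + "\n " + "QUFB" * 7 + "\n\n"
    + "dn: uid=bob,ou=Users,dc=example,dc=com\nuid: bob\ncn: Bob\n"
    + "userPassword:: e0NMRUFSfXBhc3N3b3Jk\n\n"  # base64 of {CLEAR}password
    + "dn: uid=carol,ou=Users,dc=example,dc=com\nuid: carol\ncn: Carol\n"
)

def parse_ldif(text):
    """One {attribute: value} dict per entry, base64 values decoded (last value wins)."""
    entries, raw, last = [], {}, None
    for line in text.splitlines() + [""]:           # the trailing "" flushes the last entry
        if line.startswith("#"):                    # ldapsearch comment lines
            continue
        if line == "":
            if raw:
                entries.append({k: base64.b64decode(v).decode("utf-8", "replace") if b64 else v
                                for k, (b64, v) in raw.items()})
            raw, last = {}, None
        elif line.startswith(" ") and last:         # folded continuation line
            raw[last] = (raw[last][0], raw[last][1] + line[1:])
        elif m := re.match(r"([^:]+)(::?) ?(.*)", line):
            name, sep, value = m.groups()
            raw[name], last = (sep == "::", value), name
    return entries

def audit(ldif_text):
    """Count storage schemes and list uids stored with a weak scheme or no {SCHEME} tag."""
    counts, findings = Counter(), []
    for entry in (e for e in parse_ldif(ldif_text) if "uid" in e):  # drops the search/result trailer
        stored = entry.get("userPassword")
        tag = re.match(r"\{([^}]+)\}", stored) if stored is not None else None
        scheme = "none" if stored is None else (tag.group(1).upper() if tag else "unhashed")
        counts[scheme] += 1
        if scheme in WEAK_SCHEMES or scheme == "unhashed":
            findings.append((entry["uid"], scheme))
    return counts, findings

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))  # (Counter({'SSHA': 1, 'CLEAR': 1, 'none': 1}), [('alice', 'SSHA'), ('bob', 'CLEAR')])
```

to run it against a real dump, read ldap.users into a string and pass it to audit() in place of SAMPLE_LDIF.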