Is it possible to generate an ldapsearch command from an LDAP request dissected by Wireshark or TShark?

asked 2022-05-30 00:26:05 +0000

pdragon

updated 2022-05-30 06:35:54 +0000

Guy Harris

I'm trying to configure LDAP authentication for an application we've installed (currently TLS is off for debugging):

  • It's not authenticating
  • The configuration page has terminology I don't understand
  • The error message it prints doesn't explain the problem very well

I'd like to reproduce the problem using equivalent ldapsearch commands, but trying to put together the arguments from the LDAP packet dissection is tedious and error-prone.

Is there a template for Wireshark that will "just do it", printing something like this?

  ldapsearch -H ldap://1.2.3.4 -p 389 -D "$binddn" -w '$password' -b "$searchbase" \
        -s $scope "${other_options[@]}" "$filter" "$attributes"

I attempted to do something in bash:

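  # capture the LDAP traffic on port 389 to a file
  tcpdump -w d.pcap -i any port 389

  # dump TCP stream 0 as hex and convert it back to raw bytes
  tshark -r d.pcap -q -z follow,tcp,raw,0 2> /dev/null | gawk 'BEGIN{cmd="xxd -p -r"};NR>6 && !/^=/{print $1 | cmd;close(cmd)}' > d.bin

  # decode the BER-encoded bytes as ASN.1
  openssl asn1parse -inform DER -in d.bin | awk '.......'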

But alas, awk is not up to the task.

Thanks!

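One way to do what the question asks, as an added example that is not part of the original post or of Wireshark: a small Python BER walker that reads reassembled cleartext LDAP bytes (such as the `d.bin` produced above) and emits one `ldapsearch` command per searchRequest, reusing the most recent simple bind. The function names, the sample bytes and the use of `ldap://1.2.3.4` as the URI are assumptions; extensibleMatch filters and request controls are not handled.

```python
import shlex

def tlvs(buf):  # yield (tag, value) for each BER TLV; one-byte tags, definite lengths
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length octets that follow
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def esc(v):  # escape an assertion value for an RFC 4515 filter string
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in b"*()\\" else "\\%02x" % b for b in v)

OPS = {0xA3: "=", 0xA5: ">=", 0xA6: "<=", 0xA8: "~="}  # equality, >=, <=, approx
SCOPES = ["base", "one", "sub", "children"]              # ldapsearch -s value per scope enum

def filt(tag, val):  # render one BER Filter CHOICE as an RFC 4515 string
    if tag in (0xA0, 0xA1, 0xA2):  # and, or, not
        return "(" + "&|!"[tag - 0xA0] + "".join(filt(t, v) for t, v in tlvs(val)) + ")"
    if tag == 0x87:  # present
        return "(%s=*)" % val.decode()
    if tag not in OPS and tag != 0xA4:
        raise ValueError("unsupported filter tag 0x%02x" % tag)
    (_, attr), (_, rest) = tlvs(val)
    if tag in OPS:
        return "(%s%s%s)" % (attr.decode(), OPS[tag], esc(rest))
    p = list(tlvs(rest))  # substrings: initial [0], any [1], final [2]
    return "(%s=%s%s%s)" % (attr.decode(), "" if p[0][0] == 0x80 else "*",
                            "*".join(esc(v) for _, v in p), "" if p[-1][0] == 0x82 else "*")

def ldapsearch_cmds(stream, uri):  # one shell-quoted command per searchRequest
    cmds, bind = [], []
    for _, msg in tlvs(stream):  # each item is one LDAPMessage SEQUENCE
        _, (op, body), *_ = tlvs(msg)
        f = list(tlvs(body))
        if op == 0x60 and f[2][0] == 0x80:  # bindRequest with simple authentication
            bind = ["-x", "-D", f[1][1].decode(), "-w", f[2][1].decode()]
        elif op == 0x63:  # searchRequest: base, scope, ..., filter (index 6), attributes (7)
            argv = ["ldapsearch", "-H", uri, *bind, "-b", f[0][1].decode(), "-s", SCOPES[f[1][1][0]]]
            cmds.append(shlex.join(argv + [filt(*f[6])] + [v.decode() for _, v in tlvs(f[7][1])]))
    return cmds

# Constructed sample (not from a real capture): simple bind, then a subtree search
SAMPLE = (b"\x30\x2a\x02\x01\x01\x60\x25\x02\x01\x03\x04\x18cn=app,dc=example,dc=com\x80\x06s3cret"
          b"\x30\x5b\x02\x01\x02\x63\x56\x04\x11dc=example,dc=com\x0a\x01\x02\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00"
          b"\xa0\x26\xa3\x15\x04\x0bobjectClass\x04\x06person\xa4\x0d\x04\x03uid\x30\x06\x80\x04jdoe\x30\x0a\x04\x02cn\x04\x04mail")

if __name__ == "__main__":
    print("\n".join(ldapsearch_cmds(SAMPLE, "ldap://1.2.3.4")))
```

Responses and other operations in the stream are skipped, so a file containing both directions also works as long as no request is split by interleaved server data.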