SDIDiag

SDIDiag allows an administrator to view and perform diagnostic functions on the Security Domain Infrastructure (SDI) keys within a tree, and to ensure that all servers are synchronized with consistent keys.
SDIDiag is provided as SDIDIAG.NLM for NetWare and as SDIDIAG.EXE, which can be run from Windows against any other platform. There is also an rpm for Linux, but we could only find one for 32-bit systems (didiag-2-2.i586.rpm).
SDIDiag is the Security Domain Infrastructure Diagnostic and repair utility. It lets an administrator view the various keys within a tree and confirm that all servers are synchronized with consistent keys.
By default, SDIDiag 2.2 references only servers running eDirectory version 8.7.1 or later. To have SDIDiag 2.2 reference servers running versions prior to eDirectory 8.7.1, use the -A switch.
SDIDiag 2.2 has been tested and works with eDirectory 8.8 and 8.7.3.
Universal Password has issues if the keys are not at least 168 bits. Running the SDIDiag LK (List Keys) command shows the size of each Security Domain Key, as in the following session:
    Server : .SERVERA.NOVELL.ACME-TREE.
    Tree : ACME-TREE
    User Name (Full DN): admin.novell
    Password : *******
    SDIDIAG> LK
    Displaying keys in domain W0, object .W0.KAP.Security.WILLEKE.COM.WILLEKETREE
    Displaying keys on .DWN.SRV.CSU.WILLEKE.COM.WILLEKETREE
    Server : .DNW1.SRV.CSU.WILLEKE.COM.WILLEKETREE
    SDKey : 1
    Object Class : Secret Key
    Key Size : 168 bits
    Key Usage : 0x4400C0
    Key Format : DES-EDE3-CBC-IV8
    Key Id : 5C 2F 5F 19 4E F3 6E 51 43 E1 5F 0B 93 69 3D A7
    Validity : Sun Jun 27 16:36:27 2005 - Sun Feb 03 23:59:00 2036
    SDKey : 2 (Revoked)
    Object Class : Secret Key
    Key Size : 168 bits
    Key Usage : 0x400080
    Key Format : DES-EDE3-CBC-IV8
    Key Id : 47 D7 AA 81 D9 AC 3F 84 20 98 AA 14 7E 5C F9 D3
    Validity : Sun Mar 04 18:56:17 2005 - Sun Feb 03 23:59:00 2036
    SDKey : 3 (Revoked)
    Object Class : Secret Key
    Key Size : 56 bits
    Key Usage : 0x400080
    Key Format : DES-CBC-IV8
    Key Id : 40 27 67 21 CA AB 76 18 43 1D 92 05 5C 69 8E AC
    Validity : Sun Jan 01 23:59:00 1998 - Sun Feb 03 23:59:00 2036
    SDIDIAG>
- If the TREE and ORGANIZATION names are the same (i.e. the tree name is NOVELL and the Organization is NOVELL), you need to specify the whole Full DN, including the TREE NAME, or you will get errors when trying to authenticate. So, in this case it would be:
User Name (Full DN): admin.novell.NOVELL
SDIDIAG> LK -O C:\LIST.TXT

This shows the list of keys for all the servers in the W0 object and writes this information to the C:\LIST.TXT file. Another way to gather this information is to open ConsoleOne, go to the W0 object in the Security container, select the "Other" tab on the W0 object and view the values of the "NDSPKI:SD Key Server DN" attribute.
SDIDIAG> FS -A -O C:\SERVER.TXT

This creates a file on the local workstation called SERVER.TXT, which holds a list of all servers in the tree. The "-A" switch makes SDIDiag access servers regardless of their eDirectory or NICI version. This is necessary if some servers are not running eDirectory 8.7.1 or later and you still wish to see which keys are on each of those servers.
SDIDIAG> LK -I C:\SERVER.TXT -O C:\PROCESS.TXT

This lists all the servers in the tree and their SDI key(s), writing the output to C:\PROCESS.TXT.
Review the output

Look at the PROCESS.TXT file.
- Are there any errors in this file?
- Do all servers have the same keys?
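The two review questions can be answered mechanically. The following is an added example, not part of the original page or of the SDIDiag utility: it parses an LK listing in the format shown above and reports, per server, keys that exist on another server but are missing here ("missing"), keys still active here although another server has revoked them ("stale"), and active keys below 168 bits ("weak"). The listing it runs on is constructed, with placeholder server names and key ids.

```python
from collections import defaultdict
MIN_KEY_BITS = 168  # Universal Password needs SD keys of at least this size

# Constructed LK listing (placeholder server names and key ids, not a real
# capture): SRVB lacks the 168-bit key and still holds the revoked 56-bit key as active.
SAMPLE_LK_OUTPUT = """\
Server : .SRVA.SRV.EXAMPLE.EXAMPLETREE
SDKey : 1
Key Size : 168 bits
Key Id : AA 11 AA 11 AA 11 AA 11 AA 11 AA 11 AA 11 AA 11
SDKey : 2 (Revoked)
Key Size : 56 bits
Key Id : BB 22 BB 22 BB 22 BB 22 BB 22 BB 22 BB 22 BB 22
Server : .SRVB.SRV.EXAMPLE.EXAMPLETREE
SDKey : 1
Key Size : 56 bits
Key Id : BB 22 BB 22 BB 22 BB 22 BB 22 BB 22 BB 22 BB 22
"""

def parse_lk(text):
    """Return {server_dn: {key_id: (bits, revoked)}} from an LK listing."""
    servers = defaultdict(dict)
    server, bits, revoked = None, None, False
    for line in text.splitlines():
        field, _, value = (part.strip() for part in line.partition(":"))
        if field == "Server":           # a new per-server block begins
            server = value
        elif field == "SDKey":          # "(Revoked)" marks a retired key
            revoked = "(Revoked)" in value
        elif field == "Key Size":       # e.g. "168 bits"
            bits = int(value.split()[0])
        elif field == "Key Id" and server:
            servers[server][value] = (bits, revoked)
    return dict(servers)

def audit_lk(text):
    servers = parse_lk(text)
    all_ids = {k for keys in servers.values() for k in keys}
    revoked_ids = {k for keys in servers.values() for k, (_, r) in keys.items() if r}
    findings = {"missing": [], "stale": [], "weak": []}
    for server, keys in sorted(servers.items()):
        for key_id in sorted(all_ids - set(keys)):
            findings["missing"].append((server, key_id))
        for key_id, (bits, revoked) in sorted(keys.items()):
            if not revoked and key_id in revoked_ids:
                findings["stale"].append((server, key_id))
            if not revoked and bits < MIN_KEY_BITS:
                findings["weak"].append((server, key_id, bits))
    return findings
```

Feed it the contents of PROCESS.TXT; an empty findings dict means every server holds the same keys with consistent revocation state and none of the active keys is weaker than 168 bits.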
More Information

There might be more information for this subject on one of the following:
[#1] http://www.novell.com/support/kb/doc.php?id=3455150 (2012-09-13)