This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note

Page References

Incoming links Outgoing links
DumpEdirectoryPasswordInformationTool
DumpEdirectoryPasswordInformationTool

Version management

Difference between version and

At line 1 added 226 lines
!!!Dump Password Information Tool
version 200909061033\\
[Novell's eDirectory Passwords|EdirectoryPasswords] infrastructure can be difficult to figure out. We needed a tool to debug various password policy and user entries regarding passwords.
The Dump Password Information Tool performs the following:
* Dumps the user's Universal Password values
* Dumps the information regarding the users Universal Password
* Dumps the information regarding the users Simple Password
* Dumps the information regarding the users NDS Password as it relates to the Universal Password
* Provides additional information as to the account status
%%error
[Use Entirely at Your Own Risk|Standard Disclaimer]
[CISUS.COM] nor anyone else is responsible if you use a tool or any information on this site and causes damages to anyone or anything! [You are required to read Our Standard Disclaimer|Standard Disclaimer]
%%
!!!WARNING Exposed password values
This tool will Expose password values and may not be allowed by your organizations security policy or some of the many other [agencies that protect our Information|IDM Related Compliance Items].
!!! [WARNING TLS or SSL no keystore|Fake Trust Manager]
You MUST use SSL or TLS for this tool. However, SSL or TLS connections done with the Dump Password Information Tool will assume the SSL or TLS cert presented by the server is valid. No certificate Validation of the certificate presented by the LDAP server will be performed UNLESS you specify a KeyStore. We use our [Fake Trust Manager]
We assumed that most of the work being performed would be on internal network that were protected.
__You should not use this tool on an unsecured network; certainly specify a keystore if you do use a unsecured network.__
The security issue could be presented if you can not be certain that the LDAP server you are using is the real server and has not been spoofed or compromised by a man-in-the-middle attack.
!!! [Novell Cool Solutions Tool Listing|http://www.novell.com/communities/node/1290/password-information-tool|target='_blank']
Featured as a [Novell Cool Solutions Tool Listing|http://www.novell.com/communities/node/1290/password-information-tool|target='_blank']
!!! NEW Features
* A GUI can be used instead of the [command-line] version.
!!Counters
When NOT outputing to an LDIF file, counters for various entry information are gathered.
Typical output showing counters:
{{{
**** There were 394 total entries ****
Entries with valid Universal Passwords: 37
Entries Insufficient Rights to Read: 13
Entries Universal<>NDS Passwords: 349
Entries with SimplePassword: 0
Entries no Password Policy Assigned: 0
Entries Password does not meet current Policy: 0
Entries Login Disabled: 2
Entries Locked-By-Intruder: 1
Entries Login Expired: 1
Entries Expired Passwords: 1
Entries Not Yet Activated: 1
Entries Never Logged in: 356
}}}
Explanation for Counters:
* Entries with valid Universal Passwords -- Entries that we could read the Universal Password
* Entries Insufficient Rights to Read -- Entries where the account used to run the tool does not have sufficient rights to evaluate Universal Password
* Entries Universal<>NDS Passwords -- Entries where the Universal Password does NOT match the NDS Password
* Entries with SimplePassword -- Entries with [Simple Passwords|Simple Password]
* Entries no Password Policy Assigned -- Entries where there was no [password policy is assigned.|NspmPasswordPolicy]
* Entries Password does not meet current Policy -- Entries where the [password found, does not meet the current password policy|NspmPasswordPolicy] assigned to the entry
* Entries Login Disabled -- Entries where the Account is Administratively Disabled.
* Entries Locked-By-Intruder -- Entries where the account is [Locked-By-Intruder|Locked By Intruder]
* Entries Login Expired -- Entries where loginExpiationTime has been reached
* Entries Expired Passwords -- Entries where [passwordExpirationTime|Password Expiration] has been reached
* Entries Not Yet Activated -- Entries where loginActivationTime has NOT been reached
* Entries Never Logged in -- Entries which have never logged into Tree.
!! Cautions
%%warning
* The GUI output screen may loose lines from the top.
* The debug log file may contain password values.
* [WARNING TLS or SSL no keystore|Fake Trust Manager]
%%
!!!Typical Output
This is typical output for one entry when the -L (LDIF) is not specified:
{{{
dn: cn=geoffc,ou=people,dc=willeke,dc=com
Password: secretvalue
Does Current password meet password policy assigned to user? true
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: true
Is the UPwd history full: false
Does UPwd match NDSPwd: true
Does UPwd match SimplePwd: false
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: false
Is Simple Password Clear Text: false
Does Simple Password match NDSPwd: false
==> Account Status <==
Is Entry Account Disabled: FALSE
Is Account Intruder Locked: FALSE
Login Time: 20090618002926Z
}}}
This is typical output to the LDIF file when the -L (LDIF) is specified:
{{{
# #########################################
# Warning! This is confidential information that MUST BE SECURED
# #########################################
dn: cn=geoffc,ou=people,dc=willeke,dc=com
changetype: modify
replace: LoginDisabled
LoginDisabled: FALSE
-
replace: LoginDisabled
LoginDisabled: FALSE
-
replace: loginTime
loginTime: 20090618002926Z
-
add: userpassword
userpassword: secretvalue
}}}
!!! Detailed Help
!![Dump Password Information Connections]
Detailed information on the GUI [Dump Password Information Connections] screen.
!![Dump Password Information Options]
Detailed information on the GUI [Dump Password Information Options] screen.
!![Dump Password Information Run]
Detailed information on the GUI [Dump Password Information Run] screen.
!![Dump Password Information Tool-Command Line Options]
Detailed information on the [Dump Password Information Tool-Command Line Options].
!![Dump Password Information Tool-Advanced Topics]
Some information on [Dump Password Information Tool-Advanced Topics]
!![Dump Password Information Tool-Logging]
How to change the [Dump Password Information Tool-Logging] features.
!![Dump Password Information Tool-Trouble Shooting]
What to do if you [have problems|Dump Password Information Tool-Trouble Shooting]
!!!Updates
We made some enhancements. Test it out and let [us know your results|mailto:info@ldapwiki.com?subject=(ldapwiki) Dump Password Information Tool]
!GUI
We implemented a GUI version. The GUI version works well with smaller runs of 5,000 or less entries. Due to Memory consumption issues when using the default settings when more entries are put to the screen, the command-line will work better.
!!Extra Account Information
We also added an option to obtain some additional account information.
{{{
-E If present, True Additional account information is provided - Default=false
}}}
This will add the following (typical):
If not using LDIF:
{{{
==> Account Status <==
Is Entry Account Disabled: FALSE
Is Account Intruder Locked FALSE
Account Login Time: 20070618221653Z
}}}
If using LDIF:
{{{
changetype: modify
replace: LoginDisabled
LoginDisabled: FALSE
-
replace: lockedByIntruder
lockedByIntruder: FALSE
-
replace: loginTime
loginTime: 20070618221653Z
}}}
* "Is Entry Account Disabled" shows the value of the "LoginDisabled" Attribute
* "Is Account Intruder Locked" shows ONLY the value of the "lockedByIntruder" attribute. __WARNING__: See [locked By Intruder] for details!
* "Account Login Time" shows the value of the "loginTime" attribute or "User has not Logged in to system"
!!LDIF File
Used with the -L option, we added the "-f" option so you can point provide a complete path (Include the file name) to an LDIF file.
{{{
-f Complete path to LDIF File for output - Default="dumppasswordinformation.ldif"
}}}
If the (-f) is not specified and the "-L" option is specified, we write to "dumppasswordinformation.ldif" in the current directory.
!!eDirectory Versions
We have tested against 8.7.3.x and 8.8.x with Universal Password properly configured. Let us know if you have issue.
!!Scopes
A SCOPE_SUB search is performed on all operations.
!!Known Issues
[Let us know.|mailto:info@ldapwiki.com?subject=(ldapwiki) Dump Password Information Tool]
!!!Thanks
Special thanks to Geoffrey Carman for all his advice, testing and documentation work he has done. He has been very helpful.
Also see his excellent articles on Cool Solutions:
* [Examples of Jim Willeke's Dump UP Tool|http://www.novell.com/communities/node/8445/examples-jim-willekes-dump-tool|target='_blank']
* [All of his many fine Articles|http://www.novell.com/communities/user/555/track|target='_blank']
Thanks to all others that helped along the way.
!![Standard Disclaimer|Standard Disclaimer]
!![Copyright And Intellectual Property Information|Copyright And Intellectual Property Page]
!![Java Versions And Running These Programs|Java Versions And Running Programs]
!! [Permissions to read Universal Password]
[Permissions to read Universal Password] shows how to assign permissions to [nspmPasswordPolicy] to be able to properly use the [{$pagename}]
!!![Download DumpPasswordInformation|dumpup.zip]
Un-zip into the directory of your choice and for GUI mode Run:
{{{
java -jar DumpPasswordInformation.jar
}}}
To run from Command Line see: [Dump Password Information Tool-Command Line Options]
!! C# and [Universal Password]
[{$applicationname}] put together some C# DOTNET code to be able to perform these functions and it is on [GitHub] at [https://github.com/jwilleke/identity-projects/tree/master/dotnet|https://github.com/jwilleke/identity-projects/tree/master/dotnet|target='_blank']
!!! [Cool Solutions|http://www.novell.com/communities/node/1290/password-information-tool|target='_blank']
This is one of the tools we have submitted to [Cool Solutions|http://www.novell.com/communities/node/1290/password-information-tool|target='_blank'].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthorTop