Dump Password Information Tool#

version 200909061033
Novell's eDirectory password infrastructure can be difficult to figure out. We needed a tool to debug password policies and the password-related state of user entries.

The Dump Password Information Tool performs the following:

  • Dumps the user's Universal Password value
  • Dumps the information regarding the user's Universal Password
  • Dumps the information regarding the user's Simple Password
  • Dumps the information regarding the user's NDS Password as it relates to the Universal Password
  • Provides additional information on the account status
Use Entirely at Your Own Risk. Neither Services.willeke.biz nor anyone else is responsible if you use a tool or any information on this site and cause damage to anyone or anything! You are required to read Our Standard Disclaimer.

WARNING Exposed password values#

This tool will expose password values in clear text. That may not be allowed by your organization's security policy, or by the regulators and agencies that govern the information you hold.

WARNING TLS or SSL no keystore#

You MUST use SSL or TLS with this tool. However, SSL or TLS connections made by the Dump Password Information Tool assume that the certificate presented by the server is valid: no validation of the certificate presented by the LDAP server is performed UNLESS you specify a KeyStore. Without a KeyStore the tool uses our Fake Trust Manager, which accepts any certificate.

We assumed that most of the work would be performed on protected internal networks.

You should not use this tool on an unsecured network; if you must, specify a keystore.

The security issue arises when you cannot be certain that the LDAP server you are connected to is the real server rather than a spoofed one, or a man-in-the-middle relaying the connection. Without certificate validation the tool will bind to whatever answers, and both the bind credentials and every password it reads are exposed to that party.
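As an added example (not code from the tool itself), the following Python snippet uses the standard library ssl module to show the two configurations the warning above contrasts: the default, which like the tool's Fake Trust Manager accepts any certificate, and the validating configuration you get by supplying a CA store (the role the tool's KeyStore plays). The CA file path and host name in the usage section are placeholders.

```python
import socket
import ssl

LDAPS_PORT = 636


def make_ldaps_context(ca_file=None, allow_unverified=False):
    """Return an SSLContext for an LDAPS connection.

    ca_file          PEM bundle holding the CA that issued the eDirectory
                     server certificate (what the tool's KeyStore provides).
                     None means the platform trust store.
    allow_unverified Reproduces the Fake Trust Manager behaviour: any
                     certificate is accepted and the host name is not
                     checked. Off by default so it must be asked for.
    """
    if allow_unverified:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # create_default_context sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_server(ctx):
    """True when the context will reject a spoofed or man-in-the-middle cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_ldaps(host, ctx, port=LDAPS_PORT, timeout=10.0):
    """Open a TLS socket to the LDAP server.

    With a validating context this raises ssl.SSLCertVerificationError if the
    server certificate does not chain to the CA or does not match `host`.
    The LDAP bind would then be performed on the returned socket.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder CA path and host; adjust for your tree.
    ctx = make_ldaps_context(ca_file="/etc/ssl/certs/edir-ca.pem")
    print("validates server:", validates_server(ctx))
    with open_ldaps("ldap.example.com", ctx) as tls:
        print("peer subject:", tls.getpeercert()["subject"])
```

The point of the split is that the insecure path has to be requested explicitly; a tool that silently falls back to accepting any certificate is exactly the behaviour the warning describes.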

Novell Cool Solutions Tool Listing#

Featured as a Novell Cool Solutions Tool Listing

NEW Features#


When NOT outputting to an LDIF file, counters for the entry conditions listed below are gathered.

Typical output showing counters:

**** There were 394 total entries ****
   Entries with valid Universal Passwords: 37
   Entries Insufficient Rights to Read: 13
   Entries Universal<>NDS Passwords: 349
   Entries with SimplePassword: 0
   Entries no Password Policy Assigned: 0
   Entries Password does not meet current Policy: 0
   Entries Login Disabled: 2
   Entries Locked-By-Intruder: 1
   Entries Login Expired: 1
   Entries Expired Passwords: 1
   Entries Not Yet Activated: 1
   Entries Never Logged in: 356

Explanation of the counters:

  • Entries with valid Universal Passwords -- Entries whose Universal Password we could read
  • Entries Insufficient Rights to Read -- Entries where the account used to run the tool does not have sufficient rights to evaluate the Universal Password
  • Entries Universal<>NDS Passwords -- Entries where the Universal Password does NOT match the NDS Password
  • Entries with SimplePassword -- Entries that have a Simple Password
  • Entries no Password Policy Assigned -- Entries where no password policy is assigned
  • Entries Password does not meet current Policy -- Entries where the password found does not meet the password policy currently assigned to the entry
  • Entries Login Disabled -- Entries where the account is administratively disabled
  • Entries Locked-By-Intruder -- Entries where the account is Locked-By-Intruder
  • Entries Login Expired -- Entries where loginExpirationTime has been reached
  • Entries Expired Passwords -- Entries where passwordExpirationTime has been reached
  • Entries Not Yet Activated -- Entries where loginActivationTime has NOT been reached
  • Entries Never Logged in -- Entries which have never logged in to the tree (no loginTime)
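To make the account-status counters concrete, here is an added Python example (not part of the tool) that evaluates the same conditions from the raw eDirectory attributes the tool reads: loginDisabled, lockedByIntruder, loginExpirationTime, passwordExpirationTime, loginActivationTime and loginTime. The Universal Password, Simple Password and policy counters depend on NMAS extended operations and are not reproduced here. The entries are constructed sample data (the DNs mirror the page's example) and the clock is fixed so the result is reproducible.

```python
from datetime import datetime, timezone

# Account-status counters, in the order the tool prints them.
STATUS_KEYS = (
    "login_disabled", "locked_by_intruder", "login_expired",
    "password_expired", "not_yet_activated", "never_logged_in",
)
LABELS = {
    "login_disabled": "Entries Login Disabled",
    "locked_by_intruder": "Entries Locked-By-Intruder",
    "login_expired": "Entries Login Expired",
    "password_expired": "Entries Expired Passwords",
    "not_yet_activated": "Entries Not Yet Activated",
    "never_logged_in": "Entries Never Logged in",
}


def get_attr(entry, name):
    """Case-insensitive single-value lookup: LDAP attribute names are not case
    sensitive (the tool's own output spells LoginDisabled and lockedByIntruder)."""
    wanted = name.lower()
    for key, value in entry.items():
        if key.lower() == wanted:
            return value
    return None


def parse_gentime(value):
    """eDirectory time attributes are LDAP Generalized Time in UTC, e.g.
    20090618002926Z. Returns None when the attribute is absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_true(entry, name):
    # eDirectory boolean syntax renders as TRUE/FALSE; an absent attribute counts as FALSE.
    return str(get_attr(entry, name) or "FALSE").upper() == "TRUE"


def account_status(entry, now):
    """Evaluate one entry against the conditions the counters describe."""
    login_exp = parse_gentime(get_attr(entry, "loginExpirationTime"))
    pwd_exp = parse_gentime(get_attr(entry, "passwordExpirationTime"))
    activation = parse_gentime(get_attr(entry, "loginActivationTime"))
    return {
        "login_disabled": is_true(entry, "loginDisabled"),
        "locked_by_intruder": is_true(entry, "lockedByIntruder"),
        "login_expired": login_exp is not None and login_exp <= now,
        "password_expired": pwd_exp is not None and pwd_exp <= now,
        "not_yet_activated": activation is not None and activation > now,
        "never_logged_in": get_attr(entry, "loginTime") is None,
    }


def count_statuses(entries, now):
    counters = {"total": len(entries), **{k: 0 for k in STATUS_KEYS}}
    for entry in entries:
        for key, hit in account_status(entry, now).items():
            counters[key] += int(hit)
    return counters


def format_counters(counters):
    """Render the counters in the same layout the tool uses."""
    lines = [f"**** There were {counters['total']} total entries ****"]
    lines += [f"   {LABELS[k]}: {counters[k]}" for k in STATUS_KEYS]
    return "\n".join(lines)


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    {"dn": "cn=geoffc,ou=people,dc=willeke,dc=com",
     "LoginDisabled": "FALSE", "lockedByIntruder": "FALSE", "loginTime": "20090618002926Z"},
    {"dn": "cn=disabled1,ou=people,dc=willeke,dc=com",
     "loginDisabled": "TRUE", "loginTime": "20090101120000Z"},
    {"dn": "cn=bruteforced,ou=people,dc=willeke,dc=com",
     "lockedByIntruder": "TRUE", "loginTime": "20090905231500Z"},
    {"dn": "cn=contractor,ou=people,dc=willeke,dc=com",
     "loginExpirationTime": "20090801000000Z", "passwordExpirationTime": "20090701000000Z",
     "loginTime": "20090730080000Z"},
    {"dn": "cn=newhire,ou=people,dc=willeke,dc=com",
     "loginActivationTime": "20091001000000Z"},
    {"dn": "cn=dormant,ou=people,dc=willeke,dc=com"},
]
# Fixed clock (the page's version stamp) so the sample evaluates the same every run.
NOW = datetime(2009, 9, 6, 10, 33, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(format_counters(count_statuses(SAMPLE_ENTRIES, NOW)))
```

Note that "never logged in" is inferred from a missing loginTime, which is what the tool's "User has not Logged in to system" message also keys on; an entry that was created and immediately disabled still counts as never logged in.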


Typical Output#

This is typical output for one entry when the -L (LDIF) is not specified:
dn: cn=geoffc,ou=people,dc=willeke,dc=com
   Password: secretvalue
   Does Current password meet password policy assigned to user? true
   ===> Password Status <===
   ==> Universal Password <==
      Is UPwd Enabled:  true
      Is the UPwd history full:  false
      Does UPwd match NDSPwd:  true
      Does UPwd match SimplePwd:  false
      Is UPwd older than NDSPwd:  false
   ==> Simple Password <==
      Is Simple Password Set:  false
      Is Simple Password Clear Text:  false
      Does Simple Password match NDSPwd:  false
   ==> Account Status <==
      Is Entry Account Disabled: FALSE
      Is Account Intruder Locked: FALSE
      Login Time: 20090618002926Z

This is typical output to the LDIF file when -L (LDIF) is specified:

#  #########################################
#  Warning!  This is confidential information that MUST BE SECURED
#  #########################################
dn: cn=geoffc,ou=people,dc=willeke,dc=com
changetype: modify
replace: LoginDisabled
LoginDisabled: FALSE
replace: lockedByIntruder
lockedByIntruder: FALSE
replace: loginTime
loginTime: 20090618002926Z
add: userpassword
userpassword: secretvalue

The userpassword line is the clear-text Universal Password, so the file must be protected like one. Note also that a changetype: modify record with several mod-specs needs a line containing only `-` between them (RFC 2849); if your copy of the file lacks them, add them before replaying it with ldapmodify.

Detailed Help#

Dump Password Information Connections#

Detailed information on the GUI Dump Password Information Connections screen.

Dump Password Information Options#

Detailed information on the GUI Dump Password Information Options screen.

Dump Password Information Run#

Detailed information on the GUI Dump Password Information Run screen.

Dump Password Information Tool-Command Line Options#

Detailed information on the Dump Password Information Tool-Command Line Options.

Dump Password Information Tool-Advanced Topics#

Some information on Dump Password Information Tool-Advanced Topics

Dump Password Information Tool-Logging#

How to change the Dump Password Information Tool-Logging features.

Dump Password Information Tool-Trouble Shooting#

What to do if you have problems


We made some enhancements. Test them out and let us know your results.


We implemented a GUI version. The GUI version works well for smaller runs of 5,000 entries or fewer. With the default memory settings, putting more entries than that on the screen runs into memory consumption problems, so the command line works better for larger runs.

Extra Account Information#

We also added an option to obtain some additional account information.
    -E    If present, additional account information is provided - Default=false

This adds the following (typical) output. If not using LDIF:

   ==> Account Status <==
      Is Entry Account Disabled:  FALSE
      Is Account Intruder Locked:  FALSE
      Account Login Time:  20070618221653Z

If using LDIF:

   changetype: modify
   replace: LoginDisabled
   LoginDisabled: FALSE
   replace: lockedByIntruder
   lockedByIntruder: FALSE
   replace: loginTime
   loginTime: 20070618221653Z

  • "Is Entry Account Disabled" shows the value of the "LoginDisabled" Attribute
  • "Is Account Intruder Locked" shows ONLY the value of the "lockedByIntruder" attribute. WARNING: See locked By Intruder for details!
  • "Account Login Time" shows the value of the "loginTime" attribute or "User has not Logged in to system"

LDIF File#

Used together with the -L option, the -f option lets you provide a complete path (including the file name) to the LDIF output file.
   -f    Complete path to LDIF File for output - Default="dumppasswordinformation.ldif"
If -L is specified without -f, we write to "dumppasswordinformation.ldif" in the current directory.

eDirectory Versions#

We have tested against eDirectory 8.7.3.x and 8.8.x with Universal Password properly configured. Let us know if you have issues.


A SCOPE_SUB (subtree) search is performed for all operations.

Known Issues#

Let us know.


Special thanks to Geoffrey Carman for all his advice, testing and documentation work he has done. He has been very helpful.

Also see his excellent articles on Cool Solutions:

Thanks to all others that helped along the way.

Standard Disclaimer#

Copyright And Intellectual Property Information#

Java Versions And Running These Programs#

Permissions to read Universal Password#

Permissions to read Universal Password shows how to assign the rights on nspmPasswordPolicy that are needed to use the DumpEdirectoryPasswordInformationTool properly.

Download DumpPasswordInformation(info)#

Unzip into the directory of your choice; for GUI mode, run:
   java -jar DumpPasswordInformation.jar

To run from Command Line see: Dump Password Information Tool-Command Line Options

C# and Universal Password#

Ldapwiki put together some C# .NET code that performs the same functions; it is on GitHub at https://github.com/jwilleke/identity-projects/tree/master/dotnet

Cool Solutions#

This is one of the tools we have submitted to Cool Solutions.

More Information#

There might be more information for this subject on one of the following: