Dump Password Information Tool#
version 200909061033Novell's eDirectory Passwords infrastructure can be difficult to figure out. We needed a tool to debug various password policy and user entries regarding passwords.
The Dump Password Information Tool performs the following:
- Dumps the user's Universal Password values
- Dumps the information regarding the users Universal Password
- Dumps the information regarding the users Simple Password
- Dumps the information regarding the users NDS Password as it relates to the Universal Password
- Provides additional information as to the account status
Use Entirely at Your Own Risk
CISUS.COM nor anyone else is responsible if you use a tool or any information on this site and causes damages to anyone or anything! You are required to read Our Standard Disclaimer
WARNING Exposed password values#
This tool will Expose password values and may not be allowed by your organizations security policy or some of the many other agencies that protect our Information.WARNING TLS or SSL no keystore#
You MUST use SSL or TLS for this tool. However, SSL or TLS connections done with the Dump Password Information Tool will assume the SSL or TLS cert presented by the server is valid. No certificate Validation of the certificate presented by the LDAP server will be performed UNLESS you specify a KeyStore. We use our Fake Trust ManagerWe assumed that most of the work being performed would be on internal network that were protected.
You should not use this tool on an unsecured network; certainly specify a keystore if you do use a unsecured network.
The security issue could be presented if you can not be certain that the LDAP server you are using is the real server and has not been spoofed or compromised by a man-in-the-middle attack.
Novell Cool Solutions Tool Listing
#
Featured as a Novell Cool Solutions Tool Listing
NEW Features#
- A GUI can be used instead of the command-line version.
Counters#
When NOT outputing to an LDIF file, counters for various entry information are gathered.Typical output showing counters:
**** There were 394 total entries **** Entries with valid Universal Passwords: 37 Entries Insufficient Rights to Read: 13 Entries Universal<>NDS Passwords: 349 Entries with SimplePassword: 0 Entries no Password Policy Assigned: 0 Entries Password does not meet current Policy: 0 Entries Login Disabled: 2 Entries Locked-By-Intruder: 1 Entries Login Expired: 1 Entries Expired Passwords: 1 Entries Not Yet Activated: 1 Entries Never Logged in: 356
Explanation for Counters:
- Entries with valid Universal Passwords -- Entries that we could read the Universal Password
- Entries Insufficient Rights to Read -- Entries where the account used to run the tool does not have sufficient rights to evaluate Universal Password
- Entries Universal<>NDS Passwords -- Entries where the Universal Password does NOT match the NDS Password
- Entries with SimplePassword -- Entries with Simple Passwords
- Entries no Password Policy Assigned -- Entries where there was no password policy is assigned.
- Entries Password does not meet current Policy -- Entries where the password found, does not meet the current password policy assigned to the entry
- Entries Login Disabled -- Entries where the Account is Administratively Disabled.
- Entries Locked-By-Intruder -- Entries where the account is Locked-By-Intruder
- Entries Login Expired -- Entries where loginExpiationTime has been reached
- Entries Expired Passwords -- Entries where passwordExpirationTime has been reached
- Entries Not Yet Activated -- Entries where loginActivationTime has NOT been reached
- Entries Never Logged in -- Entries which have never logged into Tree.
Cautions#
- The GUI output screen may loose lines from the top.
- The debug log file may contain password values.
- WARNING TLS or SSL no keystore
Typical Output#
This is typical output for one entry when the -L (LDIF) is not specified:
dn: cn=geoffc,ou=people,dc=willeke,dc=com
Password: secretvalue
Does Current password meet password policy assigned to user? true
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: true
Is the UPwd history full: false
Does UPwd match NDSPwd: true
Does UPwd match SimplePwd: false
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: false
Is Simple Password Clear Text: false
Does Simple Password match NDSPwd: false
==> Account Status <==
Is Entry Account Disabled: FALSE
Is Account Intruder Locked: FALSE
Login Time: 20090618002926Z
This is typical output to the LDIF file when the -L (LDIF) is specified:
# ######################################### # Warning! This is confidential information that MUST BE SECURED # ######################################### dn: cn=geoffc,ou=people,dc=willeke,dc=com changetype: modify replace: LoginDisabled LoginDisabled: FALSE - replace: LoginDisabled LoginDisabled: FALSE - replace: loginTime loginTime: 20090618002926Z - add: userpassword userpassword: secretvalue
Detailed Help#
Dump Password Information Connections#
Detailed information on the GUI Dump Password Information Connections screen.Dump Password Information Options#
Detailed information on the GUI Dump Password Information Options screen.Dump Password Information Run#
Detailed information on the GUI Dump Password Information Run screen.Dump Password Information Tool-Command Line Options#
Detailed information on the Dump Password Information Tool-Command Line Options.Dump Password Information Tool-Advanced Topics#
Some information on Dump Password Information Tool-Advanced TopicsDump Password Information Tool-Logging#
How to change the Dump Password Information Tool-Logging features.Dump Password Information Tool-Trouble Shooting#
What to do if you have problemsUpdates#
We made some enhancements. Test it out and let us know your results
GUI#
We implemented a GUI version. The GUI version works well with smaller runs of 5,000 or less entries. Due to Memory consumption issues when using the default settings when more entries are put to the screen, the command-line will work better.Extra Account Information#
We also added an option to obtain some additional account information.
-E If present, True Additional account information is provided - Default=false
This will add the following (typical): If not using LDIF:
==> Account Status <== Is Entry Account Disabled: FALSE Is Account Intruder Locked FALSE Account Login Time: 20070618221653ZIf using LDIF:
changetype: modify replace: LoginDisabled LoginDisabled: FALSE - replace: lockedByIntruder lockedByIntruder: FALSE - replace: loginTime loginTime: 20070618221653Z
- "Is Entry Account Disabled" shows the value of the "LoginDisabled" Attribute
- "Is Account Intruder Locked" shows ONLY the value of the "lockedByIntruder" attribute. WARNING: See locked By Intruder for details!
- "Account Login Time" shows the value of the "loginTime" attribute or "User has not Logged in to system"
LDIF File#
Used with the -L option, we added the "-f" option so you can point provide a complete path (Include the file name) to an LDIF file.-f Complete path to LDIF File for output - Default="dumppasswordinformation.ldif"If the (-f) is not specified and the "-L" option is specified, we write to "dumppasswordinformation.ldif" in the current directory.
eDirectory Versions#
We have tested against 8.7.3.x and 8.8.x with Universal Password properly configured. Let us know if you have issue.Scopes#
A SCOPE_SUB search is performed on all operations.Known Issues#
Let us know.
Thanks#
Special thanks to Geoffrey Carman for all his advice, testing and documentation work he has done. He has been very helpful.Also see his excellent articles on Cool Solutions:
Thanks to all others that helped along the way.
Standard Disclaimer#
Copyright And Intellectual Property Information#
Java Versions And Running These Programs#
Permissions to read Universal Password#
Permissions to read Universal Password shows how to assign permissions to nspmPasswordPolicy to be able to properly use the DumpEdirectoryPasswordInformationToolDownload DumpPasswordInformation#
Un-zip into the directory of your choice and for GUI mode Run:java -jar DumpPasswordInformation.jar
To run from Command Line see: Dump Password Information Tool-Command Line Options
C# and Universal Password#
LDAPWiki put together some C# DOTNET code to be able to perform these functions and it is on GitHub at https://github.com/jwilleke/identity-projects/tree/master/dotnet
Cool Solutions#
This is one of the tools we have submitted to Cool Solutions.
More Information#
There might be more information for this subject on one of the following:Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!