This page (revision-47) was last changed on 05-May-2010 13:10 by jim  

This page was created on 24-May-2008 14:25 by jim

!!!Dump Password Information Tool
 version 200909061033\\
[Novell's eDirectory Passwords|EdirectoryPasswords] infrastructure can be difficult to figure out. We needed a tool to debug various password policy and user entries regarding passwords.

The Dump Password Information Tool performs the following:
* Dumps the user's Universal Password values
* Dumps the information regarding the user's Universal Password
* Dumps the information regarding the user's Simple Password
* Dumps the information regarding the user's NDS Password as it relates to the Universal Password
* Provides additional information as to the account status

!!!WARNING Exposed password values
This tool will expose password values and may not be allowed by your organization's security policy or by some of the many other [agencies that protect our Information|IDM Related Compliance Items].

!!!WARNING TLS or SSL with no keystore
You MUST use SSL or TLS for this tool. However, SSL or TLS connections made by the Dump Password Information Tool assume the SSL or TLS certificate presented by the server is valid: no validation of the certificate presented by the LDAP server is performed UNLESS you specify a KeyStore. Without a KeyStore we use our [Fake Trust Manager].

We assumed that most of the work being performed would be on internal networks that are protected.

__You should not use this tool on an unsecured network; if you do use an unsecured network, certainly specify a keystore.__

The security issue arises if you cannot be certain that the LDAP server you are connecting to is the real server and has not been spoofed or compromised by a man-in-the-middle attack.

!!! USE AT YOUR OWN RISK!
Neither we nor anyone else is responsible if you use this tool and it causes damage to anything.

[Standard Disclaimer|StandardDisclaimer]

!!!NEW Features
* A GUI can be used instead of the command-line version.

!!Counters
When NOT outputting to an LDIF file, counters for various entry information are gathered.

Typical output showing counters:
{{{
**** There were 394 total entries ****
  Entries with valid Universal Passwords: 37
  Entries Insufficient Rights to Read: 13
  Entries Universal<>NDS Passwords: 349
  Entries with SimplePassword: 0
  Entries no Password Policy Assigned: 0
  Entries Password does not meet current Policy: 0
  Entries Login Disabled: 2
  Entries Locked-By-Intruder: 1
  Entries Login Expired: 1
  Entries Expired Passwords: 1
  Entries Not Yet Activated: 1
  Entries Never Logged in: 356
}}}

Explanation for Counters:
* Entries with valid Universal Passwords -- Entries whose Universal Password we could read
* Entries Insufficient Rights to Read -- Entries where the account used to run the tool does not have sufficient rights to evaluate the Universal Password
* Entries Universal<>NDS Passwords -- Entries where the Universal Password does NOT match the NDS Password
* Entries with SimplePassword -- Entries that have a Simple Password
* Entries no Password Policy Assigned -- Entries where no password policy is assigned
* Entries Password does not meet current Policy -- Entries where the password found does not meet the password policy currently assigned to the entry
* Entries Login Disabled -- Entries where the account is administratively disabled
* Entries Locked-By-Intruder -- Entries where the account is Locked-By-Intruder
* Entries Login Expired -- Entries where loginExpirationTime has been reached
* Entries Expired Passwords -- Entries where passwordExpirationTime has been reached
* Entries Not Yet Activated -- Entries where loginActivationTime has NOT been reached
* Entries Never Logged in -- Entries which have never logged into the Tree


!!Cautions
* The GUI output screen may lose lines from the top.

!!!Typical Output
This is typical output for one entry when the -L (LDIF) option is not specified:
{{{
dn: cn=geoffc,ou=people,dc=willeke,dc=com
  Password: secretvalue
  Does Current password meet password policy assigned to user? true
  ===> Password Status <===
  ==> Universal Password <==
     Is UPwd Enabled:  true
     Is the UPwd history full:  false
     Does UPwd match NDSPwd:  true
     Does UPwd match SimplePwd:  false
     Is UPwd older than NDSPwd:  false
  ==> Simple Password <==
     Is Simple Password Set:  false
     Is Simple Password Clear Text:  false
     Does Simple Password match NDSPwd:  false
  ==> Account Status <==
     Is Entry Account Disabled: FALSE
     Is Account Intruder Locked: FALSE
     Login Time: 20090618002926Z
}}}
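As an added example (not the tool's own code), the following Python parses the non-LDIF per-entry report shown above and recomputes the categories listed in the Counters section; the report text inside it is constructed, and the label matching assumes the field names appear exactly as in the sample output.

```python
# Added example, not part of the Dump Password Information Tool: parse its
# non-LDIF report and recompute the summary counters.  SAMPLE is constructed.
from collections import Counter
SAMPLE = """\
dn: cn=geoffc,ou=people,dc=willeke,dc=com
  Password: secretvalue
  Does Current password meet password policy assigned to user? true
  ==> Universal Password <==
     Does UPwd match NDSPwd:  true
     Is Simple Password Set:  false
     Is Entry Account Disabled: FALSE
     Login Time: 20090618002926Z
dn: cn=jdoe,ou=people,dc=willeke,dc=com
  Does Current password meet password policy assigned to user? false
     Does UPwd match NDSPwd:  false
     Is Simple Password Set:  true
     Is Entry Account Disabled: TRUE
     Is Account Intruder Locked: TRUE
     Login Time: User has not Logged in to system
"""

def parse_entries(text):
    """One dict per 'dn:' block; banners skipped; clear-text Password NOT kept."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith("dn:"):
            cur = {"dn": line[3:].strip()}
            entries.append(cur)
            continue
        label, _, value = line.partition("?" if "?" in line else ":")
        if cur is not None and label.strip() != "Password":
            cur[label.strip()] = value.strip()
    return entries

def count_entries(entries):
    # Same categories as the tool's Counters output; a missing field counts as false.
    c = Counter(total=len(entries))
    t = lambda e, k: e.get(k, "").lower() == "true"
    for e in entries:
        c["Universal<>NDS Passwords"] += not t(e, "Does UPwd match NDSPwd")
        c["Password does not meet current Policy"] += not t(
            e, "Does Current password meet password policy assigned to user")
        c["with SimplePassword"] += t(e, "Is Simple Password Set")
        c["Login Disabled"] += t(e, "Is Entry Account Disabled")
        c["Locked-By-Intruder"] += t(e, "Is Account Intruder Locked")
        c["Never Logged in"] += e.get("Login Time", "").startswith("User has not")
    return c
```

The parser deliberately drops the clear-text Password line, so the tally can be shared without the secrets the report contains.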

This is typical output to the LDIF file when the -L (LDIF) option is specified:
{{{
#  #########################################
#  Warning!  This is confidential information that MUST BE SECURED
#  #########################################
dn: cn=geoffc,ou=people,dc=willeke,dc=com
changetype: modify
replace: LoginDisabled
LoginDisabled: FALSE
-
replace: lockedByIntruder
lockedByIntruder: FALSE
-
replace: loginTime
loginTime: 20090618002926Z
-
add: userpassword
userpassword: secretvalue
}}}


!!! Detailed Help
!![Dump Password Information Connections]
!![Dump Password Information Options]
!![Dump Password Information Run]
!![Dump Password Information Tool-Command Line Options]
!![Dump Password Information Tool-Advanced Topics]
!![Dump Password Information Tool-Logging]
!![Dump Password Information Tool-Trouble Shooting]

!!!Updates
We made some enhancements. Test it out and let [us know your results|mailto:info@willeke?subject=(ldapwiki) Dump Password Information Tool]



!GUI
We implemented a GUI version. The GUI version works well with smaller runs of 5,000 or fewer entries. When more entries are written to the screen, memory consumption becomes an issue with the default settings, so the command-line version will work better.


!!Extra Account Information
We also added an option to obtain some additional account information.
{{{
   -E    If present, True Additional account information is provided - Default=false
}}}

This will add the following (typical):
If not using LDIF:
{{{
  ==> Account Status <==
Is Entry Account Disabled:  FALSE
Is Account Intruder Locked:  FALSE
Account Login Time:  20070618221653Z
}}}
If using LDIF:
{{{
  changetype: modify
  replace: LoginDisabled
  LoginDisabled: FALSE
  -
  replace: lockedByIntruder
  lockedByIntruder: FALSE
  -
  replace: loginTime
  loginTime: 20070618221653Z
}}}

* "Is Entry Account Disabled" shows the value of the "LoginDisabled" Attribute
* "Is Account Intruder Locked" shows ONLY the value of the "lockedByIntruder" attribute. __WARNING__:  See [locked By Intruder] for details!
* "Account Login Time" shows the value of the "loginTime" attribute or "User has not Logged in to system"

!!LDIF File
Used with the -L option, the "-f" option lets you provide a complete path (including the file name) to an LDIF file.
{{{
  -f    Complete path to LDIF File for output - Default="dumppasswordinformation.ldif"
}}}
If the (-f) is not specified and the "-L" option is specified, we write to "dumppasswordinformation.ldif" in the current directory.

!!eDirectory Versions
We have tested against 8.7.3.x and 8.8.x with Universal Password properly configured. Let us know if you have issues.

!!Scopes
A SCOPE_SUB search is performed on all operations.

!!Known Issues
[Let us know.|mailto:info@willeke?subject=(ldapwiki) Dump Password Information Tool]

!!!Thanks
Special thanks to Geoffrey Carman for all his advice, testing and documentation work he has done. He has been very helpful.

Also see his excellent articles on Cool Solutions:
* [Examples of Jim Willeke's Dump UP Tool|http://www.novell.com/communities/node/8445/examples-jim-willekes-dump-tool]
* [All of his many fine Articles|http://www.novell.com/communities/user/555/track]

Thanks to all others that helped along the way.

!![Standard Disclaimer|StandardDisclaimer]

!![Copyright And Intellectual Property Information|CopyrightAndIntellectualPropertyPage]

!![Java Versions And Running These Programs|JavaVersionsAndRunningPrograms]

!!![Download DumpPasswordInformation|dumpup.zip]
Un-zip into the directory of your choice and for GUI mode Run:
{{{
  java -jar DumpPasswordInformation.jar
}}}

To run from Command Line see: [Dump Password Information Tool-Command Line Options]