Dump Password Information Tool#version 200909061033
Novell's eDirectory Passwords infrastructure can be difficult to figure out. We needed a tool to debug various password policy and user entries regarding passwords.
The Dump Password Information Tool performs the following:
- Dumps the user's Universal Password values
- Dumps the information regarding the users Universal Password
- Dumps the information regarding the users Simple Password
- Dumps the information regarding the users NDS Password as it relates to the Universal Password
- Provides additional information as to the account status
WARNING Exposed password values#This tool will Expose password values and may not be allowed by your organizations security policy or some of the many other agencies that protect our Information. Fake Trust Manager
We assumed that most of the work being performed would be on internal network that were protected.
You should not use this tool on an unsecured network; certainly specify a keystore if you do use a unsecured network.
The security issue could be presented if you can not be certain that the LDAP server you are using is the real server and has not been spoofed or compromised by a man-in-the-middle attack.Novell Cool Solutions Tool Listing
- A GUI can be used instead of the command-line version.
Counters#When NOT outputing to an LDIF file, counters for various entry information are gathered.
Typical output showing counters:
**** There were 394 total entries **** Entries with valid Universal Passwords: 37 Entries Insufficient Rights to Read: 13 Entries Universal<>NDS Passwords: 349 Entries with SimplePassword: 0 Entries no Password Policy Assigned: 0 Entries Password does not meet current Policy: 0 Entries Login Disabled: 2 Entries Locked-By-Intruder: 1 Entries Login Expired: 1 Entries Expired Passwords: 1 Entries Not Yet Activated: 1 Entries Never Logged in: 356
Explanation for Counters:
- Entries with valid Universal Passwords -- Entries that we could read the Universal Password
- Entries Insufficient Rights to Read -- Entries where the account used to run the tool does not have sufficient rights to evaluate Universal Password
- Entries Universal<>NDS Passwords -- Entries where the Universal Password does NOT match the NDS Password
- Entries with SimplePassword -- Entries with Simple Passwords
- Entries no Password Policy Assigned -- Entries where there was no password policy is assigned.
- Entries Password does not meet current Policy -- Entries where the password found, does not meet the current password policy assigned to the entry
- Entries Login Disabled -- Entries where the Account is Administratively Disabled.
- Entries Locked-By-Intruder -- Entries where the account is Locked-By-Intruder
- Entries Login Expired -- Entries where loginExpiationTime has been reached
- Entries Expired Passwords -- Entries where passwordExpirationTime has been reached
- Entries Not Yet Activated -- Entries where loginActivationTime has NOT been reached
- Entries Never Logged in -- Entries which have never logged into Tree.
- The GUI output screen may loose lines from the top.
- The debug log file may contain password values.
- WARNING TLS or SSL no keystore
Typical Output#This is typical output for one entry when the -L (LDIF) is not specified:
dn: cn=geoffc,ou=people,dc=willeke,dc=com Password: secretvalue Does Current password meet password policy assigned to user? true ===> Password Status <=== ==> Universal Password <== Is UPwd Enabled: true Is the UPwd history full: false Does UPwd match NDSPwd: true Does UPwd match SimplePwd: false Is UPwd older than NDSPwd: false ==> Simple Password <== Is Simple Password Set: false Is Simple Password Clear Text: false Does Simple Password match NDSPwd: false ==> Account Status <== Is Entry Account Disabled: FALSE Is Account Intruder Locked: FALSE Login Time: 20090618002926Z
This is typical output to the LDIF file when the -L (LDIF) is specified:
# ######################################### # Warning! This is confidential information that MUST BE SECURED # ######################################### dn: cn=geoffc,ou=people,dc=willeke,dc=com changetype: modify replace: LoginDisabled LoginDisabled: FALSE - replace: LoginDisabled LoginDisabled: FALSE - replace: loginTime loginTime: 20090618002926Z - add: userpassword userpassword: secretvalue
Detailed Help#Dump Password Information Connections screen. Dump Password Information Options screen. Dump Password Information Run screen. Dump Password Information Tool-Command Line Options. Dump Password Information Tool-Advanced Topics Dump Password Information Tool-Logging features. have problems
Updates#We made some enhancements. Test it out and let us know your results
GUI#We implemented a GUI version. The GUI version works well with smaller runs of 5,000 or less entries. Due to Memory consumption issues when using the default settings when more entries are put to the screen, the command-line will work better.
Extra Account Information#We also added an option to obtain some additional account information.
-E If present, True Additional account information is provided - Default=false
This will add the following (typical): If not using LDIF:
==> Account Status <== Is Entry Account Disabled: FALSE Is Account Intruder Locked FALSE Account Login Time: 20070618221653ZIf using LDIF:
changetype: modify replace: LoginDisabled LoginDisabled: FALSE - replace: lockedByIntruder lockedByIntruder: FALSE - replace: loginTime loginTime: 20070618221653Z
- "Is Entry Account Disabled" shows the value of the "LoginDisabled" Attribute
- "Is Account Intruder Locked" shows ONLY the value of the "lockedByIntruder" attribute. WARNING: See locked By Intruder for details!
- "Account Login Time" shows the value of the "loginTime" attribute or "User has not Logged in to system"
LDIF File#Used with the -L option, we added the "-f" option so you can point provide a complete path (Include the file name) to an LDIF file.
-f Complete path to LDIF File for output - Default="dumppasswordinformation.ldif"If the (-f) is not specified and the "-L" option is specified, we write to "dumppasswordinformation.ldif" in the current directory.
eDirectory Versions#We have tested against 8.7.3.x and 8.8.x with Universal Password properly configured. Let us know if you have issue.
Scopes#A SCOPE_SUB search is performed on all operations.
Known Issues#Let us know.
Thanks#Special thanks to Geoffrey Carman for all his advice, testing and documentation work he has done. He has been very helpful.
Also see his excellent articles on Cool Solutions:
Thanks to all others that helped along the way.Permissions to read Universal Password shows how to assign permissions to nspmPasswordPolicy to be able to properly use the DumpEdirectoryPasswordInformationTool
java -jar DumpPasswordInformation.jar
To run from Command Line see: Dump Password Information Tool-Command Line OptionsCool Solutions.