Introduction:
Scriptability is a basic expectation of enterprise software like eDirectory, especially for its command line utilities, so that they can be integrated with other tools.
In this article, we describe enhancements made to a couple of eDirectory utilities in eDirectory 8.8.5 for better scriptability. The eDirectory configuration utility, ndsconfig, and the health check utility, ndscheck, were enhanced to support obfuscated passwords. These utilities have the command line option '-w <password>' to pass the userDN password in clear text on the command line. On UNIX platforms, while a command is running with this option, anybody can read the password using the 'ps' command, because the password is passed in clear text.
Refer to the screen shots below:
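The exposure described above can be audited from a process listing. The following is an added example, not part of the original article: it scans 'ps -eo pid,user,args' output for ndscheck or ndsconfig processes started with '-w' and reports them without echoing the password. The function names, the sample listing and the /example/bin path are constructed for illustration.

```shell
#!/bin/sh
# Flag ndscheck/ndsconfig processes that carry the clear-text '-w <password>'
# option. Live use: ps -eo pid,user,args | find_cleartext_pw

# Constructed sample listing (not captured from a real system).
sample_ps() {
cat <<'EOF'
  PID USER     COMMAND
 4121 root     ndsconfig new -t myTree -n o=myOrganisation -a cn=admin.o=myOrganisation -w ExamplePw1
 4188 root     /example/bin/ndscheck -h localhost -a admin.novell -W /root/edir-pass.txt
 4203 backup   ndscheck -h localhost -a admin.novell -w ExamplePw2 -F /tmp/check.log
 4250 root     grep -w ndscheck /var/log/messages
EOF
}

# Reads a listing on stdin, prints "PID USER UTILITY -w <redacted>" per hit.
find_cleartext_pw() {
    awk '
    NR == 1 && $1 == "PID" { next }          # skip the ps header
    {
        n = split($3, parts, "/")            # basename of argv[0]
        util = parts[n]
        if (util != "ndscheck" && util != "ndsconfig") next
        for (i = 4; i < NF; i++)             # -w must be followed by a value
            if ($i == "-w") {                # case-sensitive: -W is not flagged
                print $1, $2, util, "-w <redacted>"
                next
            }
    }'
}

sample_ps | find_cleartext_pw
```

The 'grep -w' line in the sample shows why the check keys on the utility name in argv[0] rather than on '-w' alone.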
Enhancements:
With eDirectory 8.8.5, the following enhancements were made to improve security by providing options to obfuscate the password and pass it through a file. This makes it difficult to crack the password.
Changes to ndscheck utility:
The ndscheck utility was enhanced to provide an option to write the obfuscated password to a file. The new command line option '-O <obfuscated_passwd.txt>' obfuscates the entered password and stores it in a file. The password can be passed to ndscheck either with the command line option '-w <password>' or through the password prompt.
ndscheck has also been enhanced with another option, '-W <obfuscated_passwd.txt>', to accept the obfuscated password for the login user passed with the option '-a adminDN'.
The obfuscated password file is created with read and write permission for the owner only (600) on UNIX platforms. Because ndscheck is a cross-platform utility, this feature is available on all platforms.
Command syntax:
ndscheck [-h hostname | ip] [-a admin FDN] [-w password] [-F log file] [--config-file path_to_nds.conf]
ndscheck [ [-O <file_name>] | [-W <file_name>] ]
New options -
-O <file_name> - Obfuscate the given password and store the result in <file_name>.
-W <file_name> - Use the obfuscated password from the <file_name> to login.
Changes to ndsconfig utility:
A new command line option '-W <obfuscated_passwd.txt>' is added to 'ndsconfig' to accept an obfuscated password as input on the command line for the userDN. Please note that the obfuscated password file needs to be generated using the ndscheck utility as described above.
Command syntax:
ndsconfig <new | add | upgrade | rm> [-t <treeName>] [-n <serverDN>] [-a <userDN>] [-w <password>]....
New options -
-W <file_name> - Use the obfuscated password from the <file_name> to login.
Example:
Create an obfuscated password for the eDirectory admin using ndscheck.
# ndscheck -O $HOME/edir-pass.txt
Refer to the screen shot below:
To install and configure eDirectory, execute the following command:
# ndsconfig new -t myTree -n o=myOrganisation -a cn=admin.o=myOrganisation -W $HOME/edir-pass.txt
Refer to the screen shots below:
To perform an eDirectory health check, execute the following command:
# ndscheck -h localhost -a admin.novell -W $HOME/edir-pass.txt
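When the health check above runs unattended, the file given to '-W' stands in for the password, so a script should confirm it still has the owner-only (600) permissions that ndscheck -O created it with. The following preflight is an added example, not part of the original article or of eDirectory; the function name check_pw_file and the PW_FILE variable are hypothetical.

```shell
#!/bin/sh
# Refuse to use an obfuscated password file unless it is a regular file,
# not a symlink, mode 600, and owned by the user running the script.
check_pw_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2
        return 1
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner id.
    set -- $(ls -ldn -- "$f")
    case $1 in
        -rw-------*) ;;                      # 600 (a trailing ACL marker is allowed)
        *) echo "mode $1 is not 600: $f" >&2; return 1 ;;
    esac
    if [ "$3" != "$(id -u)" ]; then
        echo "owner uid $3 is not the current user: $f" >&2
        return 1
    fi
    return 0
}

# Run the health check from the article only if the preflight passes.
# The step is skipped on hosts where ndscheck is not installed.
PW_FILE=${PW_FILE:-$HOME/edir-pass.txt}
if command -v ndscheck >/dev/null 2>&1 && check_pw_file "$PW_FILE"; then
    ndscheck -h localhost -a admin.novell -W "$PW_FILE"
fi
```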
References:
- The man pages of ndscheck and ndsconfig utilities.
- eDirectory admin guide @ http://www.novell.com/documentation/edir88/edir88/?page=/documentation/edir88/edir88/data/ai0w1fp.html#ai0w1fp
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
great - needed for ndsbackup too
Submitted by zerfowski on 6 January 2010 - 4:51am.
The -O and -W options are very helpful!
Are there any plans to add the same options for ndsbackup too?
I think many administrators would appreciate that.
Thanks. I've forwarded this
Submitted by kprajesh on 6 January 2010 - 10:36am.
Thanks.
I've forwarded this request to the eDirectory team manager.
Secured Password Option for the eDirectory Utility ndsbackup
Submitted by sashwin on 5 February 2010 - 11:44pm.
Administrators/customers can use the ndspassstore mechanism for storing the password.
Storing the password using ndspassstore is a much more secure (NICI is used) and easier way to handle the automation of ndsbackup.
Here is the AppNote/Cool Solution link for the above:
http://www.novell.com/communities/node/9561/secure...
Update to edir 8.8. SP6: no -W option
Submitted by fcordes on 7 June 2011 - 3:42am.
We updated to OES2 SP3 and this option does not work any more. There is no way to give the password in non-clear-text mode.