Delimited Text Driver for Exporting Passwords from eDirectory to a File
Novell Cool Solutions: Feature
By Aaron Burgemeister
Digg This -
Posted: 7 Feb 2007
Note: Please read the following disclaimer paragraphs before you use this solution.
"Setting up this driver may be against your organization's security policy. Having passwords exported in a cleartext form means that the difficulty for somebody to steal that file AND get passwords drops significantly. eDirectory and its corresponding applications all encrypt passwords whenever they are stored with industry-standard encryption. This driver configuration has no such protection built in, though adding it could be an option. Do not use this driver unless you are sure of what you are doing and what your organization will do to you for doing it."
"Also, this driver cannot be used unless it has admin rights, so use of this driver assumes you either gave the driver rights or managed to get an admin to do so. Passwords cannot be randomly exported by users who happen to be able to create a driver, any more than a random user can get passwords via any other mechanism. Most tools that interact with eDirectory cannot get the password regardless of rights, but a combination of rights and IDM provides this functionality. IDM cannot be installed without admin rights to the server installed, and a server cannot be installed without admin rights to a tree."
Delimited Text Driver
The attached file is for a Delimited Text driver to export passwords from eDirectory to a file. The export takes place as users change their passwords (if the driver is running at the time, otherwise as soon as the driver is running again) or whenever a migrate of the user objects takes place. Requirements for this driver include using Universal Password for the user object and having the Distribution Password set properly in eDirectory.
Using the Driver
The steps to use this driver are as follows:
1. Import driver configuration into a new driver object.
2. Give the driver rights to see passwords (admin rights) to any objects which should be exported.
3. Reconfigure the input/output path of the CSV files created by the driver. These will be placed on the server where the driver shim is running. Using absolute paths will cause the least confusion.
4. Start the driver.
5. Change a user's password to a new value or migrate the user through the driver.
A new file should show up on the server where the driver shim is located, with the CN and Password in a comma-separated format. In cases where the password includes a comma, the entire password value will be wrapped with double-quotes.
If non-unique CNs will exist in the output, it may be desirable to add the DN of the user or some other unique attribute in order to know exactly which user is being reported.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com