Cool Solutions

Obfuscated Password Options of the eDirectory Utilities, ndsconfig and ndscheck



By:

December 28, 2009 10:22 am


Introduction:

Scriptability is one of the basic features expected of enterprise software such as eDirectory, especially of its command line utilities, so that they can be integrated with other tools.

In this article, we discuss enhancements made to two eDirectory utilities in eDirectory 8.8.5 for better scriptability. The eDirectory configuration utility, ndsconfig, and the health check utility, ndscheck, were enhanced to support obfuscated passwords. These utilities have the command line option ‘-w <password>’, which passes the userDN password in clear text on the command line. On UNIX platforms, while a command is running with this option, anybody can read the password with the ‘ps’ command, because the password is passed in clear text as a command line argument.

Refer to the screen shots below:

Enhancements:

With eDirectory 8.8.5, the following enhancements were made to improve security: the password can be obfuscated and passed through a file instead of on the command line. This makes the password more difficult to crack.

Changes to ndscheck utility:

The ndscheck utility was enhanced with an option to write the obfuscated password to a file. The new command line option ‘-O <obfuscated_passwd.txt>’ obfuscates the password that was entered and stores it in the given file. The password to obfuscate can be passed to ndscheck either with the command line option ‘-w <password>’ or through the password prompt.

ndscheck was also enhanced with another option, ‘-W <obfuscated_passwd.txt>’, which accepts the obfuscated password for the login user passed with the option ‘-a adminDN’.

The obfuscated password file is created with read and write permission for the owner only (600) on UNIX platforms. Because ndscheck is a cross-platform utility, this feature is available on all platforms.

Command syntax:

ndscheck [-h hostname | ip] [-a admin FDN] [-w password] [-F log file] [--config-file path_to_nds.conf]
ndscheck [ [-O <file_name>] | [-W <file_name>] ]

New options -

-O <file_name>   - Obfuscate the given password and store the result in <file_name>.
-W <file_name>   - Use the obfuscated password from <file_name> to log in.

Changes to ndsconfig utility:

A new command line option, ‘-W <obfuscated_passwd.txt>’, was added to ‘ndsconfig’ to accept an obfuscated password for the userDN on the command line. Please note that the obfuscated password file needs to be generated using the ndscheck utility as described above.

Command syntax:

ndsconfig <new | add | upgrade | rm> [-t <treeName>] [-n <serverDN>] [-a <userDN>] [-w <password>]....

New options -

-W <file_name>   - Use the obfuscated password from <file_name> to log in.

Example:

Create an obfuscated password for the eDirectory admin using ndscheck.

# ndscheck -O $HOME/edir-pass.txt

Refer to the screen shot below:

To install and configure eDirectory, execute the following command:

# ndsconfig new -t myTree -n o=myOrganisation -a cn=admin.o=myOrganisation -W $HOME/edir-pass.txt

Refer to the screen shots below:

To perform an eDirectory health check, execute the following command:

# ndscheck -h localhost -a admin.novell -W $HOME/edir-pass.txt
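
A pre-flight check for automation scripts that call these utilities, added here as an example (it is not part of the original article or of eDirectory). The function names are hypothetical; the check flags calls that still pass ‘-w’ and verifies that the obfuscated password file has the 600 mode described above.

```shell
#!/bin/sh
# Added example: function names are hypothetical; only the -w and -W
# options and the 600 file mode come from the article.

# Read a script on stdin and print the line numbers of ndscheck/ndsconfig
# calls that still pass the password in clear text with -w.
# The comparison is case-sensitive, so "-W <file>" is not flagged.
# Limitation: -w must be on the same line as the utility name.
find_cleartext_calls() {
    awk '
        /^[[:space:]]*#/ { next }              # ignore comment lines
        {
            tool = 0
            for (i = 1; i <= NF; i++) {
                n = split($i, p, "/")          # p[n] is the basename
                if (p[n] == "ndscheck" || p[n] == "ndsconfig")
                    tool = 1
                else if (tool && $i == "-w") { print NR; break }
            }
        }'
}

# Succeed only if the password file is a regular file (not a symlink)
# with owner read/write permission and nothing for group or other.
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# usage: preflight <script> <obfuscated_pw_file>
# Returns 1 if the script uses -w, 2 if the password file is not private.
preflight() {
    bad=$(find_cleartext_calls < "$1")
    if [ -n "$bad" ]; then
        echo "$1: clear-text -w on line(s): $(echo $bad)" >&2
        return 1
    fi
    pwfile_is_private "$2" || { echo "$2: mode is not 600" >&2; return 2; }
}
```

Run it before scheduling a job, for example: preflight /path/to/job.sh $HOME/edir-pass.txt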

References:

  1. The man pages of ndscheck and ndsconfig utilities.
  2. eDirectory admin guide @ http://www.novell.com/documentation/edir88/edir88/?page=/documentation/edir88/edir88/data/ai0w1fp.html#ai0w1fp

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

4 Comments

  1. By:zerfowski

    The -O and -W options are very helpful!
    Are there any plans to add the same options for ndsbackup too?
    I think many administrators would appreciate that.

  2. By:sashwin

    Administrators/customers can use the ndspassstore mechanism for storing the password.
    Storing the password using ndspassstore is much more secure (NICI is used) and an easier way to handle the automation of ndsbackup.
    Here is the AppNote/Cool Solution link for the above:
    http://www.novell.com/communities/node/9561/secured-password-option-edirectory-utility-ndsbackup

  3. By:fcordes

    We updated to OES2 SP3 and this option does not work any more. No way to give the password in non clear text mode.
