NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:       Universal Password Diagnostic Utility
TID #:       2970885
README FOR:  diagpwd1.exe

NOVELL PRODUCTS and VERSIONS:
  eDirectory 8.7.3
  Universal Password - SECWNN
  Universal Password - SECUN

ABSTRACT:
Diagpwd.exe is the Universal Password Diagnostic utility. It is a Windows
command line utility that can be run against a NetWare, Linux, Windows,
Solaris, AIX or HPUX server running NMAS 2.3.6 (23600411.30 - November 30,
2004) or later. DIAGPWD lets an administrator see which Universal Password
Policy is associated with a user and whether that user's Simple, NDS and
Universal Passwords are in sync.

-----------------------------------------------------------------
DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL.
NOVELL MAKES ALL REASONABLE EFFORTS TO VERIFY THIS INFORMATION. HOWEVER,
THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY.
NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS
INFORMATION.
-----------------------------------------------------------------

INSTALLATION INSTRUCTIONS:
DIAGPWD is installed by extracting DIAGPWD1.EXE to a directory on a Windows
workstation, for example C:\temp\diagpwd. DIAGPWD is then run from that
location.

DIAGPWD Usage:
Open a command prompt (Start | Run | Cmd), change to the directory that
contains diagpwd, then type diagpwd followed by the parameters below. The
parameter names in the usage line are lost from this copy of the README;
they are given here by what each one holds, in the order the examples below
use them (searchBase is the only name the original text still refers to).

diagpwd usage:
  diagpwd <LDAP server IP> <SSL port> <DER cert file> <searchBase> <scope> <admin DN> [<admin password>]

Note: You may also redirect the output to a file with >filename.txt, if the
password is supplied inline (otherwise the password prompt is redirected
too). A password supplied inline is visible in the command history and to
anyone who can list the process's command line, so prefer the prompt unless
the output must be captured.

  <LDAP server IP>  : IP address of the target LDAP server.
  <SSL port>        : The LDAP Secure port (SSL) of the target LDAP server
                      (typically 636).
  <DER cert file>   : DER encoded file of the Trusted Root Certificate for the
                      target LDAP server, used to validate the server's SSL
                      certificate. See the section below on "Exporting SSL
                      Certificate to a DER file".
  <searchBase>      : LDAP DN that specifies a container or an object.
                      If this parameter is a container DN, the password status
                      is shown for all objects in that container and its
                      subordinate containers (depending on the scope selected).
                      If it is a user DN, the password status is shown for that
                      user.
  <scope>           : base, one or sub.
  <admin DN>        : The LDAP DN, in comma format, of the administrator making
                      the request (example: cn=admin,o=novell).
  [<admin password>]: The password of the administrator given by <admin DN>.
                      This parameter is optional; if it is not included on the
                      command line the user is prompted for it.

Exporting SSL Certificate to a DER file

In iManager:
  iManager | eDirectory Administration | Modify Object | Browse to the
  Organizational CA object in the Security container | OK | Select the Self
  Signed Certificate tab | Export | Answer "No" to "Do you want to export the
  private key with the certificate?" | Next | Select an output format: "File
  in binary DER format" | Next | Click "Save the exported certificate to a
  file" and save it to the desired location. Verify that the file was saved
  with a name of the form certificate.der; if it was not, rename the file so
  that it ends in .der. Renaming only changes the extension: the export
  itself must have been made in binary DER format, not Base64, for diagpwd
  to read it.

In ConsoleOne:
  ConsoleOne | Browse to the Certificate Authority (CA) object in the
  cn=Security container | Open the CA object | Select the Certificates tab ->
  Self Signed Certificate | Select Export | Answer "No" to "Do you want to
  export the private key with the certificate?" | Next | Name the file, for
  example c:\RootCert.der | Next | Finish

Output of Diagpwd.exe:
The output first lists the user(s) and their password status, followed by the
Password Policies defined in the tree.

Explanation of Output:
Two password statuses are listed for each object: "Password Status" and
"Simple Password Status". If Universal Password is enabled for the user, the
"Password Status" reads "Enabled"; if the Universal Password is also set, it
reads "Set".
If the Simple Password is not in sync with the NDS and Universal Passwords,
"Simple Password Status" shows "Simple != NDS".

Examples:
  Password Status: Enabled, Set
  Simple Password Status: Set

  Password Status: Universal Password disabled
  Simple Password Status: Set, Simple != NDS

Search Examples:

Base Search example (searches only the base object specified in searchBase):

D:\>diagpwd 137.65.215.51 636 D:\utah.der cn=bberger,o=novell base cn=admin,o=novell
Password: *****
**********************************************************************
Object DN: cn=bberger,o=novell
EMail: bberger@novell.com
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
*********************************************************************
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Options: 0x254 (596)
  Universal Password disabled
  Advanced policy enabled
  Sync NDS
  Sync Simple disabled
  Synch external
  User readable
  Not admin readable
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
Options: 0x350 (848)
  Universal Password enabled
  Advanced policy enabled
  Sync NDS
  Sync Simple
  Synch external
  User readable
  Not admin readable
*********************************************************************

One Level Search Example (searches one level down from searchBase):

D:\>diagpwd 137.65.215.51 636 D:\utah.der o=novell one cn=admin,o=novell
Password: ******
*********************************************************************
Object DN: cn=admin,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=kfenn,o=novell
EMail: kfenn@novell.com
Password Status: Universal Password disabled
Simple Password Status: Set, Simple != NDS
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security

Object DN: cn=bberger,o=novell
EMail: bberger@novell.com
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=deni,o=novell
EMail: [NONE]
Password Status: Universal Password disabled
Simple Password Status: Not set
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security

Object DN: cn=jspencer,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
*********************************************************************
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Options: 0x254 (596)
  Universal Password disabled
  Advanced policy enabled
  Sync NDS
  Sync Simple disabled
  Synch external
  User readable
  Not admin readable
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
Options: 0x350 (848)
  Universal Password enabled
  Advanced policy enabled
  Sync NDS
  Sync Simple
  Synch external
  User readable
  Not admin readable
*********************************************************************

Sub Tree Search Example (caution: a sub tree search reads every object below
searchBase and may cause high utilization on the server):

D:\>diagpwd 137.65.215.51 636 d:\utah.der o=novell sub cn=admin,o=novell
Password: *****
**********************************************************************
Object DN: cn=admin,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=kfenn,o=novell
EMail: kfenn@novell.com
Password Status: Universal Password disabled
Simple Password Status: Set, Simple != NDS
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security

Object DN: cn=bberger,o=novell
EMail: bberger@novell.com
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=deni,o=novell
EMail: [NONE]
Password Status: Universal Password disabled
Simple Password Status: Not set
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security

Object DN: cn=jspencer,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=test1,ou=UP,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security

Object DN: cn=test2,ou=UP,o=novell
EMail: [NONE]
Password Status: Enabled, Not set
Simple Password Status: Not set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
*********************************************************************
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Options: 0x254 (596)
  Universal Password disabled
  Advanced policy enabled
  Sync NDS
  Sync Simple disabled
  Synch external
  User readable
  Not admin readable
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
Options: 0x350 (848)
  Universal Password enabled
  Advanced policy enabled
  Sync NDS
  Sync Simple
  Synch external
  User readable
  Not admin readable
*********************************************************************

For more information about troubleshooting Novell Branch Office 2.0, see
"Troubleshooting password issues on Branch Office 2.0" - TID10096650:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096650.htm

The DIAGPWD.EXE source code has been released and can be accessed at Novell's
Forge site:
http://forge.novell.com/modules/xfmod/cvs/cvsbrowse.php/nmas_ldapext/client/diagpwd

ISSUE:
DIAGPWD allows an administrator to view which Universal Password Policy is
associated with a user and whether the Simple, NDS and Universal Passwords
are synced.

For details on determining your NMAS version, see "NMAS Version Matrix" -
TID10088250:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10088250.htm

Self-Extracting File Name: diagpwd1.exe

Files Included        Size      Date         Time
..\
DIAGPWD1.TXT          (This file)
DIAGPWD.EXE           49152     3-1-2005     10:41:23 am
LDAPSDK.DLL           208896    10-7-2003    11:48:42 pm
NMASEXT.DLL           53248     11-30-2004   9:39:06 am

-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.
-----------------------------------------------------------------
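The "Exporting SSL Certificate to a DER file" section above warns that the trusted-root file must end in .der, but renaming a Base64 export does not turn it into the binary DER that diagpwd loads. The following check confirms that a would-be .der file really is binary DER with the outer shape of an X.509 Certificate. It is an added example for this README, not part of the diagpwd utility or its released source; the SAMPLE_DER bytes are constructed to have the right structure and are not a real Novell CA certificate.

```python
"""Check that a trusted-root file is binary DER (as diagpwd expects), not PEM/Base64.

Added example, not part of diagpwd. SAMPLE_DER below is constructed to have the
outer shape of a Certificate (SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING
sig }); it is not a real certificate.
"""
import base64
from pathlib import Path

SEQUENCE = 0x30
PEM_MARKER = b"-----BEGIN"


def _read_header(buf: bytes, offset: int):
    """Decode one DER tag/length header at offset.

    Returns (tag, header_length, content_length), or None if the bytes are not
    a well-formed DER header (indefinite or non-minimal lengths are BER, not
    DER, and do not occur in X.509 certificates).
    """
    if offset + 2 > len(buf):
        return None
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:                       # short form: the byte is the length
        return tag, 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        return None
    length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    if length < 0x80:                      # DER requires the shortest encoding
        return None
    return tag, 2 + n, length


def check_der_certificate(data: bytes):
    """Return (ok, reason) for the bytes of a would-be .der file."""
    if data.lstrip().startswith(PEM_MARKER):
        return False, "PEM/Base64 export; re-export as 'File in binary DER format'"
    outer = _read_header(data, 0)
    if outer is None or outer[0] != SEQUENCE:
        return False, "does not start with a DER SEQUENCE (0x30)"
    _, hdr_len, content_len = outer
    if hdr_len + content_len != len(data):
        return False, (f"outer SEQUENCE claims {content_len} content bytes but the "
                       f"file holds {len(data) - hdr_len}: truncated or not DER")
    inner = _read_header(data, hdr_len)
    if inner is None or inner[0] != SEQUENCE:
        return False, "first element is not a SEQUENCE (expected tbsCertificate)"
    return True, "binary DER with Certificate structure"


def check_der_file(path: str):
    """Convenience wrapper for a file on disk, e.g. D:\\utah.der."""
    return check_der_certificate(Path(path).read_bytes())


def _der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE with a correctly encoded length."""
    n = len(content)
    if n < 0x80:
        return bytes([SEQUENCE, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([SEQUENCE, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed samples. The tbs element is padded past 127 bytes so that both the
# short and the long length form are exercised.
SAMPLE_TBS = _der_sequence(b"\x02\x01\x02" + b"\x04\x81\xc8" + b"\x00" * 200)
SAMPLE_SIG_ALG = _der_sequence(b"\x06\x03\x2a\x03\x04")
SAMPLE_DER = _der_sequence(SAMPLE_TBS + SAMPLE_SIG_ALG + b"\x03\x02\x00\xff")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)          # what a "Base64" export renamed to .der looks like
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ok, reason = check_der_file(sys.argv[1])
    else:
        ok, reason = check_der_certificate(SAMPLE_DER)
    print(("OK: " if ok else "NOT DER: ") + reason)
```

Run it as `python checkder.py D:\utah.der` before the first diagpwd run; a PEM or Base64 export is reported with the export option to pick instead of a bare load failure.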
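On a one-level or sub tree search the output above runs to one record per object, and the states worth acting on (Universal Password disabled by policy, enabled but not yet set, Simple Password out of sync with NDS) are scattered through it. The following parser reads redirected diagpwd output and reports only the users that show one of those states. It is an added example for this README, not part of diagpwd; it assumes the output is laid out one field per line as the examples above read, with a line of asterisks separating the user records from the policy dump, and SAMPLE_OUTPUT is constructed from records shown in this TID.

```python
"""Parse diagpwd output and flag users whose passwords need attention.

Added example, not part of diagpwd. Assumes one field per line, a separator
line of asterisks before and after the user records, then the policy dump.
"""
import re
from dataclasses import dataclass

SEPARATOR = re.compile(r"^\*{10,}\s*$")


@dataclass
class UserStatus:
    dn: str
    email: str = ""
    password_status: str = ""
    simple_status: str = ""
    policy_dn: str = ""

    def findings(self) -> list:
        """States from the 'Explanation of Output' that an admin should follow up."""
        out = []
        if "Universal Password disabled" in self.password_status:
            out.append("Universal Password is disabled by the assigned policy")
        elif "Not set" in self.password_status:
            out.append("Universal Password is enabled by policy but not yet set")
        if "Simple != NDS" in self.simple_status:
            out.append("Simple Password is out of sync with the NDS password")
        return out


def parse_diagpwd(text: str) -> list:
    """Return one UserStatus per 'Object DN:' record in the user section."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            current = None            # a separator closes the user section, so the
            continue                  # policy dump's 'Password Policy DN:' lines are skipped
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Object DN":
            current = UserStatus(dn=value)
            users.append(current)
        elif current is None:
            continue                  # command echo, password prompt, or policy dump
        elif key == "EMail":
            current.email = "" if value == "[NONE]" else value
        elif key == "Password Status":
            current.password_status = value
        elif key == "Simple Password Status":
            current.simple_status = value
        elif key == "Password Policy DN":
            current.policy_dn = value
    return users


def audit(text: str) -> dict:
    """Map DN -> list of findings, for users that have any."""
    return {u.dn: u.findings() for u in parse_diagpwd(text) if u.findings()}


# Constructed from records shown in this TID (four of the sub tree search objects).
SAMPLE_OUTPUT = """\
D:\\>diagpwd 137.65.215.51 636 d:\\utah.der o=novell sub cn=admin,o=novell
Password: *****
**********************************************************************
Object DN: cn=admin,o=novell
EMail: [NONE]
Password Status: Enabled, Set
Simple Password Status: Set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
Object DN: cn=kfenn,o=novell
EMail: kfenn@novell.com
Password Status: Universal Password disabled
Simple Password Status: Set, Simple != NDS
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Object DN: cn=deni,o=novell
EMail: [NONE]
Password Status: Universal Password disabled
Simple Password Status: Not set
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Object DN: cn=test2,ou=UP,o=novell
EMail: [NONE]
Password Status: Enabled, Not set
Simple Password Status: Not set
Password Policy DN: cn=Universal Password Enabled,cn=Password Policies,cn=Security
*********************************************************************
Password Policy DN: cn=Universal Password Selected User Disable,cn=Password Policies,cn=Security
Options: 0x254 (596)
Universal Password disabled
Sync Simple disabled
*********************************************************************
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    for dn, problems in audit(text).items():
        print(dn)
        for problem in problems:
            print("  - " + problem)
```

Capture the tool's output with the password inline, as the Note in the usage section describes (diagpwd ... sub cn=admin,o=novell <password> > output.txt), then run `python auditpwd.py output.txt`. Users with no findings are not printed.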