NDSTree

Version PK-4.60
(Nov 22, 1998)


 DISCLAIMER:
     THIS  PRODUCT  IS  SUPPLIED  "AS  IS".  DREAMLAN 
     DISCLAIMS ALL WARRANTIES,  EXPRESSED OR IMPLIED,
     INCLUDING, WITHOUT  LIMITATION,  THE  WARRANTIES
     OF  MERCHANTABILITY   AND  OF  FITNESS  FOR  ANY
     PURPOSE.   DREAMLAN  ASSUMES  NO  LIABILITY  FOR
     DAMAGES,  DIRECT  OR  CONSEQUENTIAL,  WHICH  MAY
     RESULT FROM THE USE OF THIS PRODUCT.

Introduction

There may be times when you have wondered whether there are containers, users or other objects in your NDS tree that you are not aware of because an IRF (Inherited Rights Filter) blocks your view of them. NDSTree is designed to locate and identify those stealth objects.

NDSTree is made up of two programs: a DOS utility and an NLM. The NLM version lists all objects in your NDS tree regardless of whether an IRF blocks them from normal view. By comparing the output of the NLM version with that of the DOS version, you can easily locate and identify any stealth objects in your tree.

In v1.01, an additional security-checking feature was added. With the registered version, you can produce a report of which objects are Security Equal (SE) to other objects. This is useful in tracking down, for example, users that have Supervisor rights to Server objects: when a user is SE to a server object, the user is automatically granted Supervisor file system rights to ALL volumes on that server, and this file system right cannot be revoked using file system IRFs (because of the S file system right). There is also no easy way to find such a user using NETADMIN or NWAdmin. You can use NLIST to locate such objects, but the output is pretty "ugly".

This is a must-have tool for any NetWare 4 or NetWare 5 site that has multiple (NDS) network administrators, or for anyone serious about NDS security.


What's New


Notes

  1. NDSTree will display only the first 50 levels of an NDS tree. This should not be a problem as a properly and efficiently designed tree should have no more than about 10 levels, including [Root]. Because recursive code is used to create the tree map, it is possible you may run into an "out of stack" error (same with the NLM). Therefore, we recommend you run the NLM during non-production hours if you have a deep tree. Both the NDSTREE and NDSTREE2 have been tested with a tree-depth of 10 levels.

  2. NDSTREE2.NLM creates its data files at the root of the SYS: volume. The location cannot be changed.

  3. NDSTREE.EXE creates its data files in the default working directory of the workstation.

  4. NDSTREE2.NLM will always scan the tree starting from [Root].

  5. NDSTREE.EXE will always scan the tree starting from the workstation's current context.

  6. Any Unknown objects will be considered as a possible container.

  7. Aliased container objects are not shown without the -o option. When a container alias is shown, no objects are shown underneath it; you need to refer back to the original container object.

  8. Aliased user objects (and other leaf objects) are identified with the base class of the original object. For example, a user alias object will be identified as a user rather than as an alias.

  9. On a large tree, the output may be ugly!

  10. During testing, we have seen that the output of NDSTREE2.NLM screens is not fully sent to the RCONSOLE workstation, and that keystrokes from the RCONSOLE station do not reach NDSTREE2.NLM when the screen is paused. If this happens to you, use the server console directly. This is most likely caused by the keyboard polling loop used when a full screen of information is displayed (i.e. "Press any key to continue"). (This problem has been addressed in NDSTREE2.NLM v1.01.)

  11. NDSTREE2.NLM has not been fully tested on an SFT III server. If you need to use it, try it on the MSEngine.

  12. The use of NDSTREE2.NLM is keyed to the name of the NDS tree.

  13. There must be a free connection slot on the server for the utility to load.

  14. There must be a valid license (even a 2-user) installed on the server in order for the NLM to load correctly.

  15. In some rare cases, NDSTREE.EXE's colour routines seem to cause problems in DOS boxes on WinNT/WS (and perhaps in Win9x). If you encounter this problem, try the -X option (disable colour). However, NDSTREE.EXE is designed to be a pure DOS application, and it works well under 'real' DOS.


Installation

No special installation steps or program are needed. NDSTREE2.NLM should be copied along with its license file (NDSTREE2.LIC) to a directory. They do not need to be on a diskette, but both files must be in the same directory. NDSTREE.EXE should be copied to your SYS:PUBLIC directory. You must have the Unicode files for the country code and code page that your workstation uses available in the respective NLS directories, for example SYS:PUBLIC\NLS.

If you choose to place NDSTREE.EXE in a different directory, you may need a search map to SYS:PUBLIC\NLS in order for the application to find the Unicode files.


Usage

Both NDSTREE.EXE and NDSTREE2.NLM use the same command-line parameters, with the exception of -X and -Z, which are only available in NDSTREE.EXE. The syntax for these utilities is:

NDSTREE [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-x] [-?] [-Z]
LOAD NDSTREE2 [-a] [-c] [-m] [-o] [-r] [-s] [-t] [-?]

Starting with v4.5, the NLM has a menu interface, so you can start the NLM without any command-line options. (To turn off colour in the NLM version, use LOAD NDSTREE2 -M; this must be used alone, without any other options, so that you get the menu prompts. Otherwise it is interpreted as the match option.) The explanations of the options are as follows:

Except for -Z, none of the above parameters are case-sensitive.

If you encounter an error message similar to the following about fmod, ensure MATHLIB.NLM is loaded (it is not auto-loaded by the NLM):

Server-4.10-1586: Loader cannot find public symbol: fmod

Examples

1) Output from using "NDSTREE -s". It looks much like the output from a CX /T command:

NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN]
(Display NDS Tree Structure)
DreamLAN Network Consulting Ltd.
(c)Copyright 1995. All Rights Reserved.

                           Searching from context <DreamLAN> and below
NDS Tree Listing:

DreamLAN
+OU=NW4SG
   +OU=NW3SG

TotalContainer found = 3.
TotalObject    found = 3.

2) The following is the output from "NDSTREE -s -t", which identifies the object type of each lower-level object it found. CX cannot give you that information.

NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN]
(Display NDS Tree Structure)
DreamLAN Network Consulting Ltd.
(c)Copyright 1995. All Rights Reserved.

                           Searching from context <DreamLAN> and below
NDS Tree Listing:

DreamLAN
+OU=NW4SG (Org Unit)
   +OU=NW3SG (Org Unit)

TotalContainer found = 3.
TotalObject    found = 3.

3) The following output is generated using "NDSTREE -s -t -o" options:

NDSTREE Version MT-1.00 [s/n: DLAN951015r-DLAN]
(Display NDS Tree Structure)
DreamLAN Network Consulting Ltd.
(c)Copyright 1995. All Rights Reserved.

                           Searching from context <DreamLAN> and below
NDS Tree Listing:

DreamLAN
+CN=USER_TEMPLATE (User)
+CN=Peter (User)
+CN=Q1 (Queue)
+CN=PS-DreamLAN (Print Srv)
+CN=P1 (Printer)
+CN=Test2 (User)
+CN=Guest (User)
+CN=SDK (User)
+CN=aaa (User)
+OU=NW4SG (Org Unit)
|  +CN=Test Computer (Computer)
|  +CN=Test (User)
|  +CN=Test2 (User)
|  +OU=NW3SG (Org Unit)
|     +CN=Test (User)
|     +CN=Test3 (User)
+CN=print_q (Queue)
+CN=HP_LaserJet_II (Queue)
+CN=HP3_16S (Queue)
+CN=PS-DreamLAN-2 (Print Srv)
+CN=HP3-16th-South (Printer)
+CN=testing (User)
+CN=bbb (User)
+CN=Joe (User)
+CN=HelpDesk (User)
+CN=Ctal (User)
+CN=HelpDesk2 (User)
+CN=HelpDesk3 (Org Role)
+CN=HelpDesk4 (Group)
+CN=Peter2 (User)
+CN=newadmin (User)

TotalContainer found = 3.
TotalObject    found = 32.

Looking for Stealth Objects

You can use the following steps to see if you have any stealth objects in your NDS tree:

  1. Log in as Admin, as someone with Supervisor rights to [Root], or as someone with as many NDS rights as you can get.

  2. Set the workstation's context to [Root].

  3. Run NDSTREE.EXE with the following options:

    NDSTREE -s -t -o -r -m

    This searches the whole tree, shows all objects, identifies each object by its base class, and generates both a report file (NDSTREE.RPT) and a "match" file (NDSTREE.DAT). It is the match file that you use later. (The use of -t is optional, but it gives you additional information about the object type of each object.)

  4. Run the NDSTREE2 NLM as follows:

    LOAD NDSTREE2 -s -t -o -r -m

    This searches the whole tree, shows all objects, identifies each object by its base class, and generates both a report file (NDSTREE2.RPT) and a "match" file (NDSTREE2.DAT). It is the match file that you use later. These two files are placed at the root of the SYS: volume. (If you did not use the -t option to generate the NDSTREE.DAT file in Step 3, do not use -t here either.)

    NOTE: You must perform Step 4 on *every* server that holds a replica. At the very least, run it on all servers that hold Master replicas. REASON: the NLM has to tree-walk to other servers if the server it runs on does not hold a replica of part of your tree, and when the NLM tree-walks it will NOT see stealth objects in partitions located on other servers. Therefore you need to run the NLM on all servers that hold a replica; the easiest way is to run it on the servers holding the Masters (to reduce the number of servers you have to run it on).

  5. Copy each NDSTREE2.DAT to your workstation and combine all copies into a *single* file.

  6. Use the DOS SORT program (or any other of your choice) to sort the two .DAT files:

    SORT < NDSTREE.DAT > NDSTREE.1
    SORT < NDSTREE2.DAT > NDSTREE.2

    You should always sort the files, as the order of the objects returned by NDSTREE is sometimes different from that of NDSTREE2. This is the best way to ensure a smooth comparison.

  7. Use the supplied UNIQUE.EXE (or any other of your choice) to remove duplicate lines from the sorted NDSTREE2.DAT file (NDSTREE.2 in the example):

    UNIQUE -i NDSTREE.2 -o NDSTREE.2B

  8. Use a file compare utility such as DOS's FC to compare NDSTREE.1 and NDSTREE.2B. Any entries found in NDSTREE.2B but not in NDSTREE.1 can be considered stealth objects (unless they were created after you ran NDSTREE.EXE but before you ran NDSTREE2.NLM).

The following is a sample (edited for easier reading) output from FC, which shows there are four stealth objects:

ASCII differences between NDSTREE.1 and NDSTREE.2B


After line 117 in NDSTREE.1 insert line 118 from NDSTREE.2B
> CN=SU2.OU=Temp.O=DreamLAN (User)

After line 133 in NDSTREE.1 insert line 135 from NDSTREE.2B
> CN=USER_TEMPLATE.O=HideMe (User)

After line 147 in NDSTREE.1 insert line 150 from NDSTREE.2B
> O=HideMe.[Root] (Organization)

After line 170 in NDSTREE.1 insert line 174 from NDSTREE.2B
> OU=Temp.O=DreamLAN (Organizational Unit)
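The same comparison (Steps 5 to 8) carried out in Python rather than with SORT, UNIQUE and FC. This is an added example, not part of the NDSTree package; it assumes each .DAT line holds one distinguished name followed by the base class in parentheses, as in the FC sample above, and all listings in it are constructed.

```python
"""Steps 5-8 of the stealth-object hunt, replayed in Python instead of SORT/UNIQUE/FC."""

# Assumption: each .DAT line holds one distinguished name followed by the base
# class in parentheses, the format shown in the FC sample. All listings here
# are constructed for illustration, not real NDSTree output.

# NDSTREE.DAT: what the DOS client saw from [Root], i.e. the IRF-filtered view.
WORKSTATION_DAT = """\
O=DreamLAN.[Root] (Organization)
CN=Admin.O=DreamLAN (User)
OU=NW4SG.O=DreamLAN (Organizational Unit)
CN=Test.OU=NW4SG.O=DreamLAN (User)
"""

# NDSTREE2.DAT from two replica-holding servers; Step 5 combines them into one file.
# Objects held on both servers appear twice, which is what the UNIQUE step removes.
SERVER_DATS = [
    """\
O=DreamLAN.[Root] (Organization)
CN=Admin.O=DreamLAN (User)
OU=NW4SG.O=DreamLAN (Organizational Unit)
O=HideMe.[Root] (Organization)
CN=USER_TEMPLATE.O=HideMe (User)
""",
    """\
O=DreamLAN.[Root] (Organization)
OU=NW4SG.O=DreamLAN (Organizational Unit)
CN=Test.OU=NW4SG.O=DreamLAN (User)
OU=Temp.O=DreamLAN (Organizational Unit)
CN=SU2.OU=Temp.O=DreamLAN (User)
""",
]


def normalise(dat_text):
    """Steps 6 and 7: sort and drop duplicates, ignoring blank lines and stray whitespace."""
    return sorted({line.strip() for line in dat_text.splitlines() if line.strip()})


def stealth_objects(workstation_dat, server_dats):
    """Step 8: entries the NLM runs saw that the workstation run did not."""
    client_view = set(normalise(workstation_dat))
    server_view = normalise("\n".join(server_dats))   # Step 5: one combined file
    return [entry for entry in server_view if entry not in client_view]


if __name__ == "__main__":
    for entry in stealth_objects(WORKSTATION_DAT, SERVER_DATS):
        print("stealth:", entry)
```

As in the FC sample, the four entries reported are the objects under O=HideMe and OU=Temp that the workstation could not see; an object created between the two runs would show up here too, so check creation times before treating a hit as hidden.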


Configuration

The registered version of NDSTREE.EXE supports the -Z command-line parameter (which generates a Security Equals report) and the -M command-line parameter (which generates a Match Object data file).

By default, the -Z option reports all objects that are SE to either a Server object or a Volume object. However, you can create a SecEqual.CFG file that lists up to 10 object classes for NDSTree to check. For example, you can generate a report of objects that are SE to Server, Volume and Profile objects. The .CFG file must be in the current working directory.

The syntax of SecEqual.CFG is simple: one class name on each line. A line starting with either ';' (semicolon) or '#' (pound) is treated as a comment. The class name must match exactly (including spaces) the name in the schema. You can get a list of the class names in your schema using NDSCOUNT, a utility that is also part of the NDS ToolKit.

Note that the -Z option is not available for NDSTREE2.NLM. Shown below is a sample output from NDSTREE.EXE using the -Z option:

NDSTREE Version MT-1.01 [s/n: DLAN951027r-DLAN]
DreamLAN Network Consulting Ltd.
(c)Copyright 1995. All Rights Reserved.

Report file (SecEqual.RPT) generated on October 27, 1995 at 00:53:39

Searching from context <[Root]> and below.

SE Config file [SecEqual.CFG] used. Objects with SE to the following object 
classes are flagged:

   1. --> Volume
   2. --> Messaging Server
   3. --> NCP Server
   4. --> Profile

NOTE: The 'Security Equalled To' object name is relative
----- to the 'source' object's context.

***************************************************************************

CN=DREAMLAN.OU=Toronto.O=North_America:
     SE --> CN=DREAMLAN_MSG (Messaging Server)

CN=Csadmin.OU=Consulting.OU=Toronto.O=North_America:
     SE --> CN=NW410B (NCP Server)

CN=Louvre+Bindery Type=543.OU=Toronto.O=North_America:
     SE --> CN=DREAMLAN (NCP Server)

CN=Admin.O=North_America:
     SE --> CN=DREAMLAN_MSG.OU=Toronto (Messaging Server)

CN=Tester.O=TopLevel:
     SE --> CN=DREAMLAN.OU=Toronto.O=North_America. (NCP Server)


              *** End of Report ***
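An added example (not NDSTree's own code) showing the SecEqual.CFG rules described above and the check the -Z report performs. It assumes the CFG grammar exactly as the text states it (one class per line, ';' or '#' comments, exact match including spaces, at most 10 classes); the object records are constructed, and their Security Equals values are written as full DNs, whereas the real report prints them relative to the source object's context.

```python
"""Constructed illustration of the SecEqual.CFG rules and the check that -Z performs."""

# Assumptions: CFG grammar as the text describes it; object records are constructed;
# Security Equals values are full DNs here, unlike the context-relative real report.
MAX_CLASSES = 10
# The text says Server and Volume are checked by default; the sample report shows
# "NCP Server" as the schema class name for a server.
DEFAULT_CLASSES = ["NCP Server", "Volume"]


def parse_seceq_cfg(text):
    """Return the flagged classes from a CFG text, or the default pair if there is no file."""
    if text is None:
        return list(DEFAULT_CLASSES)
    classes = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")           # keep interior spaces: "NCP Server" must match exactly
        if not line.strip() or line.lstrip()[0] in ";#":
            continue                        # blank line or comment
        classes.append(line)
        if len(classes) == MAX_CLASSES:     # the utility reads at most 10 classes
            break
    return classes


def se_report(objects, flagged):
    """Map each object to the flagged-class objects named in its Security Equals.

    objects: DN -> (base class, list of DNs in the Security Equals attribute).
    Equivalence is not chained: being SE to Admin does not pick up Admin's own SEs.
    """
    hits = {}
    for dn, (_cls, equals) in objects.items():
        matched = [peer for peer in equals if peer in objects and objects[peer][0] in flagged]
        if matched:
            hits[dn] = matched
    return hits


# Constructed tree fragment: a help-desk user has been made SE to a server object.
OBJECTS = {
    "CN=NW410B.O=DreamLAN": ("NCP Server", []),
    "CN=NW410B_SYS.O=DreamLAN": ("Volume", []),
    "CN=HelpDesk4.O=DreamLAN": ("Group", []),
    "CN=Admin.O=DreamLAN": ("User", ["CN=NW410B.O=DreamLAN"]),
    "CN=HelpDesk.O=DreamLAN": ("User", ["CN=NW410B.O=DreamLAN", "CN=Admin.O=DreamLAN"]),
    "CN=Joe.O=DreamLAN": ("User", ["CN=HelpDesk4.O=DreamLAN"]),
}
CFG_TEXT = "; classes to flag\nNCP Server\n# volumes too\nVolume\nProfile\n"

if __name__ == "__main__":
    for dn, peers in se_report(OBJECTS, parse_seceq_cfg(CFG_TEXT)).items():
        print(dn + ":", ", ".join(peers))
```

Joe is SE only to a Group, so he is not flagged even though Groups can in turn carry rights; that is exactly the gap the CFG file lets you close by adding the classes you care about.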


Registration

In this trial version, the following options are disabled:

The full version of NDSTree is available by registering on-line through the following Web sites:

The NDS tree name is required as it is used to generate a key. The registration cost is $99 US. Canadian registration is $135 CDN plus GST. All other countries, please remit in US funds.

You can also FAX a company Purchase Order to +1 (905) 887-3836. Please make sure you either include your tree name on the FAX or send a follow-up email.

Special site agreements for multiple trees and service providers are available. The license does not grant you the right to resell the program for a profit, but you can charge the customer a service charge for your time. If you are a service provider, you can register copies on behalf of your customers (by providing your customer's mailing information; this is used only for tracking purposes). At the same time, we ask you to send us a separate email indicating that you are registering on behalf of your customer, and to indicate in this email whether further software upgrades (free or for a charge) should be sent to you or to the customer directly, and an email address for that purpose.


Other Information

NDSTREE is written in C using the Microsoft C optimizing compiler and the Novell Development Kit. Some string-manipulation routines are from the CXL library. NDSTREE2 is written using the Watcom C compiler and the Novell Developer Kit.

Inclusion of this utility on CD-ROMs (except for backup purposes) without permission from DreamLAN Network Consulting Ltd. is expressly prohibited.


Revision History