pwdcheck.pl (Size 23k) - Chris Randles v1.0 2008-05-07
PROGRAM PURPOSE:
Analyze the output from the Diagpwd utility and produce a usable list of eDirectory accounts whose eDirectory (NDS) passwords are not synchronized with their Universal or Simple passwords. The output is in container order, sorted by the reversed object RDN sequence (o=..., ou=..., cn=...).
PROGRAM REQUIREMENTS:
Input Requirements - The output from Diagpwd:
Run Diagpwd with the following syntax:
diagpwd <IP Address> <secure port> <Tree_Cert>.der <container to start search> sub <Admin Account> <password>
e.g. diagpwd 192.168.0.1 636 MyTree.der o=Novell sub cn=admin,o=Novell mypassword
Use redirection to write the output to a text file, i.e. add '> diagpwd.txt' to the end of the command:
e.g. diagpwd 192.168.0.1 636 MyTree.der o=Novell sub cn=admin,o=Novell mypassword > diagpwd.txt
To acquire the Diagpwd utility go to the Novell downloads web page and search for 'diagpwd*'
NOTE: Diagpwd4 was the current version at the time of writing. Do not modify the output file from diagpwd! Diagpwd takes a while to run; you can use LDAP tracing to follow its progress. Note that the admin password is passed on the command line, so it is visible in the shell history and in process listings while diagpwd runs; clear the history afterwards and treat the output file (account DNs and e-mail addresses) as sensitive.
The program has been tested using SUSE Linux 10 on x86_64 using Perl v5.8.8 and on MS Windows 2000 SP4 using ActivePerl v5.8.8. It should run on most Linux/Unix/Windows platforms with Perl v5.6 and above.
EXAMPLE INPUT DATA (output data from diagpwd):
Object DN: cn=MyAccount,ou=IT,ou=CA,o=Novell EMail: ChRandles@novell.com Last Changed Date: 2008-04-21 22:40:45 Z Password Status: Enabled, Set Distribution Password Status: Set Simple Password Status: Set Password Policy DN: cn=Password Policy,cn=Password Policies,cn=Security
Object DN: cn=ThatAccount,ou=Accounts,ou=CA,o=Novell EMail: NotReal@novell.com Last Changed Date: [UNKNOWN] Password Status: Enabled, Set Distribution Password Status: Not set Simple Password Status: Set Password Policy DN: cn=Password Policy,cn=Password Policies,cn=Security
Object DN: cn=NFAUUser,o=novell EMail: [NONE] Last Changed Date: [UNKNOWN] Password Status: Universal Password disabled, Not set Distribution Password Status: Not set Simple Password Status: Not set Password Policy DN: [NONE]
PROGRAM OUTPUT INCLUDES:
Password_Totals.txt A file containing all of the totals derived by the program which appear in the various output files.
Bad_Passwords.txt List of objects where Universal and/or Simple passwords do not match the NDS password, with:
    Number of objects with bad Universal and Simple Passwords
    Number of objects with bad Universal Password only
    Number of objects with bad Simple Password only
    Total number of objects with bad passwords
Universal_Password_Not_Enabled.txt List of and Total number of objects with Universal Password NOT enabled
Universal_Password_Enabled.txt List of and Total number of objects with Universal Password Enabled
Universal_Password_Set.txt List of and Total number of objects with Universal Password Set
Universal_Password_Not_Set.txt List of and Total number of objects with Universal Password NOT Set
Distribution_Password_Set.txt List of and Total number of objects with Distribution Password Set
Distribution_Password_Not_Set.txt List of and Total number of objects with Distribution Password NOT Set
Simple_Password_Set.txt List of and Total number of objects with Simple Password Set
Simple_Password_Not_Set.txt List of and Total number of objects with Simple Password NOT Set
Users_By_Last_Password_Change.txt List of objects ordered by password last changed date, with:
    Number of users without a password last changed date
    Number of users with a password last changed date
Users_By_Password_Policies.txt List of objects ordered by assigned password policy, with:
    Number of users assigned to each password policy
Excluded_Objects.txt List of and Total number of objects excluded from the input data.
Passwords.csv A csv formatted file containing the input data. One object per line.
A total of 14 output files are created per program run. NOTE: Output files are overwritten with each run.
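The following is an added example in Python (not the Perl source of pwdcheck.pl) showing the two pieces of work the tool does on its input: it parses records in the diagpwd format shown under EXAMPLE INPUT DATA, drops the CNs listed in an exclude.txt, sorts the survivors by their reversed RDN sequence so they come out in container order, and tallies the Universal, Distribution and Simple password status counts that the per-status output files report. The three sample records are copied from the example input above; the exclude.txt content is constructed. The field splitting rule (longest key name first, so "Distribution Password Status" is not cut at "Password Status") is an assumption drawn from the sample, and the mismatch test behind Bad_Passwords.txt is not reproduced because the sample fields do not show how diagpwd reports it.

```python
"""Parse diagpwd output, apply exclusions, order by container and tally status.

Added example; not code from pwdcheck.pl.  Field names come from the sample
diagpwd output on this page.  The NDS-password mismatch test is not derived here.
"""
import re
from collections import Counter

# Sample input copied from the diagpwd output shown on this page (three objects).
SAMPLE_DIAGPWD = """\
Object DN: cn=MyAccount,ou=IT,ou=CA,o=Novell EMail: ChRandles@novell.com Last Changed Date: 2008-04-21 22:40:45 Z Password Status: Enabled, Set Distribution Password Status: Set Simple Password Status: Set Password Policy DN: cn=Password Policy,cn=Password Policies,cn=Security
Object DN: cn=ThatAccount,ou=Accounts,ou=CA,o=Novell EMail: NotReal@novell.com Last Changed Date: [UNKNOWN] Password Status: Enabled, Set Distribution Password Status: Not set Simple Password Status: Set Password Policy DN: cn=Password Policy,cn=Password Policies,cn=Security
Object DN: cn=NFAUUser,o=novell EMail: [NONE] Last Changed Date: [UNKNOWN] Password Status: Universal Password disabled, Not set Distribution Password Status: Not set Simple Password Status: Not set Password Policy DN: [NONE]
"""

# Constructed exclude.txt content: one CN per line, matched case-insensitively.
SAMPLE_EXCLUDE = "nfauuser\n"

# Longest key names first so "Distribution Password Status" wins over "Password Status".
FIELD_RE = re.compile(
    r"(Distribution Password Status|Simple Password Status|Password Policy DN"
    r"|Last Changed Date|Password Status|Object DN|EMail): "
)


def parse_diagpwd(text):
    """Return one dict per object, keyed by the diagpwd field names.

    Lines are joined first, so the parser accepts the fields on one line per
    object or spread over several lines.
    """
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    records = []
    for chunk in re.split(r"(?=Object DN: )", flat):
        if not chunk.startswith("Object DN: "):
            continue
        hits = list(FIELD_RE.finditer(chunk))
        rec = {}
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(chunk)
            rec[m.group(1)] = chunk[m.end():end].strip()
        records.append(rec)
    return records


def load_exclusions(text):
    """exclude.txt: one CN per line, compared case-insensitively."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def object_cn(dn):
    # Naive RDN split; escaped commas in DNs are not handled (none in the sample).
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.lower().startswith("cn=") else first


def container_sort_key(dn):
    """Reverse the RDNs so objects sort by container: o=..., ou=..., cn=..."""
    return ",".join(reversed(dn.split(","))).lower()


def classify(rec):
    """Turn the textual status fields into booleans."""
    enabled_part, _, set_part = rec["Password Status"].partition(",")
    return {
        "dn": rec["Object DN"],
        "up_enabled": enabled_part.strip().lower() == "enabled",
        "up_set": set_part.strip().lower() == "set",
        "dist_set": rec["Distribution Password Status"].lower() == "set",
        "simple_set": rec["Simple Password Status"].lower() == "set",
        "has_change_date": rec["Last Changed Date"] != "[UNKNOWN]",
        "policy": rec["Password Policy DN"],
    }


def analyse(diagpwd_text, exclude_text=""):
    """Apply exclusions, sort in container order and compute the status totals."""
    excluded_cns = load_exclusions(exclude_text)
    kept, excluded = [], []
    for rec in parse_diagpwd(diagpwd_text):
        target = excluded if object_cn(rec["Object DN"]).lower() in excluded_cns else kept
        target.append(classify(rec))
    kept.sort(key=lambda c: container_sort_key(c["dn"]))

    totals, by_policy = Counter(), Counter()
    for c in kept:
        totals["universal_enabled" if c["up_enabled"] else "universal_not_enabled"] += 1
        totals["universal_set" if c["up_set"] else "universal_not_set"] += 1
        totals["distribution_set" if c["dist_set"] else "distribution_not_set"] += 1
        totals["simple_set" if c["simple_set"] else "simple_not_set"] += 1
        totals["with_change_date" if c["has_change_date"] else "without_change_date"] += 1
        by_policy[c["policy"]] += 1
    totals["excluded"] = len(excluded)
    return {"objects": kept, "excluded": [c["dn"] for c in excluded],
            "totals": totals, "by_policy": by_policy}


if __name__ == "__main__":
    result = analyse(SAMPLE_DIAGPWD, SAMPLE_EXCLUDE)
    for obj in result["objects"]:
        print(obj["dn"])
    for name, count in sorted(result["totals"].items()):
        print(f"{name}: {count}")
```

With the constructed exclude.txt the NFAUUser object is dropped, ThatAccount (ou=Accounts) sorts before MyAccount (ou=IT) because the reversed RDN string compares o=novell,ou=ca,ou=accounts ahead of o=novell,ou=ca,ou=it, and the distribution_not_set count of 1 comes from ThatAccount.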
EXCLUSIONS FILE:
Exclusions file format is a simple text list of object CNs to ignore. Create a text file called 'exclude.txt' (case sensitive on Linux/Unix) and enter one CN per line (CN is case insensitive) e.g.:
Yes, there is. Jim Willeke wrote a much better tool than this one (sorry guys, but his is better) called Dump Universal Password. When you check a user it reports an NMAS error (I forget the code) that shows that the current password does NOT meet the current password policy rules, which is what you need.
Is there a way to find out whether a password does not match the password policy after the password policy has been increased? Example: we have a password policy with a minimum of 8 characters, increased to 12 characters. Now we want to know which accounts do not yet correspond to the password length of 12 characters.