Obfuscated Password Options of the eDirectory Utilities, ndsconfig and ndscheck

0 Likes

Introduction:


Scriptability is one of the basic expected features from an enterprise software like eDirectory, especially the command line utilities so that they can be integrated with other tools.



In this article, we talk about enhancements made to a couple of eDirectory utilities in eDirectory 8.8.5 for better scriptability. The eDirectory configuration utility, ndsconfig and the health check utility, ndscheck were enhanced to support obfuscated password. These utilities have the command line option '-w <password>' to pass the userDN password in clear text on the command line. On UNIX platforms, while the command is being executed with this option, the password can be read by anybody using the 'ps' command because the password is passed in clear text.



Refer to the screen shots below:










Enhancements:



With eDirectory 8.8.5, the following enhancements were made to improve the security by providing options to obfuscate the password and pass it through a file. This improves the security by making it difficult to crack the password.



Changes to ndscheck utility:



The ndscheck utility was enhanced to provide an option to generate the obfuscated password into a file. The new command line option '-O <obfuscated_passwd.txt>' is provided to obfuscate and put the inputted password into a file. The password can be passed to ndscheck either with the command line option '-w <password>' or through the password prompt.



Also ndscheck has been enhanced with another option '-W <obfuscated_passwd.txt>' to accept the obfuscated password for the login user passed with the option '-a adminDN'.



The obfuscated password file would be created with read and write permission to owner only(600) on UNIX platforms. ndscheck being a cross platform utility, this feature is available on all platforms.



Command syntax:



ndscheck [-h hostname | ip] [-a admin FDN] [-w password] [-F log file] [--config-file path_to_nds.conf]
ndscheck [ [-O <file_name>] | [-W <file_name>] ]


New options -


-O <file_name>   - Obfuscate the given password and store the result in <file_name>.
-W <file_name> - Use the obfuscated password from the <file_name> to login.


Changes to ndsconfig utility:


A new command line option '-W <obfuscated_passwd.txt>' is added to 'ndsconfig' to accept an obfuscated password as input on command line for the userDN. Please note that the obfuscated password file needs to be generated using the ndscheck utility as described above.



Command syntax:


ndsconfig <new | add | upgrade | rm> [-t <treeName>] [-n <serverDN>] [-a <userDN>] [-w <password>]....


New options -


-W <file_name>   - Use the obfuscated password from the <file_name> to login.


Example:


Create an obfuscated password for the eDirectory admin using ndscheck.


# ndscheck -O $HOME/edir-pass.txt



Refer to the screen shot below:




To install and configure eDirectory, execute the following command


# ndsconfig new -t myTree -n o=myOrganisation -a cn=admin.o=myOrganisation -W $HOME/edir-pass.txt



Refer to the screen shots below:










To perform eDirectory health check, execute the following command



# ndscheck -h localhost -a admin.novell -W $HOME/edir-pass.txt




References:




  1. The man pages of ndscheck and ndsconfig utilities.





Labels:

How To-Best Practice
Comment List
Parents Comment Children
Related
Recommended