whitesocks

How to get account password

Hi
I want to read an account's password in eDirectory.
I saw some Cool Solutions; the result is that the userPassword attribute can't be read.
Can you tell me how to get and read the account's password?
thanks
ScorpionSting

Re: How to get account password

whitesocks;2489666 wrote:
Hi
I want to read an account's password in eDirectory.
I saw some Cool Solutions; the result is that the userPassword attribute can't be read.
Can you tell me how to get and read the account's password?
thanks


Ignoring all the legalities about performing such a task, you can't just read the userPassword attribute. You need to have the Distribution Password set through Universal Password policies, and have authority in that policy to read the password, and use special tools to retrieve the password (such as Jim Willeke's dump tool).

Geoff has written one of his books...er...articles on passwords and retrieval: https://www.netiq.com/communities/cool-solutions/examples-jim-willekes-dump-tool/

Scroll down for about half an hour, and you should see example output....just above are links to the tools, etc

Visit my Website for links to Cool Solution articles.
Knowledge Partner

Re: How to get account password

On 10/28/2018 6:04 PM, ScorpionSting wrote:
>
> whitesocks;2489666 Wrote:
>> Hi
>> I want to read an account's password in eDirectory.
>> I saw some Cool Solutions; the result is that the userPassword attribute
>> can't be read.
>> Can you tell me how to get and read the account's password?
>> thanks

>
> Ignoring all the legalities about performing such a task, you can't just
> read the userPassword attribute. You need to have the Distribution
> Password set through Universal Password policies, and have authority in
> that policy to read the password, and use special tools to retrieve the
> password (such as Jim Willeke's dump tool).
>
> Geoff has written one of his books...er...articles on passwords and
> retrieval:
> https://www.netiq.com/communities/cool-solutions/examples-jim-willekes-dump-tool/
>
> Scroll down for about half an hour, and you should see example
> output....just above are links to the tools, etc


I resemble those comments.

Details are helpful.

As Ben notes, you need the tool, and proper permissions, as detailed in
the docs of the tool and the article cited.


whitesocks

Re: How to get account password

Hi
I executed the tool, but it reports that I do not have rights; the log is below:
D:\dumpup>java -jar DumpPasswordInformation.jar -h 192.168.128.132 -p 389 -D cn=admin,ou=users,o=services -w novell -b "cn=test002,o=adusers"
dn: cn=admin,ou=users,o=services
Password: Requestor does not have sufficient rights to perform operation. (-1659)
Password policy assigned to user: NMAS Code: (-16049)
Does Current password meet password policy assigned to user? NMAS Return Code (-16049)
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: false
Is the UPwd history full: false
Does UPwd match NDSPwd: false
Does UPwd match SimplePwd: false
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: false
Is Simple Password Clear Text: false
Does Simple Password match NDSPwd: false
Please help, thanks.
Knowledge Partner

Re: How to get account password

On 10/30/2018 01:24 AM, whitesocks wrote:
>
> I executed the tool, but it reports that I do not have rights; the log is below:
> D:\dumpup>java -jar DumpPasswordInformation.jar -h 192.168.128.132 -p
> 389 -D cn=admin,ou=users,o=services -w novell -b


This will not work without security; use TCP 636, or whatever other port
you use for LDAPS if other than TCP 636.

> "cn=test002,o=adusers"
> dn: cn=admin,ou=users,o=services
> Password: Requestor does not have sufficient rights to perform


Possibly true; use a tree admin, or a user with Write to ACL on this
object. Also be sure that the Universal Password (UP) policy allows
password retrieval by your user (explicitly) or admins in general ('Write'
to 'ACL' as mentioned above).

> operation. (-1659)
> Password policy assigned to user: NMAS Code: (-16049)
> Does Current password meet password policy assigned to user? NMAS
> Return Code (-16049)
> ===> Password Status <===
> ==> Universal Password <==
> Is UPwd Enabled: false


Not having UP enabled is a good way to never be able to retrieve
passwords. Enable it by assigning a UP policy directly to the user in
question, and then login via something NMAS-enabled, or change the
Universal Password.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
whitesocks

Re: How to get account password

Hi
D:\dump>java -jar DumpPasswordInformation.jar -Z TLS -h 202.120.166.56:389 -D cn=admin,ou=sa,o=system -w novell -b "cn=1801208,ou=people,dc=tongji"
dn: cn=admin,ou=sa,o=system
userpassword: novell
Password policy assigned to user: cn=Tongji Password Policy,cn=Password Policies,cn=Security
Does Current password meet password policy assigned to user? true
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: true
Is the UPwd history full: false
Does UPwd match NDSPwd: true
Does UPwd match SimplePwd: true
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: true
Is Simple Password Clear Text: true
Does Simple Password match NDSPwd: true
The DN shown is admin, why? cn=admin,ou=sa,o=system is super; it is the eDirectory admin, so why can't it read this DN?
Knowledge Partner

Re: How to get account password

On 10/30/2018 5:24 AM, whitesocks wrote:
>
> Hi
> D:\dump>java -jar DumpPasswordInformation.jar -Z TLS -h
> 202.120.166.56:389 -D cn=admin,ou=sa,o=system -w novell -b
> "cn=1801208,ou=people,dc=tongji"
> dn: cn=admin,ou=sa,o=system
> userpassword: novell
> Password policy assigned to user: cn=Tongji Password
> Policy,cn=Password Policies,cn=Security
> Does Current password meet password policy assigned to user? true
> ===> Password Status <===
> ==> Universal Password <==
> Is UPwd Enabled: true
> Is the UPwd history full: false
> Does UPwd match NDSPwd: true
> Does UPwd match SimplePwd: true
> Is UPwd older than NDSPwd: false
> ==> Simple Password <==
> Is Simple Password Set: true
> Is Simple Password Clear Text: true
> Does Simple Password match NDSPwd: true
> The DN shown is admin, why? cn=admin,ou=sa,o=system is super; it is the
> eDirectory admin, so why can't it read this DN?


To save you some time, have you tried running the JAR file itself? It
has a GUI to make this all easier. (I cannot remember the switches
offhand, I assume you got -D and -b backwards or something like that. )

whitesocks

Re: How to get account password

Hi
Using the GUI is OK, but the command did not execute. So I am trying other parameters.
ScorpionSting

Re: How to get account password

whitesocks;2489794 wrote:
Hi
Using the GUI is OK, but the command did not execute. So I am trying other parameters.


You sure this is enabled?


Visit my Website for links to Cool Solution articles.
Knowledge Partner

Re: How to get account password

>> "cn=test002,o=adusers"
>> dn: cn=admin,ou=users,o=services
>> Password: Requestor does not have sufficient rights to perform

>
> Possibly true; use a tree admin, or a user with Write to ACL on this
> object. Also be sure that the Universal Password (UP) policy allows
> password retrieval by your user (explicitly) or admins in general ('Write'
> to 'ACL' as mentioned above).


Really? The setting in password policy to retrieve passwords is also
allowed by Write to ACL? If so, just Sec equals to root would suffice,
would it not? I thought NMAS enforced it outside the scope of eDir
permissions.


>> operation. (-1659)
>> Password policy assigned to user: NMAS Code: (-16049)
>> Does Current password meet password policy assigned to user? NMAS
>> Return Code (-16049)
>> ===> Password Status <===
>> ==> Universal Password <==
>> Is UPwd Enabled: false

>
> Not having UP enabled is a good way to never be able to retrieve
> passwords. Enable it by assigning a UP policy directly to the user in
> question, and then login via something NMAS-enabled, or change the
> Universal Password.
>
>


Knowledge Partner

Re: How to get account password

On 10/30/2018 04:48 AM, Geoffrey Carman wrote:
>>> "cn=test002,o=adusers"
>>> dn: cn=admin,ou=users,o=services
>>> Password: Requestor does not have sufficient rights to perform

>>
>> Possibly true; use a tree admin, or a user with Write to ACL on this
>> object. Also be sure that the Universal Password (UP) policy allows
>> password retrieval by your user (explicitly) or admins in general ('Write'
>> to 'ACL' as mentioned above).

>
> Really? The setting in password policy to retrieve passwords is also
> allowed by Write to ACL? If so, just Sec equals to root would suffice,
> would it not? I thought NMAS enforced it outside the scope of eDir
> permissions.


In the Universal Password (UP) policy the users able to retrieve passwords
can be explicitly defined, or else you can set it to 'Administrators', at
least. Having 'Write' to 'ACL' makes you an administrator in the eyes of
eDirectory/NMAS, so that's the link, since if you have write to 'ACL' you
can effectively grant any other rights you want (e.g. 'Supervisor' to
'[Entry Rights]', which is what a tree admin is if defined, inheritable at
the tree [root]).

This does not mean that having these rights can let a user retrieve
passwords if the UP policy is not in place, of course, and I think it also
will not work if the UP policy explicitly prohibits password retrieval
(but I have not tested that lately), but it makes the trustee an "admin"
matching the wording in the UP policy in the section regarding password
retrieval.

This is why granting mere 'Write' to 'ACL' or '[All Attributes Rights]' is
very significant.

--
Good luck.
Knowledge Partner
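An added example, not code from this thread or from the dump tool, that audits eDirectory ACL attribute values for exactly the grants ab describes as admin-equivalent: Write or Supervisor to 'ACL' or '[All Attributes Rights]', and Supervisor to '[Entry Rights]'. It assumes the documented 'privileges#scope#trustee#protectedattr' value format and the usual privilege bit values (Write = 4 and Supervisor = 32 for attribute rights, Supervisor = 16 for entry rights); the sample ACL values are constructed.

```python
# eDirectory ACL audit: flag trustees whose grants make them an
# "administrator" for the purposes of Universal Password retrieval.
# Bit values are assumed from eDirectory's documented ACL attribute syntax.
EDIR_ATTR_WRITE = 4         # attribute-rights bit: Write
EDIR_ATTR_SUPERVISOR = 32   # attribute-rights bit: Supervisor
EDIR_ENTRY_SUPERVISOR = 16  # entry-rights bit: Supervisor

# Write to either of these lets the trustee grant themselves anything else.
ADMIN_EQUIVALENT_ATTRS = {"ACL", "[All Attributes Rights]"}


def parse_acl_value(value):
    """Split one ACL value of the form 'privileges#scope#trustee#protectedattr'."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError("malformed ACL value: %r" % value)
    privileges, scope, trustee, protected = parts
    return {"privileges": int(privileges), "scope": scope,
            "trustee": trustee, "protected": protected}


def admin_equivalence_reason(acl):
    """Return why this grant is admin-equivalent, or None if it is not."""
    p, target = acl["privileges"], acl["protected"]
    if target == "[Entry Rights]":
        return "Supervisor to [Entry Rights]" if p & EDIR_ENTRY_SUPERVISOR else None
    if target in ADMIN_EQUIVALENT_ATTRS and p & (EDIR_ATTR_WRITE | EDIR_ATTR_SUPERVISOR):
        right = "Supervisor" if p & EDIR_ATTR_SUPERVISOR else "Write"
        return "%s to %s" % (right, target)
    return None


def audit_acl_values(values):
    """Return (trustee, scope, reason) for every admin-equivalent grant."""
    findings = []
    for value in values:
        acl = parse_acl_value(value)
        reason = admin_equivalence_reason(acl)
        if reason:
            findings.append((acl["trustee"], acl["scope"], reason))
    return findings


# Constructed sample values, as they might be read from an object's ACL attribute.
SAMPLE_ACL_VALUES = [
    "1#subtree#[Public]#[Entry Rights]",                            # Browse only
    "16#subtree#cn=admin,ou=sa,o=system#[Entry Rights]",            # tree admin
    "4#subtree#cn=helpdesk,ou=sa,o=system#ACL",                     # Write to ACL
    "2#subtree#cn=auditor,ou=sa,o=system#[All Attributes Rights]",  # Read only
    "32#entry#cn=backup,ou=sa,o=system#[All Attributes Rights]",    # Supervisor
    "6#entry#[Self]#loginScript",                                   # not admin-equivalent
]

if __name__ == "__main__":
    for trustee, scope, reason in audit_acl_values(SAMPLE_ACL_VALUES):
        print("%-32s %-8s %s" % (trustee, scope, reason))
```

Run against the ACL values exported from [Root] and from the containers holding user objects; any unexpected trustee listed is effectively able to read Universal Passwords wherever the UP policy permits "Administrators" to do so.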

Re: How to get account password

>> Really? The setting in password policy to retrieve passwords is also
>> allowed by Write to ACL? If so, just Sec equals to root would suffice,
>> would it not? I thought NMAS enforced it outside the scope of eDir
>> permissions.

>
> In the Universal Password (UP) policy the users able to retrieve passwords
> can be explicitly defined, or else you can set it to 'Administrators', at
> least. Having 'Write' to 'ACL' makes you an administrator in the eyes of
> eDirectory/NMAS, so that's the link, since if you have write to 'ACL' you
> can effectively grant any other rights you want (e.g. 'Supervisor' to
> '[Entry Rights]', which is what a tree admin is if defined, inheritable at
> the tree [root]).
>
> This does not mean that having these rights can let a user retrieve
> passwords if the UP policy is not in place, of course, and I think it also
> will not work if the UP policy explicitly prohibits password retrieval
> (but I have not tested that lately), but it makes the trustee an "admin"
> matching the wording in the UP policy in the section regarding password
> retrieval.
>
> This is why granting mere 'Write' to 'ACL' or '[All Attributes Rights]' is
> very significant.


Ok, I see what you mean. Instead of S to [root] it is W to ACL that is
the powerhouse, and as a definer of 'Admin user'.



Knowledge Partner

Re: How to get account password

On 11/01/2018 04:06 AM, Geoffrey Carman wrote:
> Ok, I see what you mean. Instead of S to [root] it is W to ACL that is
> the powerhouse, and as a definer of 'Admin user'.


Effectively, sure; the former is what is actually done to create a tree
admin, but the latter works too. At the end of the day, either works, and
the latter is what I usually try to use, at least until NMAS lets the
defined admin functionality explicitly work with organizational roles or
something.

--
Good luck.