
eDirectory LDAP


Hi everybody!

I am a newbie; I installed eDir 8.7.3 on s2003.
Can somebody tell me how to make new LDAP users?
I got a new red "N" icon in the taskbar, but when I right-click this
icon I don't see any 'interesting' settings.

I would like to find out where exactly the LDAP users are stored (I think in
some kind of database somewhere...)


Thanks very much for the reply!


--
Percent01
------------------------------------------------------------------------
Percent01's Profile: https://forums.netiq.com/member.php?userid=6341
View this thread: https://forums.netiq.com/showthread.php?t=49302


Re: eDirectory LDAP

On Sun, 24 Nov 2013 21:05:40 +0000, Percent01 wrote:

> Hi everybody!
>
> I am a newbie; I installed eDir 8.7.3 on s2003.
> Can somebody tell me how to make new LDAP users?
> I got a new red "N" icon in the taskbar, but when I right-click this
> icon I don't see any 'interesting' settings.
>
> I would like to find out where exactly the LDAP users are stored (I think in
> some kind of database somewhere...)
>
>
> Thanks very much for the reply!


If the system is a domain controller, then you need to configure
eDirectory's LDAP server to use other ports, because Windows Server
requires the AD LDAP interfaces be on ports 389/636.

Otherwise, if it's just a member server, the installation should
configure it for LDAP access automatically.

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

Re: eDirectory LDAP

On Sun, 24 Nov 2013 21:05:40 +0000, Percent01 wrote:

> Hi everybody!
>
> I am a newbie; I installed eDir 8.7.3 on s2003. Can somebody tell me how to
> make new LDAP users?


You would use an application to do so. Natively, you could use iManager
with eDirectory to create Users or other types of objects. Or you could
use any LDAP enabled application that can create objects.


> I got a new red "N" icon in the taskbar, but when I
> right-click this icon I don't see any 'interesting' settings.


That would be the Windows client, which does not, by itself, offer any
administrative functions.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: eDirectory LDAP


Fortunately, I made 2 new users (simple and non-simple password).
I think the passwords are stored in the nds.01 or nds.db file, because I saw the
usernames in this file.
How can I read this database, or how can I make a query to see the password
hashes?


--
Percent01

Re: eDirectory LDAP

On 11/25/2013 10:34 AM, Percent01 wrote:
>
> Fortunately, I made 2 new users (simple and non-simple password).
> I think the passwords are stored in the nds.01 or nds.db file, because I saw the
> usernames in this file.
> How can I read this database, or how can I make a query to see the password
> hashes?


You do not have direct database access to the eDir DIB files.

You would query via LDAP to see the user in the eDirectory tree. Or via
NCP (with Client32 and ConsoleOne), or via iManager (a web tool that
comes with eDirectory).

You will NOT easily get back the password hash. However, if you must see
the password, and you define your password policy to allow it, it is
retrievable. A Java app that performs this task is available at:
http://ldapwiki.willeke.com/Wiki.jsp?page=DumpEdirectoryPasswordInformationTool

(This assumes you have a password policy that enables Universal
Password. If not, then you will default to NDS passwords, which are
public key/private key pairs, and while you can get access to the public
key, the private key is meant to be heavily protected. (There are ways,
but it would be pretty foolish to do so.))





Re: eDirectory LDAP


geoffc;237383 Wrote:
> On 11/25/2013 10:34 AM, Percent01 wrote:
> >
> > Fortunately, I made 2 new users (simple and non-simple password).
> > I think the passwords are stored in the nds.01 or nds.db file, because I saw
> > the usernames in this file.
> > How can I read this database, or how can I make a query to see the
> > password hashes?
>
> You do not have direct database access to the eDir DIB files.
>
> You would query via LDAP to see the user in the eDirectory tree. Or via
> NCP (with Client32 and ConsoleOne), or via iManager (a web tool that
> comes with eDirectory).
>
> You will NOT easily get back the password hash. However, if you must see
> the password, and you define your password policy to allow it, it is
> retrievable. A Java app that performs this task is available at:
> http://tinyurl.com/3telax5
>
> (This assumes you have a password policy that enables Universal
> Password. If not, then you will default to NDS passwords, which are
> public key/private key pairs, and while you can get access to the public
> key, the private key is meant to be heavily protected. (There are ways,
> but it would be pretty foolish to do so.))


I would like to introduce the password store security. This is the main
reason.
Easy question: how can I search my cn, dc, ou settings?


--
Percent01

Re: eDirectory LDAP

On Tue, 26 Nov 2013 09:34:02 +0000, Percent01 wrote:

> I would like to introduce the password store security. This is the main
> reason.


What password store security?


> Easy question: how can I search my cn, dc, ou settings?


Search with what? LDAP? iManager? Something else?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: eDirectory LDAP


dgersic;237434 Wrote:
> On Tue, 26 Nov 2013 09:34:02 +0000, Percent01 wrote:
>
> > I would like to introduce the password store security. This is the
> > main reason.
>
> What password store security?

I made many users with different password store policies (universal,
non-universal, NDS, etc.)

> > Easy question: how can I search my cn, dc, ou settings?
>
> Search with what? LDAP? iManager? Something else?

I have an iManager administrator account.
Also, I would like to make a query, but I don't know how to make the JDBC
connection and so on...



--
Percent01

Re: eDirectory LDAP

On Tue, 26 Nov 2013 17:16:15 +0000, Percent01 wrote:

> dgersic;237434 Wrote:
>> On Tue, 26 Nov 2013 09:34:02 +0000, Percent01 wrote:
>>
>> > I would like to introduce the password store security. This is the
>> > main reason.
>>
>> What password store security?
>> I made many users with different password store policies (universal,
>> non-universal, NDS, etc.)


eDirectory comes with documentation. I'm pretty sure that configuration
of password policies is included.


>> > Easy question: how can I search my cn, dc, ou settings?
>>
>> Search with what? LDAP? iManager? Something else? I have an iManager
>> administrator account. Also, I would like to make a query, but I don't
>> know how to make the JDBC connection and so on...


You don't. It's not a JDBC accessible database, it's a directory.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: eDirectory LDAP


> eDirectory comes with documentation. I'm pretty sure that configuration
> of password policies is included.

It is OK. I made various users with different password policies.
The question: how can I reverse the password?
1. I think if I can make a query in iManager, I will get user passwords. But I
have to connect to some database (JDBC connection etc.) to make the
query.
2. I got this tip: http://tinyurl.com/q58jnhz but I don't know the "fully
distinguished name of a user with rights"
http://tinyurl.com/oprxhz5


--
Percent01

Re: eDirectory LDAP

On Tue, 26 Nov 2013 21:54:03 +0000, Percent01 wrote:

>> eDirectory comes with documentation. I'm pretty sure that configuration
>> of password policies is included.
>
> It is OK. I made various users with different password policies.
> The question: how can I reverse the password?


You don't.

> 1. I think if I can make a query in iManager, I will get user passwords.


No, you don't. As David said, eDirectory is a directory, not a database.

> But I
> have to connect to some database (JDBC connection etc.) to make the query.


No. You use LDAP to query the directory, or the NDS APIs. And you will
not get the password that way. The software is configured to not give up
the encrypted credentials.

> 2. I got this tip: http://tinyurl.com/q58jnhz but I don't know the "fully
> distinguished name of a user with rights"
> http://tinyurl.com/oprxhz5


It sounds like you need to start with learning some basics about
eDirectory. You're trying to treat it like it's a JDBC-accessible
database. It's not. It's a directory service. The data is stored in a
proprietary database engine.

You still haven't described what your ultimate goal is - what is the
thing you are trying to accomplish, or the business problem you're trying
to solve? We can help you with that.

We cannot help you "hack" the eDirectory data store for unspecified
purposes. That's not what we're here for.

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

Re: eDirectory LDAP

On 11/26/2013 5:06 PM, Jim Henderson wrote:
>> It is OK. I made various users with different password policies.
>> The question: how can I reverse the password?

> You don't.
>

You can; you just have to use a Java call and have the rights set up correctly.
However, as others have mentioned, this isn't really the way to go about it.

What is the goal of your project? Perhaps we could steer you in the right direction instead of
floundering around.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Associate http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: eDirectory LDAP

On Tue, 03 Dec 2013 20:56:58 +0000, Will Schneider wrote:

> On 11/26/2013 5:06 PM, Jim Henderson wrote:
>>> It is OK. I made various users with different password policies.
>>> The question: how can I reverse the password?

>> You don't.
>>

> You can; you just have to use a Java call and have the rights set up
> correctly.
> However, as others have mentioned, this isn't really the way to go about
> it.


Depends on if we're talking about UP or the old NDS password. The latter
can't be extracted using external access methods of any type. Since the
OP asked about extracting the password hash (which is only used for the
RSA password, not UP, which as I recall uses strong encryption instead of
a hashing algorithm), that was the assumption I went with. So I'm going
to stand by "you don't extract the hashes using LDAP or JDBC/ODBC". 🙂

> What is the goal of your project? Perhaps we could steer you in the
> right direction instead of floundering around.


Indeed, that's kinda what we've all been waiting for an answer to. 🙂
It's usually far better to describe the goal than guesses at the steps
needed to achieve the goal.

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell/SUSE/NetIQ Knowledge Partner

Re: eDirectory LDAP

On 12/3/2013 5:31 PM, Jim Henderson wrote:
> It's usually far better to describe the goal than guesses at the steps
> needed to achieve the goal.


+1
If only the federal government could figure this out.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Associate http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: eDirectory LDAP


You just need a communist government ....


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170