Secured Password Option for the eDirectory Utility ndsbackup



By: sashwin

January 28, 2010 3:28 pm

Author: Ashwin S

Introduction

Automation is one of the basic necessities for a command-line utility of enterprise software such as eDirectory.

This article describes enhancements made to the eDirectory utility ‘ndsbackup’ in eDirectory 8.8.5 for better automation. ndsbackup, the eDirectory object-based backup/restore utility, was enhanced to support a secure way of providing the password. The ndsbackup utility has the command-line option ‘-p <password>’, which passes the userDN password in clear text on the command line. On UNIX platforms, while the command is executing with this option, anybody can read the password using the ‘ps’ command, because it is passed in clear text.

Refer to the screen shots below:

Enhancements for ndsbackup utility

With eDirectory 8.8.5, ndsbackup was enhanced with an option to retrieve the password stored by ndspassstore. This improves security by making it difficult to crack the password.

ndspassstore is a utility used to store an encrypted password for an eDirectory user. It requires the userDN and password as options. The utility is available on Unix and uses NICI for encryption.

Command Syntax:

ndspassstore -a <Username> -w <Password>

The ndsbackup utility retrieves the stored password from the ndspassstore utility when the keyword ‘passstore’ is passed in place of the password with the ‘-p’ option. The password is then not revealed by the ‘ps’ command.

Command Syntax:

ndsbackup c [f <ndsbackupfile>] [e] [v] [w] [X <exclude-file>] [R] [Replica-server-name] [-a admin-user] [-I include-file] [-E password] [--config-file <configuration_file_path>]... [eDirectoryobject]

New Option:

-p passstore – passstore specified here is the keyword to retrieve stored password from the ndspassstore utility.

Example:

First, use the ndspassstore utility to store the password of the userDN for which the backup/restore will be performed:

#ndspassstore -a admin.novell -w n

Refer to the screen shot below:

To take backup, execute the following command:

#ndsbackup cvf /tmp/test.bak -a admin.novell -p passstore

The ‘ps’ command will not reveal the password.

Refer to the screen shots below:

To restore, use xvf instead of cvf and execute the following command:

#ndsbackup xvf /tmp/test.bak -a admin.novell -p passstore
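
As an added example (not part of the original article and not eDirectory code), the following Python script audits process command lines for ndsbackup invocations that still pass a literal password after ‘-p’ instead of the ‘passstore’ keyword, which is the exposure the ‘ps’ discussion above describes. The PIDs, the /example/bin path and the command lines in SAMPLE are constructed; reading /proc/<pid>/cmdline assumes a Linux audit host.

```python
import os

def exposed_password_arg(argv):
    """Index of a clear-text value following -p in an ndsbackup argv, else None."""
    if not argv or os.path.basename(argv[0]) != "ndsbackup":
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg == "-p" and argv[i + 1] != "passstore":
            return i + 1
    return None

def audit(cmdlines):
    """cmdlines: iterable of (pid, NUL-separated bytes as in /proc/<pid>/cmdline)."""
    findings = []
    for pid, raw in cmdlines:
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        idx = exposed_password_arg(argv)
        if idx is not None:
            argv[idx] = "<redacted>"  # keep the secret out of the report
            findings.append((pid, " ".join(argv)))
    return findings

def live_cmdlines():
    """Linux only (assumption): yield (pid, cmdline bytes) for readable processes."""
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/cmdline", "rb") as fh:
                    yield int(name), fh.read()
            except OSError:
                continue  # process exited or is not readable

# Constructed sample data: PIDs and the /example/bin path are made up.
SAMPLE = [
    (4101, b"/example/bin/ndsbackup\0cvf\0/tmp/test.bak\0-a\0admin.novell\0-p\0n\0"),
    (4102, b"ndsbackup\0cvf\0/tmp/test.bak\0-a\0admin.novell\0-p\0passstore\0"),
    (4103, b"sshd\0-D\0"),
]

if __name__ == "__main__":
    for pid, cmd in audit(SAMPLE):  # swap in live_cmdlines() on a real host
        print(f"pid {pid}: {cmd}")
```

The one-time ‘ndspassstore -a … -w …’ step shown earlier also carries the password in its arguments while it runs, so the same check applies to that command.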

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

3 Comments

  1. By:vijaysat

    Are there any other nds commands, like ndslogin, available to use ndspassstore?

    • By:sashwin

      Currently the ndsbackup utility is enhanced to use the password stored by ndspassstore. Other eDirectory utilities have to be enhanced to support ndspassstore in the future.
