cn=DNS AG APoitiers-123-4-567-8 - W2K-A-NDS,o=myCompany
    Valid from : 2008-Sep-02 23:30:47 [EDT] (2008-Sep-03 03:30:47 [GMT])
    Valid until : 2010-Sep-02 23:30:47 [EDT] (2010-Sep-03 03:30:47 [GMT])
    Will expire in 574 days.
cn=DNS AG w2k-a - W2K-A-NDS,o=myCompany
    Valid from : 2006-Mar-20 20:43:48 [EST] (2006-Mar-21 01:43:48 [GMT])
    Valid until : 2008-Mar-19 20:43:48 [EST] (2008-Mar-20 01:43:48 [GMT])
    Expired 322 days ago!
As a showcase to demonstrate the flexibility and versatility of ldapGadget's
scripting power, we present here a number of ready-to-use modules
(affectionately known as LDAP Gadgets or LDAP Gizmos) that can help you with
your day-to-day network management tasks:
Attribute Tools Gadget
Often times we need to make a single change to a large number of objects in an LDAP database. The
"traditional" procedure has been to create an LDIF file similar to the following:
These gadgets were written using purely the Lua
scripting language and the Lua/LDAP extension
functions and features provided by ldapGadget.
title: new title1 goes here
title: new title2 goes here
and then process the file using ldapModify or similar tools. This may be sufficient for a small number of
objects to be modified, but it becomes very time-consuming and potentially error-prone when dealing
with a large number of objects.
Another frequently performed task is to get a list of objects (users, for instance) that have a certain
attribute value. This is quite straightforward if the attribute value is either a text string (such as Title)
or a numeric value (such as Login Grace Limit) as it can be specified as part of the search filter.
However, if the desired information is a substring (such as department*) in a base64-encoded value or
is in a more complex attribute value such as ACL or Network Address, search filters would not be of
much help - but the Attribute Tools gadget can.
The Attribute Tools gadget is designed to make these reporting or modification tasks easy for you. This
gadget, a compiled ldapGadget script, allows you to:
Check number of attribute values. Report when an attribute has "x" number of
values (for instance, if CN has more than one value or if there are exactly 5 ACL
Look for a given value. Report when a specific attribute value exists - even if
this is a text sub-string within a login script or a structured attribute such as
Look for lack of a given value. Report when a specific attribute value does not
Report when an attribute exists, i.e., populated with one or more values.
Report when an attribute does not exist.
all without having to create any LDIF file or write a single line of scripting instruction. Attribute Tools
is a must-have gadget; add it to your toolbox today!
The majority of ldapSearch applications are command-line based and different platform
implementations tend to use different option flags and defaults, and this sometimes results in
The ldapSearch gadget offers you a GUI, leaving no room for confusion. Furthermore, you can store
your LDAP bind information, along with your often used baseDN and search filter, in a CFG file so you
do not have to enter them repeatedly; the password is stored encrypted.
In addition to the standard options found in all ldapSearch applications, the ldapSearch gadget has the
following advanced features:
Export LDAP data to an LDIF file with the attributes listed alphabetically, and
multi-valued attributes will have their data listed in ascending order.
Export LDAP data directly to a CSV file, without having to first export to
LDIF and then convert.
Include decoded Base64 data as comment within LDIF for reference purposes,
or not to encode binary data in Base64 format at all.
Export entries sorted by parent DN so that all objects are grouped by
containers instead of in whatever order returned by the LDAP server; this also
sorts objects within a container alphabetically.
Export Universal Password, stored in encrypted format for security, which can
be re-imported using the ldapModify gadget.
Export U/P via the userPassword pseudo attribute, either in SSHA (4-byte salt)
or cleartext format.
Execute a user-defined function after data has been exported; this allows you
to export and process the data all within the same gadget.
Run in unattended mode, under a scheduler, so you can automate exports.
Download the ldapSearch gadget and set it up by storing your often used LDAP bind-related information
in the ldapGadget.cfg file, create a short-cut on your desktop, and you are ready to put it to work
much more easily and efficiently than any other ldapSearch utility, including the ICE wizard found
within ConsoleOne or iManager.
LDIF-CSV Converter Gadget
Often times, you need to import data from an application (such as a mainframe export or from a
spreadsheet) into the LDAP database, but the information comes in the form of a CSV file, and not LDIF
as required. There are often instances when you need to export data from LDAP and import them to
another (non-LDAP enabled) application, which does not understand LDIF but does accept CSV files.
The LDIF-CSV Converter gadget can convert data between LDIF and CSV format with ease. It also offers
some features not found in other LDIF-CSV converters:
KMO Reporter Gadget
SSL certificates (also known as KMOs, Key Material Objects, in the Novell terminology) are frequently
used to secure critical and sensitive information (such as passwords and financial data) across numerous
communication protocols and platforms including, but not limited to: intranet, e-mail, Web sites and
portals, FTP and SSH servers.
Much like passports or driver licenses, each certificate contains a number of data fields that indicate
the "source" (e.g., organization) to which the certificate was issued. One of these information fields
has constantly given network administrators grief - the validity period.
Each certificate has a validity period which specifies between what dates (and time) the given
certificate is to be considered valid by the clients. Most client and server applications will check a
certificate's validity period before using its content. If a client or server application detects that a
certificate has expired, one or more implementation specific actions (such as abort connection) are
typically performed. Similarly, when an SSL-enabled service (such as Apache web server) starts up and
finds its associated certificate expired, the application will generally abort, resulting in a service
interruption, or fall back to unsecured connections if such a mechanism is permitted.
The KMO Reporter gadget is specifically designed to detect expired certificates and to provide warnings
about certificates in your eDirectory that are about to expire:
This gadget also reports on the status and some internal certificate information of the eDirectory tree
CA and the associated Trusted Root / Self-Signed certificate. The CA is found in the CN=Security
container under [Root], and is named after the eDirectory tree name, such as MY_TEST_TREE CA.
Get the KMO Reporter and keep your KMOs in check!
One of the most commonly used LDAP management tools is ldapModify. It reads and processes the
change records found in an LDIF file, similar to the following:
Frequently, the information you wish to modify is available as an LDIF file, but it contains no
changetype data. Such records are known as content records (as opposed to change records), and are
typically generated by ldapSearch or similar tools. That means you need to "massage" the LDIF file into
the above format before it can be processed by ldapModify.
Some implementations of ldapModify (such as the version included with eDirectory) have options that
allow content records to be used as add change records. The ldapModify gadget supports this particular
feature, and more. Not only can this ldapModify gadget allow content records to be used as add
change records, it allows the following default actions:
title: new title1 goes here
title: new title2 goes here
o replace values in existing DNs
o add values to existing DNs
o delete values from existing DNs
o add DN and then add values
o delete DN
In essence, combining the functionalities of ldapModify, ldapAdd, and ldapDelete into a single module.
You can also mix change records and content records in the same LDIF file (even though it is not
allowed by the RFC) for the ldapModify gadget to process. For example, if the default changeType
action is set to Add DN and value, the following LDIF will result in the object cn=user2A,o=location being
created and cn=user2,o=location being modified:
title: new title2A goes here
title: new title2 goes here
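The following Python sketch is an added illustration, not ldapGadget code or its Lua API. It shows how a mixed LDIF file like the one described above can be normalized so that content records receive a default action while explicit change records pass through untouched. The sample records and the action names "add", "replace" and "delete" are constructed for this example.

```python
import re

# Constructed sample (not from the page): a content record followed by a
# change record, as in the mixed file described above.
SAMPLE = """\
dn: cn=user2A,o=location
title: new title2A goes here

dn: cn=user2,o=location
changetype: modify
replace: title
title: new title2 goes here
-
"""

def parse_records(text):
    """Split LDIF into records; unfold continuation lines, drop comments."""
    text = re.sub(r"\r?\n ", "", text)  # RFC 2849 folding: newline + space
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if lines and lines[0].lower().startswith("dn:"):
            records.append(lines)
    return records

def normalize(text, default_action="add"):
    """Return change records only; content records get default_action."""
    # Action names "add", "replace", "delete" are assumptions of this sketch.
    out = []
    for lines in parse_records(text):
        dn, body = lines[0], lines[1:]
        if any(l.lower().startswith("changetype:") for l in body):
            out.append(lines)  # explicit change record: pass through as-is
        elif default_action == "add":
            out.append([dn, "changetype: add"] + body)
        elif default_action == "delete":
            out.append([dn, "changetype: delete"])
        elif default_action == "replace":
            rec, attrs = [dn, "changetype: modify"], {}
            for l in body:  # group values so each attribute is replaced once
                attrs.setdefault(l.split(":", 1)[0], []).append(l)
            for name, vals in attrs.items():
                rec += [f"replace: {name}"] + vals + ["-"]
            out.append(rec)
        else:
            raise ValueError(f"unknown default action: {default_action}")
    return out

if __name__ == "__main__":
    print("\n\n".join("\n".join(r) for r in normalize(SAMPLE)))
```

Reviewing the normalized output before applying it makes the effective operation on every DN explicit, which matters most when the default action is a delete.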
The ldapModify gadget also allows you to set a DN's Simple Password via the userPassword attribute,
and supports setting the DN's Universal Password that was previously exported by the ldapSearch
gadget (using the $up$ pseudo attribute).
You can also use CSV files with the ldapModify gadget. Version 2.0 and later allows you to batch
disable or enable eDirectory users from an LDIF or CSV file, or to batch delete DNs.
Replace your current ldapModify/ldapAdd/ldapDelete applications with the all-in-one ldapModify
gadget today. You will be glad you did!
Password Status Tool Gadget
Password management is probably among the top 5 most commonly, if not the most often, performed
tasks handled by helpdesks and network administrators. More often than not, the root cause is an expired
password rather than forgotten password. Therefore, the main function of the Password Status Tool
gadget is to report on password expiration status and related settings, such as grace logins, for auditing
and management purposes. As an added bonus, it can send automatic reminders to users when their
passwords are about to expire.
The Password Status Tool gadget, a compiled ldapGadget script, helps you to perform the following
Ability to skip fields when converting from CSV to LDIF.
Handles multiple-valued attributes.
Special identifiers to indicate Base64-encoded values when converting from CSV to LDIF.
Converts LDIF attributes to CSV fields in any order that you specify, and you can skip
When user passwords will expire within the next "x" days, along with how
many grace logins they have remaining.
Users whose passwords have already expired, along with how many grace
logins they have remaining.
Users who have no password expiration dates.
Users who are about to run out of grace logins.
Users who have unlimited grace logins.
You can send an email notification to those users whose passwords will be expiring, reminding them
to change their passwords. You can customize the wording using a template file (plain text or HTML)
where you can include information from the LDAP datastore (such as user's first name and other
data) and insert specific text based on how soon the password will expire.
As an added bonus, the Password Status Tool can mass-expire passwords by setting the Password
Expiration Time to an earlier date (January 01, 2001), and set the Grace Login Remaining to 1, thus
forcing the users to change their passwords at the next login.
Get your copy of Password Status Tool gadget now and start keeping your users informed of their
password expiration status. Also use the reports to give your helpdesk a heads-up on who may be
calling with password issues.
LDAP Gadget Licensing Information
Unless otherwise noted, each LDAP Gadget supports two running modes within the same module file:
a freeware mode and a licensed mode.
When a license key for the particular Gadget is not found in the ldapGadget.cfg file, the module runs in
the freeware mode where some features are disabled. For instance, under the freeware mode, the
ldapSearch gadget will not be able to export the userPassword pseudo attribute in cleartext format.
Please refer to the Registration section in each Gadget's documentation to see what features are not
available under its freeware mode of operation.
You may use the freeware version for as long as you like and there is no obligation to register.
The licensing for LDAP Gadgets is similar to ldapGadget's in that the LDAP Gadgets are licensed per
site, regardless of the number of LDAP datastores. The licensed LDAP Gadget is always for an unlimited
number of objects.
If you wish to try out the advanced features before purchasing a license, simply include
-eval as one of the command-line options:
ldapgadget -m ldapsearch -eval
A handy gadget to have in your administration toolbox!
Set attribute value. Sets the attribute to a specific value, and overwrites existing values.
Add attribute value. Add a value to an attribute if the value does not already exist, and
does not overwrite any existing value.
Delete a specific attribute value, even if it is found inside a structured attribute.
Add a value only if the attribute does not already exist.
Delete an attribute, i.e., remove all values.
User Status Tool Gadget
Other than password management, the other often performed network management task is dealing with
user IDs. Determining account status, such as whether an ID has not been used for weeks or whether there
are IDs that were never used, is high on the list for security-minded administrators and is helpful in
The User Status Tool gadget can provide you with the following reports:
Report inactive IDs, and optionally disable them
Report never-used IDs, and optionally disable them
Report expired IDs, or IDs that are about to expire
Report IDs that are currently logged-in
Report IDs that are not currently logged-in
Report intruder-locked IDs
Report IDs that are about to be intruder-locked
Get your copy of User Status Tool gadget now and start keeping track of your users' ID status. Use the
reports to better understand and secure your network.
Trustee Finder Gadget
Easily obtain a trustee assignment report (in the form of a CSV file) for specific user and group objects
(or any other object types) that have file system trustee rights to all volumes on a given server.
Get your copy of Trustee Finder gadget now and use the reports to better understand and secure
your file system.
Intruder Detection Settings Tool Gadget
It is often a chore to set or change a large number of containers' intruder detection settings. However,
the Intruder Detection Settings Tool gadget can make this task easy - you can standardize all your
settings in less than one minute!
Get your copy of Intruder Detection Settings Tool gadget now and use it to report on your existing
settings and to standardize the settings across all your containers!
NetWare Group Tool Gadget
Need to quickly add a large number of users to a group, or remove them from it, but building the
necessary LDIF file is too slow and cumbersome? Need to fix up inconsistent group/user relationships? The
NetWare Group Tool gadget is your friend!
Get your copy of NetWare Group Tool gadget now and see how it can save you hours in dealing with and
troubleshooting group-related issues.