



    cn=DNS AG APoitiers-123-4-567-8 - W2K-A-NDS,o=myCompany
        Valid from : 2008-Sep-02 23:30:47 [EDT] (2008-Sep-03 03:30:47 [GMT])
        Valid until : 2010-Sep-02 23:30:47 [EDT] (2010-Sep-03 03:30:47 [GMT])
        Will expire in 574 days.

    cn=DNS AG w2k-a - W2K-A-NDS,o=myCompany
        Valid from : 2006-Mar-20 20:43:48 [EST] (2006-Mar-21 01:43:48 [GMT])
        Valid until : 2008-Mar-19 20:43:48 [EST] (2008-Mar-20 01:43:48 [GMT])
        Expired 322 days ago!

Ready-to-Run Gadgets

As a showcase to demonstrate the flexibility and versatility of ldapGadget's scripting power, we present here a number of ready-to-use modules (affectionately known as LDAP Gadgets or LDAP Gizmos) that can help you with your day-to-day network management tasks. These gadgets were written purely in the Lua scripting language, using the Lua/LDAP extension functions and features provided by ldapGadget.

Attribute Tools Gadget

Often we need to make a single change to a large number of objects in an LDAP database. The "traditional" procedure has been to create an LDIF file similar to the following:

    version: 1

    dn: cn=user1,o=location
    changetype: modify
    add: title
    title: new title1 goes here
    -

    dn: cn=user2,o=location
    changetype: modify
    add: title
    title: new title2 goes here
    -
and then process the file using ldapModify or similar tools. This may be sufficient when a small number of objects is to be modified, but it becomes very time-consuming and potentially error-prone when dealing with a large number of objects.

Another frequently performed task is to get a list of objects (users, for instance) that have a certain attribute value. This is quite straightforward if the attribute value is either a text string (such as Title) or a numeric value (such as Login Grace Limit), as it can be specified as part of the search filter. However, if the desired information is a substring (such as department*) in a base64-encoded value, or is in a more complex attribute value such as ACL or Network Address, search filters would not be of much help - but the Attribute Tools gadget can.

The Attribute Tools gadget is designed to make these reporting or modification tasks easy for you. This gadget, a compiled ldapGadget script, allows you to:
o Check number of attribute values. Report when an attribute has "x" number of values (for instance, if CN has more than one value or if there are exactly 5 ACL values).
o Look for a given value. Report when a specific attribute value exists - even if this is a text sub-string within a login script or a structured attribute such as Network Address.
o Look for lack of a given value. Report when a specific attribute value does not exist.
o Report when an attribute exists, i.e., populated with one or more values.
o Report when an attribute does not exist.
all without having to create any LDIF file or write a single line of scripting instruction.

Attribute Tools is a must-have gadget; add it to your toolbox today!
ldapSearch Gadget

The majority of ldapSearch applications are command-line based, and different platform implementations tend to use different option flags and defaults, which sometimes results in confusion. The ldapSearch gadget offers you a GUI, leaving no room for confusion. Furthermore, you can store your LDAP bind information, along with your often used baseDN and search filter, in a CFG file so you do not have to enter them repeatedly; the password is stored encrypted.

In addition to the standard options found in all ldapSearch applications, the ldapSearch gadget has the following advanced features:
o Export LDAP data to an LDIF file with the attributes listed alphabetically; multi-valued attributes will have their data listed in ascending order.
o Export LDAP data directly to a CSV file, without having to first export to LDIF and then convert.
o Include decoded Base64 data as comments within the LDIF for reference purposes, or do not encode binary data in Base64 format at all.
o Export entries sorted by parent DN so that all objects are grouped by containers instead of in whatever order the LDAP server returns them; this also sorts objects within a container alphabetically.
o Export Universal Password, stored in encrypted format for security, so that it can be re-imported using the ldapModify gadget.
o Export U/P via the userPassword pseudo attribute, either in SSHA (4-byte salt) or cleartext format.
o Execute a user-defined function after data has been exported; this allows you to export and process the data all within the same gadget.
o Run in unattended mode, under a scheduler, so you can automate exports.
Download the ldapSearch gadget, set it up by storing your often used LDAP bind-related information in the ldapGadget.cfg file, create a shortcut on your desktop, and you are ready to put it to work much more easily and efficiently than any other ldapSearch utility, including the ICE wizard found within ConsoleOne or iManager.
LDIF-CSV Converter Gadget

Often you need to import data from an application (such as a mainframe export or a spreadsheet) into the LDAP database, but the information comes in the form of a CSV file, and not LDIF as required. There are also instances when you need to export data from LDAP and import it into another (non-LDAP enabled) application, which does not understand LDIF but does accept CSV files. The LDIF-CSV Converter gadget can convert data between LDIF and CSV format with ease. It also offers some features not found in other LDIF-CSV converters:
KMO Reporter Gadget

SSL certificates (also known as KMOs, Key Material Objects, in the Novell terminology) are frequently used to secure critical and sensitive information (such as passwords and financial data) across numerous communication protocols and platforms including, but not limited to: intranet, e-mail, Web sites and portals, FTP and SSH servers. Much like passports or driver licenses, each certificate contains a number of data fields that indicate the "source" (e.g., organization) to which the certificate was issued.

One of these information fields has constantly given network administrators grief - the validity period. Each certificate has a validity period which specifies between what dates (and times) the given certificate is to be considered valid by the clients. Most client and server applications will check a certificate's validity period before using its content. If a client or server application detects that a certificate has expired, one or more implementation-specific actions (such as aborting the connection) are typically performed. Similarly, when an SSL-enabled service (such as the Apache web server) starts up and finds its associated certificate expired, the application will generally abort, resulting in a service interruption, or fall back to unsecured connections if such a mechanism is permitted.
The KMO Reporter gadget is specifically designed to detect expired certificates and to provide warnings on certificates in your eDirectory that are about to expire.
This gadget also reports on the status and some internal certificate information of the eDirectory tree CA and the associated Trusted Root / Self-Signed certificate. The CA is found in the CN=Security container under [Root], and is named after the eDirectory tree name, such as MY_TEST_TREE CA.

Get the KMO Reporter and keep your KMOs in check!
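The validity-period check described in this section, as an added example that is not ldapGadget code: it classifies certificates as expired, not yet valid, expiring soon or healthy, and reproduces the day counts from the page's sample report. It assumes certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `NOW` and the function names are constructed for the example.

```python
import ssl
from datetime import datetime, timezone

def common_name(cert):
    """Pull commonName out of the nested RDN tuples getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def validity_report(certs, now, warn_days=60):
    """Return (severity, cn, message) rows, most urgent first.

    Severity: 0 expired, 1 not yet valid, 2 expiring within warn_days, 3 ok.
    """
    rows, t = [], now.timestamp()
    for cert in certs:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if t > end:
            sev, msg = 0, f"Expired {int((t - end) // 86400)} days ago!"
        elif t < start:
            sev, msg = 1, f"Not valid for another {int((start - t) // 86400)} days."
        else:
            left = int((end - t) // 86400)
            sev, msg = (2 if left <= warn_days else 3), f"Will expire in {left} days."
        rows.append((sev, common_name(cert), msg))
    return sorted(rows)

# Constructed input: the two validity periods (GMT) from the page's sample
# report, in getpeercert() dict form. NOW is an assumed report run time.
CERTS = [
    {"subject": ((("commonName", "DNS AG APoitiers-123-4-567-8 - W2K-A-NDS"),),),
     "notBefore": "Sep  3 03:30:47 2008 GMT", "notAfter": "Sep  3 03:30:47 2010 GMT"},
    {"subject": ((("commonName", "DNS AG w2k-a - W2K-A-NDS"),),),
     "notBefore": "Mar 21 01:43:48 2006 GMT", "notAfter": "Mar 20 01:43:48 2008 GMT"},
]
NOW = datetime(2009, 2, 5, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for _, cn, msg in validity_report(CERTS, NOW):
        print(f"cn={cn}: {msg}")
```
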
ldapModify Gadget

One of the most commonly used LDAP management tools is ldapModify. It reads and processes the change records found in an LDIF file, similar to the following:

    version: 1

    dn: cn=user1,o=location
    changetype: modify
    add: title
    title: new title1 goes here
    -
    delete: department
    -
    replace: mail
    mail: user1@domain.org
    -

    dn: cn=user2,o=location
    changetype: modify
    add: title
    title: new title2 goes here
    -

Frequently, the information you wish to modify is available as an LDIF file, but it contains no changetype data. Such records are known as content records (as opposed to change records), and are typically generated by ldapSearch or similar tools. That means you need to "massage" the LDIF file into the above format before it can be processed by ldapModify. Some implementations of ldapModify (such as the version included with eDirectory) have options that allow content records to be used as add change records. The ldapModify gadget supports this particular feature, and more. Not only does the ldapModify gadget allow content records to be used as add change records, it also allows the following default actions:

o replace values in existing DNs
o add values to existing DNs
o delete values from existing DNs
o add DN and then add values
o delete DN
In essence, it combines the functionalities of ldapModify, ldapAdd, and ldapDelete into a single module. You can also mix change records and content records in the same LDIF file (even though it is not allowed by the RFC) for the ldapModify gadget to process. For example, if the default changeType action is set to Add DN and value, the following LDIF will result in the object cn=user2A,o=location being created and cn=user2,o=location being modified:
    dn: cn=user2A,o=location
    objectclass: inetorgperson
    sn: user
    title: new title2A goes here

    dn: cn=user2,o=location
    changetype: modify
    replace: title
    title: new title2 goes here
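The default-action behaviour described above, as an added example that is not ldapGadget's code or the gadget's implementation: content records receive an explicit changetype from a chosen default action, while records that already carry a changetype pass through unchanged. The function names and the action labels `add-dn` and `delete-dn` are hypothetical.

```python
# "add-dn" / "delete-dn" are hypothetical names for two of the page's default actions.
def parse_records(text):
    """Split LDIF into records, each a list of (attribute, value) pairs."""
    records, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and cur:          # RFC 2849 folded line
            cur[-1] = (cur[-1][0], cur[-1][1] + raw[1:])
        elif not raw.strip():                    # blank line ends a record
            records += [cur] if cur else []
            cur = []
        elif not raw.startswith(("#", "version:")):
            attr, _, value = raw.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                attr, value = attr + ":", value[1:]
            cur.append((attr.strip(), value.strip()))
    return records

def to_change_records(text, default="replace"):
    """Give content records an explicit changetype; keep change records."""
    if default not in ("replace", "add", "delete", "add-dn", "delete-dn"):
        raise ValueError(f"unknown default action: {default}")
    out = []
    for rec in parse_records(text):
        (key, dn), body = rec[0], rec[1:]
        if key.rstrip(":").lower() != "dn":
            raise ValueError("record does not start with a dn line")
        lines = [f"{key}: {dn}"]
        if any(a.lower() == "changetype" for a, _ in body):
            lines += ["-" if a == "-" else f"{a}: {v}" for a, v in body]
        elif default == "delete-dn":
            lines.append("changetype: delete")
        elif default == "add-dn":
            lines += ["changetype: add"] + [f"{a}: {v}" for a, v in body]
        else:
            lines.append("changetype: modify")
            grouped = {}
            for a, v in body:                    # one mod-spec per attribute
                grouped.setdefault(a, []).append(v)
            for a, vals in grouped.items():
                lines += [f"{default}: {a.rstrip(':')}", *(f"{a}: {v}" for v in vals), "-"]
        out.append("\n".join(lines))
    return "version: 1\n" + "\n\n".join(out) + "\n"

# Constructed sample: the page's mixed content/change record file.
SAMPLE = ("dn: cn=user2A,o=location\nobjectclass: inetorgperson\nsn: user\n"
          "title: new title2A goes here\n\ndn: cn=user2,o=location\n"
          "changetype: modify\nreplace: title\ntitle: new title2 goes here\n")

if __name__ == "__main__":
    print(to_change_records(SAMPLE, "add-dn"))
```
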
The ldapModify gadget also allows you to set a DN's Simple Password via the userPassword attribute, and supports setting the DN's Universal Password that was previously exported by the ldapSearch gadget (using the $up$ pseudo attribute). You can also use CSV files with the ldapModify gadget. Version 2.0 and later allows you to batch disable or enable eDirectory users from an LDIF or CSV file, or to batch delete DNs.

Replace your current ldapModify/ldapAdd/ldapDelete applications with the all-in-one ldapModify gadget today. You will be glad you did!
Password Status Tool Gadget

Password management is probably among the top 5 most commonly performed tasks, if not the most often performed one, handled by helpdesks and network administrators. More often than not, the root cause is an expired password rather than a forgotten password. Therefore, the main function of the Password Status Tool gadget is to report on password expiration status and related settings, such as grace logins, for auditing and management purposes. As an added bonus, it can send automatic reminders to users when their passwords are about to expire.

The Password Status Tool gadget, a compiled ldapGadget script, helps you to perform the following reporting tasks:
o Ability to skip fields when converting from CSV to LDIF.
o Handles multiple-valued attributes.
o Special identifiers to indicate Base64-encoded values when converting from CSV to LDIF.
o Converts LDIF attributes to CSV fields in any order that you specify, and you can skip attributes.
o Users whose passwords will expire within the next "x" days, along with how many grace logins they have remaining.
o Users whose passwords have already expired, along with how many grace logins they have remaining.
o Users who have no password expiration dates.
o Users who are about to run out of grace logins.
o Users who have unlimited grace logins.
You can send an email notification to those users whose passwords will be expiring, reminding them to change their passwords. You can customize the wording using a template file (plain text or HTML) where you can include information from the LDAP datastore (such as the user's first name and other data) and insert specific text based on how soon the password will expire.

As an added bonus, the Password Status Tool can mass-expire passwords by setting the Password Expiration Time to an earlier date (January 01, 2001) and setting the Grace Login Remaining to 1, thus forcing the users to change their passwords at the next login.

Get your copy of Password Status Tool gadget now and start keeping your users informed of their password expiration status. Also use the reports to give your helpdesk a heads-up on who may be calling with password issues.
LDAP Gadget Licensing Information

Unless otherwise noted, each LDAP Gadget supports two running modes within the same module file: a freeware mode and a licensed mode. When a license key for the particular Gadget is not found in the ldapGadget.cfg file, the module runs in the freeware mode where some features are disabled. For instance, under the freeware mode, the ldapSearch gadget will not be able to export the userPassword pseudo attribute in cleartext format.
Please refer to the Registration section in each Gadget's documentation to see what features are not available under its freeware mode of operation. You may use the freeware version for as long as you like and there is no obligation to register. The licensing for LDAP Gadgets is similar to ldapGadget's in that the LDAP Gadgets are licensed per site, regardless of the number of LDAP datastores. The licensed LDAP Gadget is always for an unlimited number of objects.

If you wish to try out the advanced features before purchasing a license, simply include -eval as one of the command-line options:

    ldapgadget -m ldapsearch -eval
A handy gadget to have in your administration toolbox!
o Set attribute value. Sets the attribute to a specific value, and overwrites existing values.
o Add attribute value. Adds a value to an attribute if the value does not already exist, and does not overwrite any existing value.
o Delete a specific attribute value, even if it is found inside a structured attribute.
o Add a value only if the attribute does not already exist.
o Delete an attribute, i.e., remove all values.
User Status Tool Gadget

Other than password management, the other often performed network management task is dealing with user IDs. Determining account status, such as whether an ID has not been used for weeks or whether there exist IDs that were never used, is high on the list for security-minded administrators and is helpful in checking license compliance. The User Status Tool gadget can provide you with the following reports:

o Report inactive IDs, and optionally disable them
o Report never-used IDs, and optionally disable them
o Report expired IDs, or IDs that are about to expire
o Report IDs that are currently logged-in
o Report IDs that are not currently logged-in
o Report intruder-locked IDs
o Report IDs that are about to be intruder-locked

Get your copy of User Status Tool gadget now and start keeping track of your users' ID status. Use the reports to better understand and secure your network.
Trustee Finder Gadget

Easily obtain a trustee assignment report (in the form of a CSV file) for specific user and group objects (or any other object types) that have file system trustee rights to all volumes on a given server.

Get your copy of Trustee Finder gadget now and use the reports to better understand and secure your file system.
Intruder Detection Settings Tool Gadget

It is often a chore to set or change a large number of containers' intruder detection settings. However, the Intruder Detection Settings Tool gadget can make this task easy - you can standardize all your settings in less than one minute!

Get your copy of Intruder Detection Settings Tool gadget now and use it to report on your existing settings and to standardize the settings across all your containers!
NetWare Group Tool Gadget

Need to quickly add or remove a large number of users to or from a group, and building the necessary LDIF file is too slow and cumbersome? Need to fix up inconsistent group/user relationships? The NetWare Group Tool gadget is your friend!

Get your copy of NetWare Group Tool gadget now and see how it can save you hours in dealing with and troubleshooting group-related issues.