Universal Password Removal Utility 5

abstract

Universal Password Removal Utility, Version 5

Universal Password Removal Utility, Version 5 (rmupwd) is a tool that can be used to remove Universal Password, Simple Password, Distribution Password, and Challenge Response data from a user or users.

This update is built for eDirectory 9 and depends on OpenLDAP libraries. This update only provides 64-bit build of the utility for Linux and Windows platforms.

Filename: rmupwd-5.0.zip
Md5sum: 0c3f4bacf760b5a6d31d549f7ee85d40

details

Universal Password Removal Utility, Version 5 (rmupwd) is a tool that allows an administrator to remove Universal Password, Simple Password, Distribution Password, and Challenge Response data from a user or users.

Note: You are responsible for all costs in using this tool. There is not a way to recover data that is removed by this utility. If you are uncertain about using this utility, please contact Novell Technical Support.

 
Prerequisites:

For Linux workstations:
OpenLDAP Libraries
LDAP SDK Libraries (novell-NLDAPsdk)
LDAP Tools and Libraries (novell-NLDAPbase)
NetIQ Transport Layer Security Library (novell-ntls)

- Windows or Linux Server
Must have eDirectory running on the server.

To use Rmupwd:

Extract rmupwd-5.0.zip to a Linux or Windows workstation.

For Linux Servers:
1. Copy libnmasext.so to /usr/lib64
2. Make rmupwd executable by doing the following: "chmod 755 rumpwd"
3. Run ndspath.
(Otherwise you will get shared library errors.)

For example:
[hv@hv18 linux64]#cp libnmasext.so /usr/lib64
[hv@hv18 linux64]#chmod 755 rmupwd
[hv@hv18 linux64]#. /opt/novell/eDirectory/bin/ndspath
(Note the space between the leading dot [.] and the first slash [/].)

[hv@hv18 linux64]#./rmupwd

For Windows workstations:
Open a command prompt, Start | Run | Cmd | change to the directory of rmupwd, then type rmupwd.exe

For example:
C:\rmupwd.exe

Note: You may also pipe the output to a file by using the pipe to a filename.txt option, if the password is supplied inline.

Note: Rmupwd requires an SSL connection.

Exporting SSL Certificate to a DER file

In iManager:

iManager | Novell Certificate Server | Configure Certificate Authority | Select the Certificates tab | Select the Self Signed Certificate tab | Export | Uncheck the "Export private key" option | Verify the Export format is "Der" | Next | Click "Save the exported certificate" link and save to the desired location.

rmupwd usage: [-pwd|-cfg|-all] [ldap ip addr] [ssl port] [der file] [searchBase] [searchScope] [subjDN] [[subjPwd]]

[-pwd|-cfg|-all] : The -pwd option removes Universal Password, Distribution Password and Universal Password History. The -cfg option removes Challenge Response Data, Simple Password, and possibly 3rd party NMAS data. The -all option removes Universal Password, Distribution Password, Simple Password, Challenge Response Data, possibly 3rd party NMAS data, and Universal Password History.

[ldap ip addr] : IP address of the target LDAP server

[ssl port] : The LDAP SSL port of the target LDAP server (typically 636)

[der file] : DER encoded file of the Trusted Root Certificate for the target LDAP server

[searchBase] : LDAP DN that specifies a user or container.

[searchScope] : Values may be base, one or sub.

[subjDN] : The LDAP DN of the administrator that is requesting the operation.

[[subjPwd]] : The password of the administrator specified by the parameter. Note that this parameter is optional. If it is not included on the command line the user will be prompted for it.

More details on the values being removed with the the [-pwd|-cfg|-all] options.

-pwd
The -pwd option removes Universal Password, Distribution Password and Universal Password History.

The attributes that are removed are the following:
nspmPassword
nspmPasswordKey *
nspmDistributionPassword
nspmPasswordHistory
nspmPreviousDistributionPassword
pwdChangedTime

*NOTE: The nspmPasswordKey attribute will not be removed if the password policy does not have "Synchronize Distribution Password when setting Universal Password" set to true.  By default this is set to true.

-cfg
The -cfg option removes Challenge Response Data, Simple Password, and possibly 3rd party NMAS data.

The attributes that are removed are the following:
SAS:Login Secret
SAS:Login Secret Key
SAS:Login Configuration
SAS:Login Configuration Key

-all
The -all option removes Universal Password, Distribution Password, Simple Password, Challenge Response Data, possibly 3rd party NMAS data, and Universal Password History.

The attributes that are removed are the following:
SAS:Login Secret
SAS:Login Secret Key
SAS:Login Configuration
SAS:Login Configuration Key
nspmPassword
nspmPasswordKey
nspmDistributionPassword
nspmPasswordHistory
nspmPreviousDistributionPassword
pwdChangedTime

Examples:

rmupwd usage: [-pwd|-cfg|-all] [ldap ip addr] [ssl port] [der file] [searchBase] [searchScope] [subjDN] [[subjPwd]]

This example removes all attributes off user cn=user1,o=novell
rmupwd -all 192.168.79.30 636 c:\cert.der cn=user1,o=novell base cn=admin,o=novell
Password: ******
cn=user1,o=novell: password deleted

This example removes all attributes off all users contained in o=novell (one level search).
rmupwd -all 192.168.79.30 636 c:\cert.der o=novell one cn=admin,o=novell
Password:
ou=user1,o=novell: password deleted
cn=user2,o=novell: password deleted
cn=user3,o=novell: password deleted
cn=user4,o=novell: password deleted