README FIRST
*********************************************************************
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*********************************************************************

Console2 3.70
https://sneakycat.biz
Telegram channel: https://t.me/console2

This is an application that can replace some iManager/Designer/ConsoleOne/dxcmd functions.
The main goal is to collect all the functions that I use the most in one application.

Use this software at your own risk.
--> No warranty is provided. If you don't like it, don't use it.
--> No support is provided.
--> Data loss may occur when using this software. If you don't want to take that risk, don't use it.
--> Make sure you have a backup of your LDAP directory before using Console2.

***** LICENSE *****
From v3.x Console2 is charityware and requires a license file to run.
1 license == 1 user

***** Obtaining a license file *****
To receive a license file you must donate $100 USD or more to a charity of your choice.
After e-mailing me your details at info@sneakycat.biz you will receive a ONE (1) user license valid for Console2 v3.x.

In case you can't make a donation we can arrange it through other channels:
A) Invoice - e-mail me at info@snekycat.biz
B) PayPal - e-mail me at info@snekycat.biz first
C) Other means - e-mail me at info@snekycat.biz

The license is personal and may be used only by ONE (1) person.
You may use the application on as many computers as you want.
The license doesn't grant you any privileges except the right to use the application.
The license doesn't grant you any right to support or help, although I will probably respond to e-mail but it's not something you can take for granted.
If you find the software useful please make a donation, it's something everybody working with IDM should be able to afford.

***** System Requirements *****
Client:
Minimum screen resolution: 1280x768 - absolute minimum that is.
Oracle Java JRE 1.8.0_181 or higher
Client tested on Windows 10 x64. It /should/ work on "any" platform with the correct JRE.

Java 9 workaround:
Use the following command to run Console2 with Java 9:
java --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED -jar ldapmu_upc.jar

If using 4K or other Hi-DPI screens I recommend that you use Java 9 or newer.

Serverside requirements:
- eDirectory with LDAP(S)
- Value index for the "Object Class" attribute *highly* recommended

Tested with:
IDM 4.5/4.6/4.7 on Linux
eDirectory 8.8.8/9.1 on Linux

It /should/ work with IDM 3.5.0 or higher but I haven't tried (if using IDM functions).
Previous versions have been tested with IDM 3.6.1/4.0.0/4.0.1 and eDirectory 8.8.5/8.8.6/8.8.7/9.0

Known Issues:
* The simple paged result control used for the "Association Manager" function doesn't work on NetWare 6.5 SP8 with eDirectory 8.8.4. Use asynchronous/synchronous mode instead.
* The IDM extended operations don't work reliably on 64-bit eDirectory versions prior to 8.8.7 where the ndsd process has allocated a large amount of memory (tested with 2-4GB). You will get different error messages in C2 when that happens.
  The operation fails with the following error in DSTrace:
  10:34:37 40D0B940 LDAP: DoExtended on connection 0x6dd41a00
  10:34:37 40D0B940 LDAP: DoExtended: Extension Request OID: 2.16.840.1.113719.1.14.100.7
  10:34:37 40D0B940 LDAP: malloc of 9 bytes failed
  10:34:37 40D0B940 LDAP: Unable to alloc data memory in NLDAPSetResponseBer
  10:34:37 40D0B940 LDAP: Sending operation result 0:"":"" to connection 0x6dd41a00
  Solution: Upgrade to 8.8.7 or newer

Features:
* Profiles for multiple eDirectory trees which you can save/load
  - The logon password can be encrypted before the profile is saved
  # Since v1.1 Console2 supports connections to Active Directory as well.
* Profiles can be moved between computers using the Export/Import function
* Saved profiles can be deleted
* IDM functions
  - List IDM drivers
  - Show/change driver status on different servers (Use the Change Server button to connect to another IDM server and use the Initial server button to return to the original server you connected to)
    # Show if a driver is started/stopped/disabled etc.
    # You may start/stop drivers
    # Show startup settings: autostart, manual, disabled
    # You may change the startup settings
    # Restart driver button (v2.0)
  - Show/change driver trace level
  - Show/change driver trace file size (v1.5)
  - Show/change driver trace path (v1.5)
  - Get driver statistics (v1.0)
    # Cache size
    # Number of events in the cache
  - Show if the driver object password, remote loader password and application password are set
    # Clear/set the application password
    # Clear/set the remote loader password
    # Set the driver object password
  - "Association Manager" feature (v2.5)
    -> Initiate a "migrate from identity vault" operation
       # Select the appropriate radio button
       # Enter a valid LDAP filter and select the driver on which you want to initiate the migrate
       # You may also enter a base DN if you want
       # You can choose to resync only associated objects, only unassociated objects or both (standard) (v0.92)
       # You can choose to delete the association value when resyncing (v0.92)
       # You can choose the mode of operation, Simple Paged Results or Asynchronous search (v1.0)
       # You can set the page size for simple paged mode (v1.5)
       # You can use the synchronous method (v1.5)
       # You can pause the resync process for N seconds every N entries (v1.9)
       # Statistics on how many entries were resynced and the time it took (v1.9)
    -> Delete associations (v2.5) - use at your own risk
       # Select the appropriate radio button
       # Select a driver, enter a valid LDAP filter and choose the association state to search for
       # Associations on objects found by the filter will be deleted
       # Synchronous search mode is used automatically
    -> Export associations (v2.5) - use at your own risk
       # Select the appropriate radio button
       # Select a driver, enter a valid LDAP filter and choose the association state to search for
       # Associations on objects found by the filter will be exported to a text file together with the object DN in the following format:
         cn=object,o=acme cn=driver,cn=driverdn,o=acme#1#{123-ABC}
         Notice that the object DN and the association are separated by a tab (\t)
       # Synchronous search mode is used automatically
    -> Import associations (v2.5) - use at your own risk
       # Select the appropriate radio button
       # Click the button and choose the file to import
       # The text file must be formatted like this:
         cn=object,o=acme cn=driver,cn=driverdn,o=acme#1#{123-ABC}
         Notice that the object DN and the association are separated by a tab (\t)
         You can only have ONE object per row
       # The function will NOT overwrite existing associations; if the association already exists the operation will fail
       # If you already have an association for the same driver on an object you will get double associations unless you delete those associations before importing
    -> Test results button (v2.7)
       # Displays the objects that will be affected when you perform a migrate/delete/export
    -> Display generated LDAP filter button (v2.7)
    -> Search for base DN (v2.7)
  - Manage Named Passwords (v1.5)
    # Currently in "beta" mode
  - Manage IDM jobs (v1.5)
    # Currently in "beta" mode
    # Set job trace level (v2.0)
    # Set job trace file path (v2.0)
    # Set job trace file size (v2.0)
  - Send XDS documents to IDM (v2.0)
    # Replicates the following dxcmd functionality:
      * Submit XDS command document to driver
      * Submit XDS event document to driver
      * Queue event for driver
    # Type in the XDS XML directly or read from a valid XML file
    # For each XDS operation in a file (add, modify, delete etc.) the program sends a separate XDS document to IDM
* Universal Password functions
  - Using the search box on the main screen you can search for users and retrieve Universal Password information
    # You can see the effective password policy for the user
    # You can see if Universal Password is enabled for the user
    # You can see if the Universal Password is set
    # You can see if the Universal Password history is full
    # You can see if the NDS password matches the Universal Password
    # You can see if the Simple Password matches the Universal Password
    # You can see if the Universal Password is older than the NDS password
    # You can see if the Simple Password is set
    # You can see if the Simple Password is in cleartext
    # You can see if the NDS password matches the Simple Password
    # You can see if the Universal Password conforms to the password policy
    # You can assign password policies to objects (v1.5)
    # You can delete the Universal Password or Simple Password from objects (v1.5)
    # You can set the Simple Password on objects (depending on password policy) (v1.5)
    # You can read the Simple Password from objects (v1.5)
* Login settings functions
  - After clicking on a user in the search results box you can use the tabs to change login settings; click Save to apply the new settings
    # View/change Login Disabled
    # View/change Login Activation Time
    # View/change Login Expiration Time
    # View/change Grace Login settings
    # View loginTime and lastLoginTime
    # View/change Password Expiration Time
    # View/change various Password settings
    # View/change Locked By Intruder
    # View Intruder attempts/address/intruder reset time (Only the IP-address is handled correctly)
    # View the pwdChangedTime and pwdFailureTime attributes (v1.1)
* Test username/password on multiple trees at once (v0.92)
  - Multiple Tree Logon Check: try to log on to up to 5 trees at once to verify that the password is correctly synced
    # Since v1.1 you can connect to Active Directory as well.
  - Select whether to use SSL or not (per connection) (v1.1)
  - Select if the system is eDirectory or Active Directory (v1.1)
  - Enter another attribute name to use for each connection besides the default one in the combobox. If the field is left empty it will use the default. (v1.1)
* Active Directory support (v1.1)
  - Display the following timestamp values in readable format:
    # lastLogonTimestamp
    # lastLogon
    # pwdLastSet
    # lockoutTime
    # badPasswordTime
    # accountExpires
  - After searching for a user and clicking on the search result you can use the AD tab to see/change the following:
    # Enable/disable the account.
    # Unlock the account if it's locked out.
    # Set/unset "Password not required"
    # Set/unset "Password never expires"
    # See if the password has expired.
    # Set/unset that the user must change password on next login.
* Improved Active Directory support (v3.0)
  - Display the following information, if the AD functional level supports those features or if they are enabled through GPO:
    # Password Expiry Time
    # Last Interactive Logon
    # Failed Interactive Logon
    # Failed Interactive Logon Count
    # Failed Interactive Logon Count At Last Successful Logon
    # Authenticated by DC (if authenticated by a Read Only Domain Controller)
* Attribute viewer (v1.1)
  - By double-clicking on a search result or pressing Enter on the keyboard you can bring up a simple attribute viewer that displays all attributes including operational attributes.
    Note: All attributes are displayed as simple strings.
* Delete objects (v2.5)
  - Select an object in the search view and click "Extra" in the menu and then "Delete selected item".
* Reciprocal attributes updater (v2.5)
  - Click "Extra" in the menu and then "Reciprocal"
    This is standard in all normal eDirectory tools such as iManager and ConsoleOne: if you add a user to a group those tools update the Group Membership attribute on the user and the Member attribute on the group.
    This tool allows you to perform the same operation but it can update any attribute you specify.
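The association export/import format above is simple, but the README's warnings (one object per row, tab-separated, no overwrite, double associations if the driver is already associated) are exactly the things worth checking before an import. The following is an added example in Python, not Console2 code: it parses a file in the documented layout, rejects malformed rows, and flags object/driver pairs that occur more than once. The sample file is constructed for the example. The association state codes used for validation (0 disabled, 1 processed, 2 pending, 3 manual, 4 migrate) are the ones documented for the DirXML-Associations attribute, not something the README states.

```python
"""Validate an Association Manager export file before importing it.

Added example, not Console2 code. Format: <objectDN><TAB><driverDN>#<state>#<value>,
one object per row (the DirXML-Associations value syntax).
"""
from typing import Dict, List, NamedTuple, Tuple

# DirXML-Associations state codes (from the IDM documentation, not the README).
STATE_NAMES = {0: "disabled", 1: "processed", 2: "pending", 3: "manual", 4: "migrate"}


class Association(NamedTuple):
    line_no: int
    object_dn: str
    driver_dn: str
    state: int
    value: str


def normalize_dn(dn: str) -> str:
    """Cheap DN normalisation for comparison: case-fold, drop spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_association_file(text: str) -> Tuple[List[Association], List[str]]:
    """Returns (valid rows, error messages). Errors carry the 1-based line number."""
    rows, errors = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are harmless
        parts = line.split("\t")
        if len(parts) != 2:
            errors.append("line %d: expected exactly one tab, found %d" % (line_no, len(parts) - 1))
            continue
        object_dn, assoc = parts[0].strip(), parts[1].strip()
        # The association value may itself contain '#', so split on the first two only.
        fields = assoc.split("#", 2)
        if len(fields) != 3 or not object_dn or not fields[0] or not fields[2]:
            errors.append("line %d: association must be driverDN#state#value" % line_no)
            continue
        driver_dn, state_text, value = fields
        if not state_text.isdigit() or int(state_text) not in STATE_NAMES:
            errors.append("line %d: unknown association state %r" % (line_no, state_text))
            continue
        rows.append(Association(line_no, object_dn, driver_dn, int(state_text), value))
    return rows, errors


def find_double_associations(rows: List[Association]) -> Dict[Tuple[str, str], List[int]]:
    """Object/driver pairs listed more than once. Importing these produces the
    double associations the README warns about. Maps the pair to its line numbers."""
    by_pair: Dict[Tuple[str, str], List[int]] = {}
    for r in rows:
        key = (normalize_dn(r.object_dn), normalize_dn(r.driver_dn))
        by_pair.setdefault(key, []).append(r.line_no)
    return {pair: lines for pair, lines in by_pair.items() if len(lines) > 1}


# Constructed sample export, not from a real tree. Line 3 repeats bob's driver
# (different case/spacing), line 4 uses a space instead of a tab, line 5 has a bad state.
SAMPLE = (
    "cn=alice,ou=users,o=acme\tcn=ADDriver,cn=DriverSet,o=acme#1#{1A2B3C4D-0000-0000-0000-000000000001}\n"
    "cn=bob,ou=users,o=acme\tcn=ADDriver,cn=DriverSet,o=acme#1#{1A2B3C4D-0000-0000-0000-000000000002}\n"
    "CN=Bob, ou=users,o=acme\tcn=ADDriver,cn=DriverSet,o=acme#4#{1A2B3C4D-0000-0000-0000-000000000003}\n"
    "cn=carol,ou=users,o=acme cn=ADDriver,cn=DriverSet,o=acme#1#{1A2B3C4D-0000-0000-0000-000000000004}\n"
    "cn=dave,ou=users,o=acme\tcn=ADDriver,cn=DriverSet,o=acme#9#x\n"
)


def check_sample():
    """Run the validator over SAMPLE; returns (rows, errors, doubles)."""
    rows, errors = parse_association_file(SAMPLE)
    return rows, errors, find_double_associations(rows)


if __name__ == "__main__":
    rows, errors, doubles = check_sample()
    print("%d valid rows, %d errors" % (len(rows), len(errors)))
    for e in errors:
        print("ERROR", e)
    for (obj, drv), lines in doubles.items():
        print("WARNING %s is associated with %s more than once (lines %s)" % (obj, drv, lines))
```

Run it over a real export before importing; fix or remove the flagged rows rather than relying on the import to fail cleanly, since the README notes it will not overwrite but will happily add a second association for the same driver.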
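The Active Directory features above all come down to decoding two binary representations: the Large Integer timestamps (lastLogon, pwdLastSet, lockoutTime, badPasswordTime, accountExpires) and the objectGUID, which the page later shows in readable form, in LDAP-filter form, as an Office 365 ImmutableId (Converter tool) and as a bind DN (Tips and tricks). The following is an added example in Python, not Console2 code, doing those conversions; the sample GUID and timestamp values are constructed for the example. The IDM association format for AD GUIDs mentioned under the Converter tool is not reproduced here because the page does not define it.

```python
"""Decode binary Active Directory values into the readable forms the AD tab shows.

Added example, not Console2 code.
"""
import base64
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses this (and 0) to mean "never".
_NEVER = 0x7FFFFFFFFFFFFFFF


def filetime_to_datetime(value) -> Optional[datetime]:
    """Large Integer timestamp -> aware UTC datetime.

    Returns None for the sentinels 0 and 0x7FFFFFFFFFFFFFFF; what they mean
    depends on the attribute: lockoutTime=0 is "not locked", pwdLastSet=0 is
    "must change password at next logon", accountExpires=0 or max is "never".
    """
    ticks = int(value)
    if ticks <= 0 or ticks >= _NEVER:
        return None
    # Integer-divide to microseconds so nothing is lost to float rounding.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def guid_to_string(raw: bytes) -> str:
    """objectGUID bytes -> {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

    The first three fields are stored little-endian, so a plain hex dump shows
    them byte-reversed; uuid.UUID(bytes_le=...) undoes that. The result, braces
    included, is also the form AD accepts as a bind DN.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "{%s}" % uuid.UUID(bytes_le=raw)


def string_to_guid(text: str) -> bytes:
    """Inverse of guid_to_string; accepts the value with or without braces."""
    return uuid.UUID(text.strip().strip("{}")).bytes_le


def guid_to_ldap_filter(raw: bytes) -> str:
    """Binary values in an RFC 4515 filter must be escaped byte by byte as \\xx."""
    return "(objectGUID=%s)" % "".join("\\%02x" % b for b in raw)


def guid_to_immutable_id(raw: bytes) -> str:
    """Office 365 ImmutableId is the Base64 of the raw 16 objectGUID bytes."""
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    sample_guid = bytes(range(1, 17))
    print(guid_to_string(sample_guid))
    print(guid_to_ldap_filter(sample_guid))
    print(guid_to_immutable_id(sample_guid))
    for name, v in {"pwdLastSet": "132000000000000000",
                    "lockoutTime": "0",
                    "accountExpires": "9223372036854775807"}.items():
        dt = filetime_to_datetime(v)
        print(name, dt.isoformat() if dt else "not set / never")
```

The sentinel handling is the part that matters operationally: a tool that renders lockoutTime=0 as the year 1601 instead of "not locked", or accountExpires=0 as "expired", leads to wrong conclusions during an investigation.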
* Lotus Domino support (v2.7)
  - Since v2.7 you can connect to a Lotus Domino LDAP server. Tested with v8.5.3.
  - You can change a user's HTTPPassword
  - Double-click on the user in the search results window to display the attribute viewer.
  - Some password related attributes are displayed in the "Domino" tab.
* ADLDS support (v2.7)
  - Tested with Microsoft ADLDS on Windows 2008 R2.
  - Usually requires a base DN to be entered when searching.
* Root DSE viewer (v2.7)
  - Click on Extra -> root DSE viewer
  - Displays the root DSE of the server you are connected to.
* Export eDirectory CA public key (v2.7)
  - Click on Extra -> Export eDirectory CA public key
    Allows you to export the eDirectory root CA public key in DER or Base64 format, instead of using iManager or ConsoleOne.
    Useful when you need the certificate for Remote Loader, for ICE or some other utility that wants to verify the server certificate.
* Check for new version (v2.7)
  - In the "Help" menu. Takes you to the Cool Solutions page for C2.
* LDAP filter generator (v3.0) - menu Extra -> Batch operations
  Click the little black cat icon.
  This allows you to generate an LDAP filter by pasting in values, one per row. For example, you can enter something like this:
  1
  2
  3
  etc.
  Then you must enter a name for the attribute, for example workforceID.
  The Generate button will then create an AND or OR filter depending on your choices.
  You can also select to append a static filter to the generated one.
  Without a static filter the generated OR filter looks something like this:
  (|(workforceID=1)(workforceID=2)(workforceID=3))
  Very effective if you have hundreds of values you need to search for.
* Reciprocal attribute report generator (v3.0) - menu Extra -> Reciprocal Report
  Allows you to find objects where the reciprocal attribute values are missing.
  For example, if you have a group and a user in eDirectory then the user that is a member of the group will have the attribute groupMembership, which points to the group.
  The group will have the attribute member, which points to the user.
  The report generator can be used to find all objects that have the groupMembership attribute and then check each group to make sure that it has the user listed in its member attribute.
  If the user is missing from the member attribute this will be written to a logfile named "ReciprocalReportyyyy-MM-dd HH_mm_ss.txt"
  You can enter any DN attribute name to check.
* Multivalue counter (v3.0) - menu Extra -> Value Count report
  Allows you to search for attributes that contain a specified number of values or more.
  Say you want to find all objects that have two e-mail addresses; you can enter the following in the search window:
  mail,2
  The application will fetch all objects containing the mail attribute and show you which ones contain two or more values.
  Besides being displayed on screen, an LDIF file will also be created in the C2 directory. The file is named MultiValueFinderyyyy-MM-dd HH_mm_ss.ldif
  You can enter multiple attributes to search for, one on each line. Example:
  mail,2
  sn,2
  This will cause the application to search for all objects that contain BOTH the mail and sn attributes AND that contain two or more values in those attributes.
* IDM CheckObjectPassword operation (v3.0) - menu Extra -> Batch operations
  This allows you to perform the CheckObjectPassword check that can be performed using iManager/dxcmd for all objects that match an LDAP filter.
  Instead of checking one object at a time you can check thousands of objects at once.
  You can choose to display the results on screen or save them to a file.
  CheckObjectPassword performs the following for each object:
  an LDAP request to check the nspmDistributionPassword value of an eDirectory object against the object's associated password in a connected system.
  This requires special rights in the directory: admin rights or the following.
  Rights needed: The request issuer must have Manage Password rights to the target object, or must be authenticated as the target object.
  To check the password of the issuer's own object, the issuer must have read access to the DirXML-AccessCheckObjectPassword attribute on the target DirXML-Driver object.
  To check the password of any object, the issuer must have write access to the DirXML-AccessCheckObjectPassword attribute on the target DirXML-Driver object.
  Manage Password rights means that the request issuer has either write access to the ACL attribute on the target object or write access to the Password Management attribute on the target object.
* Import LDIF files (v3.0) - menu Extra -> Batch operations
* Export LDIF files (v3.0) - menu Extra -> Batch operations
* Export a driver's cache to an XML file (v3.0) - menu IDM -> Dump driver cache to file
  Select the driver, which must be stopped and enabled, select the output file and press the perform operation button.
  No progress bar in this version!
* "Profile Manager" for managing all connection profiles (v3.0)
  Here you can add new connection profiles and change and delete existing profiles. You can also test your connections.
  You may also import connections from Apache Directory Studio.
* Display the GUID of Active Directory and eDirectory objects on the "Extra" tab (v3.0)
  Displays the GUID in readable format and in a format that can be used in an LDAP filter.
* DirXML-PasswordSyncStatus decoder button on the "Password" tab (v3.0)
  Decodes the information in the "DirXML-PasswordSyncStatus" attribute on a user and shows it in a readable format.
* OpenDJ support (v3.0)
  Displays the UUID, pwdChangedTime and last login time information on the OpenDJ tab.
  The name of the "last login time" attribute is fetched from the password policy assigned to the selected object.
  Supports setting the password on an OpenDJ user.
  The name of the password attribute is fetched from the password policy assigned to the selected object.
* Edit Novell/NetIQ IDM event auditing filter (v3.0)
  Copy settings from the selected driver set or driver to any driver set or driver in the same or a different tree.
  Export and import settings to/from a text file.
* Copy eDirectory auditing instrumentation settings (v3.0)
  Configure one eDirectory server as you want it using iManager and the auditing plugin.
  Copy those settings to any number of servers in the same tree or any other tree. Select multiple destination servers at once.
  Export auditing settings to a file and import auditing settings from a file.
* Create/edit/copy eDirectory indexes (v3.0)
  Create new indexes. Delete indexes. Copy indexes between servers and trees.
  Create compound indexes (v3.55)
* Schema editor (v3.0)
  Edit the LDAP schema - tested only with eDirectory.
  Create new classes and attributes. Edit existing classes and attributes. View class and attribute information.
  Display classes/attributes with custom qualifier flags, such as X_PUBLIC_READ.
  Copy classes and attributes between different eDirectory trees.
  View syntax information, i.e. which attributes use which syntax.
* Check Universal Password Status (v3.0)
  The function performs a Universal Password check for all password-enabled objects in the tree and writes the results to a file.
* Bulk update attributes from CSV (v3.0)
  The function performs an import from a CSV file.
* Manage the NMAS OATH HOTP method on a single user (v3.0)
  Enable/disable OTP
  See if the OATH OTP Secret is set
  See and change the OTP counter
  See and change the OTP digits number
  See and change the OTP user resync look-ahead window
  Generate a new OTP secret and display the result in Hex and Base32 format.
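The LDAP filter generator described under Batch operations above takes pasted values and an attribute name and builds an AND/OR filter, optionally ANDed with a static filter. The part a hand-rolled version usually gets wrong is escaping: a pasted value containing `*`, `(`, `)` or a backslash must be escaped per RFC 4515 or it changes the structure of the filter. The following is an added example in Python, not Console2 code; the attribute-name check, the duplicate removal and the chunking helper are this example's own choices, not behaviour the README attributes to the tool.

```python
"""Generate an OR/AND LDAP filter from a list of values, with RFC 4515 escaping.

Added example, not Console2 code.
"""
import re
from typing import Iterable, List, Optional

# Attribute description: a name or numeric OID, optionally with ;options (RFC 4512).
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")
# RFC 4515 escapes for the characters that would otherwise alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value so it cannot change the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def clean_values(values: Iterable[str]) -> List[str]:
    """Mimic 'one value per row' input: strip, drop blanks and exact duplicates."""
    seen, out = set(), []
    for v in values:
        v = v.strip()
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out


def generate_filter(attribute: str, values: Iterable[str], mode: str = "or",
                    static_filter: Optional[str] = None) -> str:
    """Build (|(attr=v1)(attr=v2)...) or (&...), optionally ANDed with a static filter."""
    if not _ATTR_RE.match(attribute):
        raise ValueError("invalid attribute description: %r" % attribute)
    if mode not in ("and", "or"):
        raise ValueError("mode must be 'and' or 'or'")
    cleaned = clean_values(values)
    if not cleaned:
        raise ValueError("no values supplied")
    terms = "".join("(%s=%s)" % (attribute, escape_filter_value(v)) for v in cleaned)
    # A single term is already a valid filter; only wrap when there is something to combine.
    generated = terms if len(cleaned) == 1 else "(%s%s)" % ("|" if mode == "or" else "&", terms)
    if static_filter:
        static_filter = static_filter.strip()
        # The static part is pasted in as a filter, not a value, so it is not escaped;
        # insist that it is at least one parenthesised expression with balanced parens.
        if not (static_filter.startswith("(") and static_filter.endswith(")")
                and static_filter.count("(") == static_filter.count(")")):
            raise ValueError("static filter must be a parenthesised LDAP filter")
        generated = "(&%s%s)" % (generated, static_filter)
    return generated


def generate_filters_chunked(attribute: str, values: Iterable[str], chunk_size: int = 500,
                             static_filter: Optional[str] = None) -> List[str]:
    """For hundreds of values: several OR filters so no single request is huge."""
    cleaned = clean_values(values)
    return [generate_filter(attribute, cleaned[i:i + chunk_size], "or", static_filter)
            for i in range(0, len(cleaned), chunk_size)]


if __name__ == "__main__":
    print(generate_filter("workforceID", ["1", "2", "3"]))
    # A pasted value containing filter metacharacters stays a literal.
    print(generate_filter("cn", ["*)(objectClass=*"]))
    print(generate_filter("workforceID", ["1", "2"], static_filter="(objectClass=inetOrgPerson)"))
```

The same escaping applies to any value the Association Manager or batch operations take from user input; the static filter is the one place where a raw filter is intentionally accepted, which is why the example only sanity-checks it rather than escaping it.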
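The NMAS OATH HOTP settings listed above (secret in Hex/Base32, counter, digit count, resync look-ahead window) map directly onto RFC 4226. The following is an added example in Python, not Console2 or NMAS code, that generates a secret in the two displayed encodings, computes HOTP values, and verifies a submitted code the way a server with a look-ahead window would. How NMAS actually applies its window is not stated on the page; the verifier here assumes the common behaviour (accept the first match in counter..counter+window, then move the stored counter past it). The test secret is the RFC 4226 appendix D value, not a real user's.

```python
"""HOTP (RFC 4226): secret generation, code computation, look-ahead verification.

Added example, not Console2 or NMAS code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step, zero-padded to `digits`."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6-8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def generate_secret(length: int = 20) -> Tuple[bytes, str, str]:
    """Fresh random secret as (raw, hex, Base32), the two encodings the tool displays.
    20 bytes (160 bits) is the RFC 4226 recommended minimum for HMAC-SHA-1."""
    raw = secrets.token_bytes(length)
    return raw, raw.hex(), base64.b32encode(raw).decode("ascii")


def verify_hotp(secret: bytes, counter: int, otp: str,
                digits: int = 6, look_ahead: int = 10) -> Optional[int]:
    """Server-side check. Returns the new counter to store (one past the matching
    step) or None. Codes behind the stored counter are rejected, so a captured
    OTP cannot be replayed; codes the user 'burned' are resynced via the window."""
    for step in range(counter, counter + look_ahead + 1):
        # Constant-time comparison so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, step, digits), otp):
            return step + 1
    return None


if __name__ == "__main__":
    demo = b"12345678901234567890"          # RFC 4226 appendix D test secret
    print([hotp(demo, c) for c in range(3)])
    print(verify_hotp(demo, 0, "359152"))    # user skipped two codes: accepted, counter -> 3
    print(verify_hotp(demo, 3, "287082"))    # stale code behind the counter: rejected
    raw, hex_form, b32_form = generate_secret()
    print(hex_form, b32_form)
```

Two operational points follow from the code: a large look-ahead window makes brute force easier (each guess is checked against window+1 counter values), and "See and change the OTP counter" is a resync tool, not a safe default; moving the counter backwards re-enables codes that were already used.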
* Edit attributes directly from the LDAP entry viewer (v3.05)
  Add new attribute
  Add new value
  Edit existing value
  Delete attribute or specific value (Improved in v3.4)
  Delete entry
  Reload entry
  The following value editors are available:
  - Boolean
  - Integer/Large Integer
  - Generalized Time
  - AD Date/Time based on Large Integer
  - Simple string editor
    - Syntax highlighting (v3.6)
  - DN editor (v3.2)
  - Photo attributes editor - view and upload images (v3.4)
* LDAP Browser functionality in beta stage, found in Beta -> Browser (v3.2)
  - Favorites functionality in beta stage in the LDAP Browser (v3.4)
  - "Open in LDAP Browser" right-click menu on DN (v3.6)
* View binary attributes in Hex viewer - read only (v3.05)
* Converter tool (v3.68)
  - Base64 decoding
  - AD GUID conversion to IDM association format and Office 365 ImmutableId format.
* View as another user (v3.70)
  - Use the main search window to find an object, right-click and choose View as another user, then select the user you want to view the object as.
  - Requires that the LDAP server supports the Proxied Authorization control (2.16.840.1.113730.3.4.18) and that the account you are bound as is allowed to proxy as the selected user; otherwise the server rejects the operation.

Tips and tricks
--Binding to AD with the objectGUID--
Use the GUID in the following format as the bind DN instead of a regular DN:
{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
More info: https://msdn.microsoft.com/en-us/library/cc223499.aspx

Console2 uses Java libraries from:
* Novell
  - JLDAP (https://www.novell.com/developer/ndk/ldap_classes_for_java.html) / (http://www.openldap.org/jldap/)
  - DirXML (https://www.netiq.com/documentation/identity-manager-developer/driver-developer-kit.html)
  - NMAS (https://www.novell.com/developer/ndk/novell_modular_authentication_service.html)
* UnboundID LDAP SDK (https://github.com/pingidentity/ldapsdk)
* Jasypt (http://www.jasypt.org/)
* Apache (http://apache.org/)
* SLF4J (https://www.slf4j.org/)
* Logback (https://logback.qos.ch/)
* RSyntaxTextArea (https://github.com/bobbylight/RSyntaxTextArea)

Thanks to: Novell, NetIQ, UnboundID, Jasypt, Apache, SLF4J, Logback, RSyntaxTextArea!

Changelog format inspired by Novell PWM: http://www.novell.com/communities/node/12216/pwm-v155

Uses icons from http://www.oxygen-icons.org/ and http://www.aha-soft.com/
All free icons listed on this page are licensed under a Creative Commons Attribution-Share Alike 3.0 License. This means that you can freely use these icons for any personal and commercial purposes (software interfaces, online services, blogs, templates etc.). However, you should include a link to www.aha-soft.com in your credits.
Uses icons from http://p.yusukekamiyamane.com/ licensed under the Attribution 3.0 Unported (CC BY 3.0) (http://creativecommons.org/licenses/by/3.0/)
Uses icons from the Open Icon Library http://openiconlibrary.sourceforge.net/LICENSES.html

License: Charityware
You may not sell this software.
********************************************************************* THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. *********************************************************************