How to search for hidden objects in eDirectory 8.7.3

  • 7016429
  • 16-Apr-2015
  • 16-Apr-2015

Environment

Novell eDirectory 8.7.3 for NetWare 6.5
Novell NetWare 6.5 Support Pack 1

Situation

The most effective way to create a hidden container containing a hidden user that has tree-wide rights is:
1. Create a user object for a temporary admin anywhere in the tree and give it explicit rights to root.
2. While logged in as this user, create an OU low in the tree.
3. Create a user object in this container, then give this user full explicit rights to root and to this container.
4. Create an IRF on this container masking all entry rights.
5. Log in as the tree admin, then delete the temporary admin so there is no backlink to the hidden user.

The Cool Solutions hidden object locator used to look for all objects that admin has no rights to. Since this no longer works with newer versions of eDirectory, there are two alternatives.
The Cool Solutions hidden object locator does not seem to work.
A secondary admin has created a hidden Organizational Unit which needs to be found.

Resolution

If Attribute Rights were not masked as well, then an LDAP search can be performed to find all objects with an inherited rights filter blocking all entry rights.

- With the ldapsearch utility, use the following command as a sample:
C:\novell\consoleone\1.2\bin>ldapsearch -h 137.65.214.96 -D cn=admin,o=emg -w novell -b o=emg "(ACL=0#subtree#[Inheritance Mask]#[Entry Rights])"

- Using a GUI, Java-based LDAP browser such as "LDAP Browser/Editor" by Jarek Gawor (http://www.iit.edu/~gawojar/ldap), use the following as a search example:
(ACL=0#subtree#[Inheritance Mask]#[Entry Rights])

This will return all objects with an IRF masking all entry rights.
If the Attribute Rights have been masked as well, then the best way to go about it is to search for an inconsistency in the reported subordinates of a container or object.

To perform this search:
1. Using dsbrowse.nlm, select Object Search and search for all (*) object names directly under a particular context with a class of Organizational Unit under an O or OU. You will be returned a list of these along with a count. Since this uses no authentication, all OUs, including those hidden, are added to the total, i.e., a count of 11.
2. Next, go into iMonitor and perform the same search using the search icon at the top of the screen. Since this uses an authenticated connection, you will get a count one less than dsbrowse if there is a hidden container. Simply match up the lists given by both. dsbrowse will actually show the container in the list, while iMonitor will not.
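Both resolution paths above can be automated over captured output. The following is an added example, not part of the original TID: it parses eDirectory ACL values (privileges#scope#subjectName#protectedAttrName) from constructed ldapsearch-style LDIF to flag the IRF the filter above looks for, and it diffs an unauthenticated (dsbrowse) subordinate list against an authenticated (iMonitor) one. The sample DNs and OU names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample imitating ldapsearch LDIF output for two OUs under o=emg.
SAMPLE_LDIF = """\
dn: ou=sales,o=emg
objectClass: organizationalUnit
ACL: 2#entry#[Public]#messageServer

dn: ou=hidden,o=emg
objectClass: organizationalUnit
ACL: 0#subtree#[Inheritance Mask]#[Entry Rights]
ACL: 0#subtree#[Inheritance Mask]#[All Attributes Rights]
"""

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Map each dn to its ACL values (minimal parser: no line wrapping, no base64)."""
    entries: Dict[str, List[str]] = {}
    dn, acls = None, []
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = acls
            dn, acls = None, []
        elif line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("ACL: "):
            acls.append(line[5:].strip())
    return entries

def split_acl(value: str) -> Tuple[str, str, str, str]:
    """eDirectory ACL syntax: privileges#scope#subjectName#protectedAttrName."""
    privileges, scope, subject, attr = value.split("#", 3)
    return privileges, scope, subject, attr

def entry_rights_masked(acls: List[str]) -> bool:
    """True when an IRF (subject [Inheritance Mask]) grants 0 privileges on [Entry Rights]."""
    target = ("0", "subtree", "[Inheritance Mask]", "[Entry Rights]")
    return any(split_acl(a) == target for a in acls)

def find_masked_entries(text: str) -> List[str]:
    """Offline equivalent of the (ACL=0#subtree#[Inheritance Mask]#[Entry Rights]) search."""
    return sorted(dn for dn, acls in parse_ldif(text).items() if entry_rights_masked(acls))

def hidden_subordinates(unauth: List[str], auth: List[str]) -> List[str]:
    """Second method: names the unauthenticated dsbrowse listing shows but iMonitor omits."""
    return sorted(set(unauth) - set(auth))
```

When attribute rights are masked too, the ACL values themselves are unreadable over LDAP, which is why the subordinate-count comparison is the fallback.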

Additional Information

Formerly known as TID# 10094804
Formerly known as NOVL99091