
Finding Duplicate GUIDs

The script works by taking the GUID of every object present in the LDIF file given as input. It builds a hash of arrays keyed by GUID, where each array holds the distinguished names (DNs, in LDAP format) of the objects carrying that GUID. After the main processing pass it determines which of those arrays hold more than one value (more than one DN per GUID) and prints all the DNs for each such GUID. For exact details, refer to the script source code.

Why Duplicate GUIDs?



What happens if you have duplicate GUIDs? Duplicate GUIDs should not be possible in most situations. eDirectory by default creates a unique GUID (the 'U' in GUID is 'unique') for every object it has ever created. However, GUIDs are sometimes duplicated when somebody is moving from very old servers (before NetWare 5.1) to new servers. Early versions of eDirectory did not have GUIDs, so in these cases they have to be generated for existing users, and in a few cases problems have been found. Also, if you have a misconfigured driver running in Identity Manager, GUIDs could be synchronized between trees, creating duplicates; however, that would require the user to make some bad decisions. If you have duplicate GUIDs in your tree, you could also have permissions issues in NSS (where a user is identified by a GUID) and synchronization issues with Identity Manager (where a user is uniquely identified in each tree by their GUID or another unique identifier).



About the LDAP Configuration



LDAP on the server needs to simply be active. On the server used for testing there is no explicit attribute mapping for GUID, but nldap apparently knows how to retrieve that attribute anyway. You will need sufficient rights for the LDAP query to work. Any LDAP server shipped with Novell eDirectory should be fine out of the box for the LDAP query to be run against.



The system running the eDirectory/LDAP server, as mentioned above, needs to be fairly plain and configured out of the box. Most custom changes should not be a problem as long as you do not map 'guid' to some other attribute in eDirectory. If you have eDirectory, you have LDAP by default installed and running. No extra packages, therefore, are needed as long as you have eDirectory, regardless of platform.



The LDAP search utility given as an example (from the Perl script) is available with any distribution of Linux/Unix and also comes as an .exe with ConsoleOne in the c:\novell\consoleone\1.2\bin (by default) directory. ICE from the NetWare server, iManager, or ConsoleOne would also be sufficient with the correct parameters. (Requesting GUID as an attribute is the only change to make from a default LDAP query).



ldapsearch Example



Running the following command (substituting the correct IP address and admin user for your system; the filter and the requested attribute follow the connection options, and -W prompts for the password):



ldapsearch -h 151.155.132.170 -p 389 -D cn=admin,dc=users,dc=system -x -W 'cn=test*' GUID


will result in output similar to the following:



# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=test*
# requesting: GUID
#

# test00000, finance, novell, myorgs
dn: cn=test00000,ou=finance,o=novell,dc=myorgs
GUID:: CFpbaLrjhk+kLGVOpYJzmg==

# test00001, finance, novell, myorgs
dn: cn=test00001,ou=finance,o=novell,dc=myorgs
GUID:: 0PtaPeapqUuLnkDrBrT5sA==

# test00002, finance, novell, myorgs
dn: cn=test00002,ou=finance,o=novell,dc=myorgs
GUID:: d+FBlNq5qku0NvxZaCAFzA==

# test00003, finance, novell, myorgs
dn: cn=test00003,ou=finance,o=novell,dc=myorgs
GUID:: /+6rMv3yA0+iOqVl2mlH9g==

# test00004, finance, novell, myorgs
dn: cn=test00004,ou=finance,o=novell,dc=myorgs
GUID:: m0lG6vzLHUWyX0v71k6w+Q==
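The attached dupeguid.pl is not reproduced on this page, so the following Python script is an added example (not the article's Perl code) that implements the same approach described at the top of the article: it parses LDIF of the shape produced by the ldapsearch command above, decodes the base64 GUID values (the "::" form), builds a map from GUID to the DNs carrying it, and reports every GUID shared by more than one DN. The LDIF embedded in it is constructed for the example: it reuses the DNs and GUID values from the output above and adds a made-up duplicate, an entry with a folded (continuation) line, and a legacy entry with no GUID at all, which is how objects from pre-GUID eDirectory versions would appear. Given a file name on the command line it reads that file instead of the built-in sample.

```python
import base64
import sys
from collections import defaultdict

# Constructed sample LDIF in the shape of the ldapsearch output above.
# cn=dupe01 deliberately shares its GUID with cn=test00002, the GUID of
# cn=test00004 is folded across two lines (LDIF continuation lines start with
# a single space), and cn=legacy01 has no GUID attribute at all.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=test*
# requesting: GUID
#

# test00000, finance, novell, myorgs
dn: cn=test00000,ou=finance,o=novell,dc=myorgs
GUID:: CFpbaLrjhk+kLGVOpYJzmg==

# test00001, finance, novell, myorgs
dn: cn=test00001,ou=finance,o=novell,dc=myorgs
GUID:: 0PtaPeapqUuLnkDrBrT5sA==

# test00002, finance, novell, myorgs
dn: cn=test00002,ou=finance,o=novell,dc=myorgs
GUID:: d+FBlNq5qku0NvxZaCAFzA==

# dupe01, hr, novell, myorgs (constructed duplicate)
dn: cn=dupe01,ou=hr,o=novell,dc=myorgs
GUID:: d+FBlNq5qku0NvxZaCAFzA==

# test00004, finance, novell, myorgs (folded value)
dn: cn=test00004,ou=finance,o=novell,dc=myorgs
GUID:: m0lG6vzLHUWyX0v7
 1k6w+Q==

# legacy01, hr, novell, myorgs (constructed, no GUID)
dn: cn=legacy01,ou=hr,o=novell,dc=myorgs
"""


def unfold(lines):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lower: [value, ...]}) tuples.

    'attr:: value' is base64 and is decoded to bytes; 'attr: value' stays a str.
    """
    entries = []
    dn, attrs = None, defaultdict(list)
    for line in unfold(text.splitlines()):
        if line.startswith("#"):          # ldapsearch writes comment lines
            continue
        if not line.strip():              # a blank line terminates an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value.decode("utf-8") if isinstance(value, bytes) else value
        else:
            attrs[name.lower()].append(value)
    if dn is not None:                    # file may end without a trailing blank line
        entries.append((dn, dict(attrs)))
    return entries


def guid_to_text(raw):
    """Render a GUID value as lowercase hex so it can serve as a dictionary key."""
    return raw.hex() if isinstance(raw, bytes) else raw


def find_duplicate_guids(ldif_text):
    """Return {guid_hex: [dn, ...]} for every GUID carried by more than one DN."""
    by_guid = defaultdict(list)           # the script's hash of arrays
    for dn, attrs in parse_ldif(ldif_text):
        for raw in attrs.get("guid", []):
            by_guid[guid_to_text(raw)].append(dn)
    return {g: dns for g, dns in by_guid.items() if len(dns) > 1}


def objects_without_guid(ldif_text):
    """DNs of entries that carry no GUID at all (worth checking in trees migrated from pre-GUID servers)."""
    return [dn for dn, attrs in parse_ldif(ldif_text) if not attrs.get("guid")]


def report(ldif_text):
    """Human-readable summary of duplicate and missing GUIDs."""
    lines = []
    for guid, dns in sorted(find_duplicate_guids(ldif_text).items()):
        lines.append(f"GUID {guid} is shared by {len(dns)} objects:")
        lines.extend(f"  {dn}" for dn in dns)
    for dn in objects_without_guid(ldif_text):
        lines.append(f"No GUID on {dn}")
    return "\n".join(lines) if lines else "No duplicate or missing GUIDs found."


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    print(report(text))
```

Run it as `python dupeguid_check.py output.ldif` against the file saved from ldapsearch (the script name is an assumption), or with no argument to see the built-in sample. The GUID is kept as raw decoded bytes and compared as hex rather than as the base64 text, so two values that encode the same 16 bytes are still matched even if one was folded or padded differently in the LDIF.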


Running the Duplicate Guid Finder



To run the Duplicate Guid Finder, pass it the file you saved the ldapsearch output to (here, output.ldif):



./dupeguid.pl output.ldif


That's all that's needed to run the attached Perl script. Your PC will also need to have Perl installed and working properly. If the script cannot be executed directly (for example, the interpreter line at the top of the script is not honored on your platform), invoke Perl explicitly:



perl dupeguid.pl output.ldif


Note that you can add Perl to a Windows machine by using a free download from:



http://www.activestate.com/Products/ActivePerl/


As a note, that company is not affiliated with Novell in any way.



Fixing the Duplicate GUIDs



Finally, the only fix for duplicate GUIDs is to recreate all but one of the objects sharing a GUID with another object. This is the sad truth about the issue.
