6.7. ldappasswd

Use ldappasswd to set or change user passwords in Directory Server.

Syntax

ldappasswd [ options ] [ user ]

user is the authentication identity, typically a DN. If not specified, the distinguished name specified by the -D option (bind name) is used.

ldappasswd-specific Options

Option Description
-A Specifies that the command should prompt for the user's existing password.
-a Specifies the user's existing password. For example:
-a old_password
-S Specifies that the command should prompt for a new password for the user.
-s Specifies a new password for the user. For example:
-s new_password
-T Specifies a file from which to read the new password. For example:
-T new_password.txt
-t Specifies a file from which to read the user's existing password. For example:
-t old_password.txt
-w Specifies the password associated with the distinguished name specified in the -D option. For example:
-w mypassword
Table 6.18. ldappasswd-specific Options

General ldappasswd Options

NOTE

The ldappasswd utility requires confidentiality. If the messages are not encrypted with SSL, TLS, or an appropriate SASL mechanism, the server will not perform the request.

Option Description
-3 Specifies that hostnames should be checked in SSL certificates.
-D

Specifies the distinguished name with which to authenticate to the server. This value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. For example:

-D "uid=bjensen, dc=example,dc=com"

The -D option cannot be used with the -N option.

For more information on access control, see the "Managing Access Control" chapter in the Directory Server Administration Guide.

-g

Specifies that the password policy request control not be sent with the bind request. By default, the new LDAP password policy request control is sent with bind requests.

The ldappasswd tool can parse and display information from the response control if it is returned by a server; that is, the tool will print an appropriate error or warning message when a server sends the password policy response control with the appropriate value.

The criticality of the request control is set to false so that LDAPv3 servers that do not understand the control can ignore it. To suppress sending of the request control with the bind request, include -g on the command line.

-h Specifies the name of the host on which the server is running. For example:
-h cyclops
The default is localhost.
-I Specifies the SSL key password file that contains the token:password pair.
-K

Specifies the path, including the filename, of the private key database of the client. This can be the absolute or relative (to the server root) path.

The -K option must be used when the key database is not called key3.db or when the key database is not in the same directory as the certificate database (that is, the cert8.db file, the path for which is specified with the -P option).

-N

Specifies the certificate name to use for certificate-based client authentication. For example:

-N Server-Cert

If this option is specified, then the -Z and -W options are required.

If this option is specified, then the -D and -w options must not be specified, or certificate-based authentication will not occur, and the bind operation will use the authentication credentials specified by -D and -w.

-P

Specifies the absolute path, including the filename, of the certificate database of the client. This option is used only with the -Z option.

When used on a machine where an SSL-enabled web browser is configured, the path specified on this option can be that of the certificate database for the browser. For example:

-P /security/cert.db

The client security files can also be stored on the Directory Server in the /etc/dirsrv/slapd-instance_name directory. In this case, the -P option would call out a path and filename similar to the following:

-P /etc/dirsrv/slapd-instance_name/client-cert.db
-p Specifies the port number that the server uses. The default is 389. If -Z is used, the default is 636.
-Q Specifies the token and certificate name for PKCS11, separated by a colon (:).
-W Specifies the password for the certificate database identified on the -P option. For example:
-W serverpassword
-w

Specifies the password associated with the distinguished name that is specified in the -D option. For example:

-w diner892

The default is "", or anonymous.

If a password is not sent on the command line and the server requires one, the command prompts for one. It is more secure not to provide a password on the command line, so that it does not show up in clear text in a listing of commands.

-Z

Specifies that SSL is to be used for the search request.

-ZZ

Specifies the Start TLS request. Use this option to make a cleartext connection into a secure one. If the server does not support Start TLS, the command does not need to be aborted; it will continue in cleartext.

-ZZZ

Enforces the Start TLS request. The server must respond that the request was successful. If the server does not support Start TLS, for example because Start TLS is not enabled or the certificate information is incorrect, the command is aborted immediately.

Table 6.19. General ldappasswd Options

Examples

The following examples show how to perform various tasks using the ldappasswd command.

The Directory Manager changes the password of the user uid=tuser1,ou=People,dc=example,dc=com to new_password over SSL.

ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" \
     -w dmpassword -s new_password "uid=tuser1,ou=People,dc=example,dc=com"
Example 6.1. Directory Manager Changing a User's Password Over SSL

The Directory Manager generates the password of the user uid=tuser2,ou=People,dc=example,dc=com over SSL.

ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "cn=Directory Manager" \
     -w dmpassword "uid=tuser2,ou=People,dc=example,dc=com"
Example 6.2. Directory Manager Generating a User's Password

NOTE

For more information on newly-generated passwords, see the "Managing the Password Policy" section of the Directory Server Administration Guide.

A user, tuser3, changes the password from old_password to new_password over SSL.

ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -D "uid=tuser3,ou=People,dc=example,dc=com" \
    -w old_password -a old_password -s new_password
Example 6.3. User Changing His Own Password

A user, tuser4, authenticates with the user certificate and changes the password to new_password over SSL.

ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db -W dbpassword -N "uid=tuser4" \
      -K /etc/dirsrv/slapd-instance_name/key3.db -s new_password

Example 6.4. User Authenticating With a User Certificate and Changing His Password

A user, tuser5, authenticates with DIGEST-MD5 and changes the password to new_password.

ldappasswd -h myhost -o "mech=DIGEST-MD5" -o "authid=dn:uid=tuser5,ou=People,dc=example,dc=com" \
      -w old_password -s new_password
Example 6.5. User Authenticating with DIGEST-MD5 and Changing His Password

A user who has already authenticated with Kerberos is prompted for the new password. This is not performed over SSL.

ldappasswd -h myhost -o "mech=GSSAPI" -S
Example 6.6. User Already Authenticating by Kerberos Prompts for a New Password
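As a practitioner's complement to the note under -w (passwords given as option values show up in clear text in a process listing) and to the -Z/-ZZ/-ZZZ options, the following is an added Python checker. It is not part of the Directory Server tools or of this reference. It audits ldappasswd command lines, for instance lines recovered from a shell history, for secrets passed inline with -w, -a or -s, and for a connection that has neither -Z nor -ZZZ nor a confidential SASL mechanism, reporting the -ZZ fallback to cleartext as a weakness. The sample lines are constructed copies of Examples 6.1 and 6.6 plus a hardened form of Example 6.3 (prompting with -A and -S over enforced Start TLS). The function names, and the treatment of GSSAPI and DIGEST-MD5 as satisfying the confidentiality requirement (as the examples on this page imply), are assumptions of this example.

```python
"""Audit ldappasswd invocations (e.g. from a shell history or an audit log)
for secrets passed as option values and for a connection without the
confidentiality the server requires. Added example, not a Directory Server tool."""
import shlex

# Options whose value is a secret; each has a prompting or file-based substitute.
INLINE_SECRET_OPTS = {"-w": "bind password", "-a": "existing password", "-s": "new password"}
SAFE_ALTERNATIVES = {"-w": "omit -w and let the tool prompt",
                     "-a": "-A (prompt) or -t old_password_file",
                     "-s": "-S (prompt) or -T new_password_file"}
# Other options that consume the following argument (so it is never read as a flag).
VALUE_OPTS = {"-D", "-h", "-p", "-P", "-K", "-N", "-W", "-I", "-Q", "-T", "-t", "-o"}
# SASL mechanisms this reference's examples use without -Z (assumption: they suffice).
CONFIDENTIAL_SASL = {"GSSAPI", "DIGEST-MD5"}


def audit_ldappasswd(cmdline):
    """Return a dict describing one ldappasswd command line.

    'inline_secrets': option names whose secret value is on the command line
    'transport': 'ssl', 'starttls-enforced', 'starttls-optional', 'sasl' or 'cleartext'
    'sasl': the -o mech=... value, if any
    'notes': one advisory string per finding (empty when nothing is wrong)
    """
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ldappasswd":
        raise ValueError("not an ldappasswd command line")
    inline, notes, sasl_mech, transport = [], [], None, "cleartext"
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in INLINE_SECRET_OPTS:
            inline.append(arg)
            notes.append("%s exposes the %s in a process listing; use %s"
                         % (arg, INLINE_SECRET_OPTS[arg], SAFE_ALTERNATIVES[arg]))
            i += 2
        elif arg == "-o":
            value = argv[i + 1] if i + 1 < len(argv) else ""
            if value.startswith("mech="):
                sasl_mech = value[len("mech="):].upper()
            i += 2
        elif arg in VALUE_OPTS:
            i += 2                      # skip the option's non-secret value
        elif arg in ("-Z", "-ZZ", "-ZZZ"):
            transport = {"-Z": "ssl", "-ZZ": "starttls-optional",
                         "-ZZZ": "starttls-enforced"}[arg]
            i += 1
        else:
            i += 1                      # -A, -S, -g, -3, or the trailing user DN
    if transport == "starttls-optional":
        notes.append("-ZZ continues in cleartext if Start TLS is unavailable; use -ZZZ")
    if transport == "cleartext":
        if sasl_mech in CONFIDENTIAL_SASL:
            transport = "sasl"
        else:
            notes.append("no -Z/-ZZZ and no confidential SASL mechanism; "
                         "the server will not perform the request")
    return {"inline_secrets": inline, "transport": transport,
            "sasl": sasl_mech, "notes": notes}


def audit_history(lines):
    """Run audit_ldappasswd over every ldappasswd line in an iterable of command lines."""
    return [(line, audit_ldappasswd(line)) for line in lines
            if line.strip().startswith("ldappasswd")]


# Constructed sample: copies of Examples 6.1 and 6.6 above, a hardened form of
# Example 6.3 (prompting for both passwords over enforced Start TLS), and one
# unrelated command that the scan must skip.
SAMPLE_HISTORY = [
    'ldappasswd -Z -h myhost -P /etc/dirsrv/slapd-instance_name/cert8.db '
    '-D "cn=Directory Manager" -w dmpassword -s new_password '
    '"uid=tuser1,ou=People,dc=example,dc=com"',
    'ldappasswd -h myhost -o "mech=GSSAPI" -S',
    'ldappasswd -ZZZ -h myhost -D "uid=tuser3,ou=People,dc=example,dc=com" -A -S',
    'ls -l /etc/dirsrv',
]

if __name__ == "__main__":
    for line, result in audit_history(SAMPLE_HISTORY):
        print(line)
        print("  transport:", result["transport"],
              " inline secrets:", result["inline_secrets"])
        for note in result["notes"]:
            print("  -", note)
```

Run it over a real history by replacing SAMPLE_HISTORY with the file's lines; the first sample line reports -w and -s as inline secrets, the GSSAPI line is accepted because the SASL mechanism carries the confidentiality, and the hardened line produces no findings.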