
Re: Reply: Re: Changing User Password with ldappasswd

The thing works that way with my openldap 2.0.14 server and clients.  If 
you have another client, then you'd consult the man page.  BTW, the "-S" 
option instructs the program to ask the user to provide a new password in 
a way similar to passwd(1).  It's only a bit confusing that ldappasswd 
asks for the bind password (i.e. the old one) at the end.

For what reason don't you want users to enter their password from the 
terminal (i.e. not on the command line)?  Anyway, if a user wants to change 
his password, he _must_ provide it in some way, either by typing it 
interactively or supplying it on the command line.  For invoking 
ldappasswd means creating a new (and unrelated) connection to the server.

BTW, I had to include "ou=People" in the name:

$ ldappasswd -D "uid=ldapuser,ou=People,<the base dn>"

but that depends on your ldap directory structure.

Hope this helps.



To:     Dejan Muhamedagic/Austria/Contr/IBM@IBMAT
cc:     openldap-software@OpenLDAP.org 
Subject:        Reply: Re: Changing User Password with ldappasswd

Hello Dejan,

sorry, but this did not work (first I dropped the -W because I DON'T want 
the user to enter the ldap password).
The -S switch is unknown to my ldappasswd...

When I issue

ldappasswd -D 'cn=user, o=my organization, c=D' (either with or without 
the filter "uid=userid")

I get an "insufficient access" message.


"Dejan Muhamedagic" <dejan.muhamedagic@at.ibm.com> on 2002-01-30 14:46:02

To:    thomas.emde@scaleon.de
Cc:    openldap-software@OpenLDAP.org
Subject: Re: Changing User Password with ldappasswd


You should use the user's DN and not the admin's DN:

ldappasswd -WS -D 'cn=user, o=my organization, c=D'

This way you'll bind to the server as the "user" and not as the admin.



Sent by:        owner-openldap-software@OpenLDAP.org
To:     openldap-software@OpenLDAP.org
Subject:        Changing User Password with ldappasswd


I try to change the attr userPassword of an ldap db entry while being logged on
as the user represented by the entry itself.
So when a user enters "ldappasswd -W -D 'cn=Admin, o=my organization, c=D'
'uid=userid'" he is asked for the rootpw and afterwards can successfully
change his password. But this is not what I intended, because I don't want to
tell my users the rootpw of the ldap db.
My access control section in slapd.conf looks as follows:

access to dn=".*, o=my organization, c=D" attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Admin,o=my organization, c=D" write
        by * none

I understood that by specifying "...by self write..." every user who is
represented by an ldap entry should be able to modify his attr userPassword
WITHOUT having to know the rootpw.
Is this wrong? How can I get around this?

best regards,
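To make the ACL discussion concrete, here is an added example (constructed for this page; it is not code from the thread or from OpenLDAP) that models slapd's rule of taking the first matching `by` clause of the `access to` directive quoted above. It shows that a bind as the entry's own DN (`by self write`) or as the admin DN gets write access to userPassword, while an anonymous bind only matches `by anonymous auth`, which lets a simple bind check the password but does not allow a modify. The DN normalisation and the single-directive scope are deliberate simplifications.

```python
import re

# Simplified model of the ACL from the original post (constructed for this example).
ACL_TARGET_DN = r".*, o=my organization, c=D"   # regex from `access to dn=...`
ACL_TARGET_ATTR = "userPassword"
ACL_BY = [                                        # evaluated in order; first match wins
    ("self", "write"),
    ("anonymous", "auth"),
    ("dn=cn=Admin,o=my organization, c=D", "write"),
    ("*", "none"),
]
# slapd access levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm(dn):
    """Crude DN normalisation: drop whitespace around commas, ignore case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def granted(bind_dn, target_dn, attr):
    """Access level the directive grants `bind_dn` on `attr` of `target_dn`.

    An empty `bind_dn` means an anonymous bind (what ldappasswd does with no
    -W/-w).  Returns None when the directive does not apply to the request.
    """
    if attr != ACL_TARGET_ATTR or not re.fullmatch(ACL_TARGET_DN, target_dn, re.IGNORECASE):
        return None
    for who, level in ACL_BY:
        if who == "self" and bind_dn and norm(bind_dn) == norm(target_dn):
            return level
        if who == "anonymous" and not bind_dn:
            return level
        if who.startswith("dn=") and bind_dn and norm(who[3:]) == norm(bind_dn):
            return level
        if who == "*":
            return level
    return "none"


def can_change_password(bind_dn, target_dn):
    """True if a bind as `bind_dn` may modify userPassword on `target_dn` (needs write)."""
    level = granted(bind_dn, target_dn, ACL_TARGET_ATTR)
    return level is not None and LEVELS.index(level) >= LEVELS.index("write")


if __name__ == "__main__":
    user = "cn=user, o=my organization, c=D"
    admin = "cn=Admin, o=my organization, c=D"
    for bind in (user, admin, ""):
        print(repr(bind or "<anonymous>"), "->", granted(bind, user, ACL_TARGET_ATTR))
```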