OpenDS LDAP Client Utilities Commands -- ldappasswordmodify

ldappasswordmodify

The ldappasswordmodify command modifies LDAP passwords.

Synopsis

ldappasswordmodify options

Description

The ldappasswordmodify command can be used to change or reset user passwords with the LDAP password modify extended operation as defined in RFC3062 .

Using this mechanism for changing user passwords offers a number of benefits over a simple LDAP modify operation targeted at the password attribute, including the following:

• Changing one's own password. The command allows a user to change his own password even after it has expired, provided that this capability is allowed in that user's password policy.
  
• Supplying clear-text password. The command provides a mechanism for supplying the clear-text version of the current password for further validation of the user's identity.
  
• Using authorization ID. When changing a user's password, the user can be specified by using an authorization ID (prefixed by dn: or u: ) in addition to a full DN.
  
• Generating passwords. If a new password is not provided, then the server can generate one for the user, provided that this capability is allowed in that user's password policy.
  

Options

The ldappasswordmodify command accepts an option in either its short form (for example, -D bindDN ) or its long form equivalent (for example, --bindDN bindDN ).

Command Options

-a, --authzID authzID

Specify an authorization ID for the user whose password is to be changed. The authorization ID can be in the form dn: followed by the DN of the target user, or u: followed by the user name of the target user. If this option is not provided, then no authorization ID will be included in the request and the password for the authenticated user will be changed. This option must not be used in conjunction with the --provideDNForAuthzID option.

-A, --provideDNForAuthzID

Indicate that the bind DN should be used as the authorization ID for the password modify operation. This option must not be used in conjunction with the --authzID option.

-c, --currentPassword currentPassword

Specify the current password for the user. It must not be used in conjunction with --currentPasswordFile . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.

-C, --currentPasswordFile currentPasswordFile

Read the current password from the specified file. It must not be used in conjunction with --currentPassword . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.

-J, --control controloid[:criticality[:value|::b64value|:<fileurl]]

Perform a search with the specified control in search requests sent to the directory server. This option makes it possible to include arbitrary request controls that the client cannot directly support. The value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:

oid

Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for search operations, this includes managedsait for the manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values using the -J or control option. These OID names are the following:

accountusable or accountusability

Use in place of the Account Usability Request Control OID: 1.3.6.1.4.1.42.2.27.9.5.8 (no value)

authzid or authorizationidentity

Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)

effectiverights

Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)

managedsait

Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)

noop or no-op

Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)

pwpolicy or password policy

Use in place of the Password Policy Request OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)

subtreedelete or treedelete

Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)

criticality

If true , the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false , the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.

value

Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the :: b64value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.

b64value

Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the : value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.

fileurl

Specifies a URL that references a file from which the value of the control should be taken. It must not be used in conjunction with either the : value or :: b64value forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com will include a critical control with an OID of 1.3.6.1.4.1.42.2.27.9.5.2 , marked as critical (true), and with a string value for the authorization ID dn:uid=dmiller,ou=people,dc=example,dc=com . Or, you can use the OID names: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com .

-n, --newPassword newPassword

Specify the new password that should be assigned to the target user. This option must not be used in conjunction with --newPasswordFile . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.

-N, --newPasswordFile newPasswordFile

Read the new password from the specified file that should be assigned to the target user. This option must not be used in conjunction with --newPassword . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.

LDAP Connection Options

--certNickname nickname

Use the certificate for certificate-based client authentication.

-D, --bindDN bindDN

Use the DN when binding to the directory server through simple authentication. If this option is not provided, then the --authzID option must be used to specify the authorization ID for the target user, and either the --currentPassword or --currentPasswordFile option must be provided to specify the current password for the user. (This mode of use will be required for users to change their passwords after the passwords have expired.)

-h, --hostname address

Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.

-j, --bindPasswordFile bindPasswordFile

Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword .

-K, --keyStorePath keyStorePath

Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.

-o, --saslOption name = value

Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option. See Using SASL Authentication for more information.

-p, --port port

Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.

-P, --trustStorePath trustStorePath

Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.

-q, --useStartTLS

Use the StartTLS extended operation when communicating with the directory server. This option must not be used in conjunction with --useSSL .

--trustStorePassword trustStorePassword

Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile .

-u, --keyStorePasswordFile keyStorePasswordFile

Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword .

-U, --trustStorePasswordFile trustStorePasswordFile

Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword .

-w, --bindPassword bindPassword

Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile . To prompt for the password, type -w - .

-W, --keyStorePassword keyStorePassword

Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile .

-X, --trustAll

Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.

-Z, --useSSL

Use the Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.

Command Input/Output Options

--noPropertiesFile

Indicate that a properties file will not be used to get the default command-line options.

--propertiesFilePath propertiesFilePath

Specify the path to the properties file that contains the default command-line options.

General Options

-?, -H, --help

Display command-line usage information for the command and exit without making any attempt to run the command.

-V, --version

Display the version information for the directory server.

Examples

The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See OpenDS System Requirements for more information.

Example 99 Modifying Your User Password

The following command connects to the host (-h ) using port 1389 (-p ), specifies the authorization ID uid=abergin (-a ) of an administrator, specifies the user's current password file (-C ), and changes it with a new one specified in a new password file (-N ). For Windows platforms, use the file paths where your current and new passwords exist, respectively. For example, use -C \temp\currentPasswordFile and -N \temp\newPasswordFile .

$ ldappasswordmodify -h hostname -p 1389 -a "dn:uid=abergin,ou=People,dc=example,dc=com" \
-C /tmp/currentPasswordFile -N /tmp/newPasswordFile

The LDAP password modify operation was successful

 

Example 100 Modifying and Generating a Password for Another User

The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies and generates a password for another user (-a ) connecting over simple authentication. For Windows platforms, specify the file where the bind password file resides, for example, -j \temp\bindPasswordFile .

$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \
-a "dn:uid=abergin,ou=People,dc=example,dc=com"

The LDAP password modify operation was successful
Generated Password:  blb44hjm

 

Example 101 Modifying a Password for Another User

The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies the password with a new one (-N ) for another user (-a ) connecting over simple authentication. For Windows platforms, specify the bind password file (for example, -j \temp\bindPasswordFile ) and the new password file (for example, -N \temp\newPassword ).

$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile
\
-a "dn:uid=abergin,ou=People,dc=example,dc=com" -N /tmp/newPassword

The LDAP password modify operation was successful

 

Exit Codes

An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.

Using a CLI Properties File

The directory server supports the use of a properties file that passes in any default option values used with the ldappasswordmodify command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. See Using a Properties File With Server Commands for more information.

The following options can be stored in a properties file:

• authzID
  
• bindDN
  
• bindPassword
  
• bindPasswordFile
  
• currentPassword
  
• currentPasswordFile
  
• control
  
• hostname
  
• keyStorePassword
  
• keyStorePasswordFile
  
• keyStorePath
  
• newPassword
  
• newPasswordFile
  
• port
  
• provideDNForAuthzID
  
• trustAll
  
• trustStorePassword
  
• trustStorePasswordFile
  
• trustStorePath
  
• useSSL
  
• useStartTLS
  

Entries in the properties file have the following format:

toolname.propertyname=propertyvalue

 

For example:

ldappasswordmodify.ldapport=12345

 

Location

• UNIX and Linux: install-dir /bin/ldappasswordmodify
  
• Windows: install-dir \bat\ldappasswordmodify.bat