`
li.feixiang
  • 浏览: 121240 次
  • 性别: Icon_minigender_1
  • 来自: 武汉
社区版块
存档分类
最新评论

OpenDS LDAP Client Utilities Commands -- ldappasswordmodify

阅读更多

ldappasswordmodify

The ldappasswordmodify command modifies LDAP passwords.

Synopsis

ldappasswordmodify options

Description

The ldappasswordmodify command can be used to change or reset user passwords with the LDAP password modify extended operation as defined in RFC3062 .

Using this mechanism for changing user passwords offers a number of benefits over a simple LDAP modify operation targeted at the password attribute, including the following:

  • Changing one's own password. The command allows a user to change his own password even after it has expired, provided that this capability is allowed in that user's password policy.
  • Supplying clear-text password. The command provides a mechanism for supplying the clear-text version of the current password for further validation of the user's identity.
  • Using authorization ID. When changing a user's password, the user can be specified by using an authorization ID (prefixed by dn: or u: ) in addition to a full DN.
  • Generating passwords. If a new password is not provided, then the server can generate one for the user, provided that this capability is allowed in that user's password policy.

Options

The ldappasswordmodify command accepts an option in either its short form (for example, -D bindDN ) or its long form equivalent (for example, --bindDN bindDN ).

Command Options

-a, --authzID authzID

Specify an authorization ID for the user whose password is to be changed. The authorization ID can be in the form dn: followed by the DN of the target user, or u: followed by the user name of the target user. If this option is not provided, then no authorization ID will be included in the request and the password for the authenticated user will be changed. This option must not be used in conjunction with the --provideDNForAuthzID option.

-A, --provideDNForAuthzID

Indicate that the bind DN should be used as the authorization ID for the password modify operation. This option must not be used in conjunction with the --authzID option.

-c, --currentPassword currentPassword

Specify the current password for the user. It must not be used in conjunction with --currentPasswordFile . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.

-C, --currentPasswordFile currentPasswordFile

Read the current password from the specified file. It must not be used in conjunction with --currentPassword . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.

-J, --control controloid[:criticality[:value|::b64value|:<fileurl]]

Perform a search with the specified control in search requests sent to the directory server. This option makes it possible to include arbitrary request controls that the client cannot directly support. The value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:

oid

Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for search operations, this includes managedsait for the manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values using the -J or control option. These OID names are the following:

accountusable or accountusability

Use in place of the Account Usability Request Control OID: 1.3.6.1.4.1.42.2.27.9.5.8 (no value)

authzid or authorizationidentity

Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)

effectiverights

Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)

managedsait

Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)

noop or no-op

Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)

pwpolicy or password policy

Use in place of the Password Policy Request OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)

subtreedelete or treedelete

Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)

criticality

If true , the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false , the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.

value

Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the :: b64value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.

b64value

Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the : value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.

fileurl

Specifies a URL that references a file from which the value of the control should be taken. It must not be used in conjunction with either the : value or :: b64value forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com will include a critical control with an OID of 1.3.6.1.4.1.42.2.27.9.5.2 , marked as critical (true), and with a string value for the authorization ID dn:uid=dmiller,ou=people,dc=example,dc=com . Or, you can use the OID names: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com .

-n, --newPassword newPassword

Specify the new password that should be assigned to the target user. This option must not be used in conjunction with --newPasswordFile . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.

-N, --newPasswordFile newPasswordFile

Read the new password from the specified file that should be assigned to the target user. This option must not be used in conjunction with --newPassword . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.

LDAP Connection Options

--certNickname nickname

Use the certificate for certificate-based client authentication.

-D, --bindDN bindDN

Use the DN when binding to the directory server through simple authentication. If this option is not provided, then the --authzID option must be used to specify the authorization ID for the target user, and either the --currentPassword or --currentPasswordFile option must be provided to specify the current password for the user. (This mode of use will be required for users to change their passwords after the passwords have expired.)

-h, --hostname address

Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.

-j, --bindPasswordFile bindPasswordFile

Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword .

-K, --keyStorePath keyStorePath

Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.

-o, --saslOption name = value

Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option. See Using SASL Authentication for more information.

-p, --port port

Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.

-P, --trustStorePath trustStorePath

Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.

-q, --useStartTLS

Use the StartTLS extended operation when communicating with the directory server. This option must not be used in conjunction with --useSSL .

--trustStorePassword trustStorePassword

Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile .

-u, --keyStorePasswordFile keyStorePasswordFile

Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword .

-U, --trustStorePasswordFile trustStorePasswordFile

Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword .

-w, --bindPassword bindPassword

Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile . To prompt for the password, type -w - .

-W, --keyStorePassword keyStorePassword

Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile .

-X, --trustAll

Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.

-Z, --useSSL

Use the Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.

Command Input/Output Options

--noPropertiesFile

Indicate that a properties file will not be used to get the default command-line options.

--propertiesFilePath propertiesFilePath

Specify the path to the properties file that contains the default command-line options.

General Options

-?, -H, --help

Display command-line usage information for the command and exit without making any attempt to run the command.

-V, --version

Display the version information for the directory server.

Examples

The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See OpenDS System Requirements for more information.

Example 99 Modifying Your User Password

The following command connects to the host (-h ) using port 1389 (-p ), specifies the authorization ID uid=abergin (-a ) of an administrator, specifies the user's current password file (-C ), and changes it with a new one specified in a new password file (-N ). For Windows platforms, use the file paths where your current and new passwords exist, respectively. For example, use -C \temp\currentPasswordFile and -N \temp\newPasswordFile .

$ ldappasswordmodify -h hostname -p 1389 -a "dn:uid=abergin,ou=People,dc=example,dc=com" \
-C /tmp/currentPasswordFile -N /tmp/newPasswordFile

The LDAP password modify operation was successful

 

Example 100 Modifying and Generating a Password for Another User

The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies and generates a password for another user (-a ) connecting over simple authentication. For Windows platforms, specify the file where the bind password file resides, for example, -j \temp\bindPasswordFile .

$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \
-a "dn:uid=abergin,ou=People,dc=example,dc=com"

The LDAP password modify operation was successful
Generated Password:  blb44hjm

 

Example 101 Modifying a Password for Another User

The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies the password with a new one (-N ) for another user (-a ) connecting over simple authentication. For Windows platforms, specify the bind password file (for example, -j \temp\bindPasswordFile ) and the new password file (for example, -N \temp\newPassword ).

$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile
\
-a "dn:uid=abergin,ou=People,dc=example,dc=com" -N /tmp/newPassword

The LDAP password modify operation was successful

 

Exit Codes

An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.

Using a CLI Properties File

The directory server supports the use of a properties file that passes in any default option values used with the ldappasswordmodify command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. See Using a Properties File With Server Commands for more information.

The following options can be stored in a properties file:

  • authzID
  • bindDN
  • bindPassword
  • bindPasswordFile
  • currentPassword
  • currentPasswordFile
  • control
  • hostname
  • keyStorePassword
  • keyStorePasswordFile
  • keyStorePath
  • newPassword
  • newPasswordFile
  • port
  • provideDNForAuthzID
  • trustAll
  • trustStorePassword
  • trustStorePasswordFile
  • trustStorePath
  • useSSL
  • useStartTLS

Entries in the properties file have the following format:

toolname.propertyname=propertyvalue

 

For example:

ldappasswordmodify.ldapport=12345

 

Location

  • UNIX and Linux: install-dir /bin/ldappasswordmodify
  • Windows: install-dir \bat\ldappasswordmodify.bat
分享到:
评论

相关推荐

    Cognos8.3与OpenDS-1.0.0集成认证.doc

    本文详细介绍了如何将 Cognos 8.3 与 OpenDS-1.0.0 进行集成认证的过程,包括 OpenDS 的安装、配置 LDAP 服务、设置 Cognos 的匿名访问权限、重启 Cognos 服务以及使用 Java 代码添加、修改和查找 LDAP 用户的具体...

    OpenDS-2.3.0-build003.zip

    在下载并解压"OpenDS-2.3.0-build003.zip"后,您会得到一系列文件和目录,这些构成了OpenDS服务的基础组件。以下是一些可能包含的重要组成部分和相关的知识点: 1. **OpenDS Server**: 这是实际运行目录服务的主...

    OpenDS-1.2.0.

    总的来说,OpenDS-1.2.0是一个强大且灵活的身份管理和目录服务解决方案,对于开发者而言,它不仅是一个工具,也是一个学习和研究LDAP及目录服务技术的平台。通过深入学习和实践,开发者可以提升自己的技能,并为组织...

    OpenDS-2.0官方Administration Guide

    ### OpenDS-2.0官方Administration Guide 知识点概览 #### 一、OpenDS简介 OpenDS是由Sun Microsystems开发的一款开源LDAP(轻量级目录访问协议)服务器。它被设计为高度可扩展且易于管理,适用于企业级别的应用。...

    OpenDS-1.2.0的windows下的安装配置文档.doc

    OpenDS是一款开源的轻量级目录访问协议(LDAP)服务器,由Sun Microsystems发起并支持,自2008年6月12日发布了首个版本OpenDS-1.0.0以来,便受到了广泛的欢迎。它不同于传统的LDAP解决方案,如OpenLDAP等,OpenDS采用...

    Apache James 3.0支持LDAP参考文档

    3. **集成James与OpenDS**:Apache James可以通过配置文件(如`james-server.conf`)连接到OpenDS LDAP服务器。你需要提供OpenDS服务器的URL、端口、管理员用户名和密码,以及可能需要的SSL/TLS设置。配置完成后,...

    OpenDS-2.0官方架构参考手册

    ### OpenDS-2.0官方架构参考手册知识点详解 #### 一、OpenDS概述 **OpenDS** 是由 **SUN Microsystems** 开发的一款开源 **LDAP (Lightweight Directory Access Protocol)** 服务器。作为一款高性能、可扩展的企业...

    OpenDS-2.2.1

    OpenDS是一个开源,基于LDAP与DSML标准的directoryservice。directoryservice不仅包括DirectoryServer,还有其它与directory相关的基本service如:directoryproxy、virtualdirectory、namespacedistribution和数据...

    Gawor_ldapbrowser_282

    标签"ldapbrowser"表示这是个浏览 LDAP 服务的工具,"gawor"是开发者的名称,"ldap连接工具"强调了其主要功能,而"opends工具"表明该软件已经过测试,兼容OpenDJ或OpenDS(OpenDNS)这样的开源目录服务软件。OpenDS...

    IoT-OpenDS:OpenDS原始开源叉的一个叉

    我需要使用React测试,所以我对其进行了修复执照OpenDS.de配置的文件保留其许可证(GPL-v2)和版权breznak对这些代码的修改也保留了许可证openDS-oss开发人员提供的代码保留其许可证和版权(GPL-v2) 我的代码也保持...

    OpenLDAPforWindows+LdapBrowser_282+OpenLdap使用手册

    OpenLDAP for Windows与LdapBrowser 282是开源LDAP(轻量级目录访问协议)在Windows环境下的实现和管理工具。OpenLDAP是一款强大的目录服务软件,它允许组织存储和检索用户、组、网络设备等对象的信息。LdapBrowser...

    matlab如何敲代码-openDS-oss:OpenDS.de汽车驾驶模拟器的镜像

    matlab如何敲代码OpenDS的自由 这是的open-source社区分支。 此存储库中的更改: 新的Cognitive load实验 在我们的GitHub存储库上促进了社区与开发人员的协作 预设的IDE(NetBeans)项目,安装更加方便 对上游代码的...

    opends60.lib VC++能用的x64版本

    标题中的“opends60.lib VC++能用的x64版本”指的是OpenDS60库的一个特定构建,它是为Microsoft Visual C++ (VC++)编译器设计的,并且适用于64位(x64)操作系统。OpenDS60库通常与SQL Server 2000的开发工作有关,...

    ldap:活动目录示例,如ApacheDS,OpenDS,OpenDJ和slapd,使用诸如jxplorer之类的工具

    活动目录示例,如ApacheDS,OpenDS,OpenDJ和slapd,使用诸如jxplorer之类的工具 问-LDAP的同义词是什么? 一种 - Q-给它一些暗示 一种 - 问-什么是CN,DS,OpenDj,Slapd? 一种 - 问-什么是RDN,DN,OU,CN,DC...

    self-service-password:在 LDAP 目录中更改和重置密码的 Web 界面

    该应用程序可用于标准 LDAPv3 目录(OpenLDAP、OpenDS、ApacheDS、Sun Oracle DSEE、Novell 等)和 Active Directory。 它具有以下特点: Samba 模式更改 Samba 密码活动目录模式本地密码策略: 最小/最大长度禁止...

    openDS:开放数字样本 (openDS) 规范之家

    开放式DS 开放数字样本 (openDS) 规范的主页。 openDS 仍处于开发的早期阶段,您可以在此存储库中跟踪其进展。入门为了帮助您入门,我们提供了。 您还可以在那里找到有关,以及其他几个常见问题文档。 openDS 数据...

    OpenDS4All:OpenDS4All项目,由LF AI&Data托管

    OpenDS4All是一个旨在加速在学术机构中创建数据科学课程的项目。 尽管有很多在线资料可用于数据科学(包括在线课程),但我们认识到,让许多学生学习(以及让许多机构提供)内容的最佳方式是通过讲座,朗诵或课堂...

Global site tag (gtag.js) - Google Analytics