- 浏览: 121240 次
- 性别:
- 来自: 武汉
最新评论
ldappasswordmodify
The ldappasswordmodify command modifies LDAP passwords.
Synopsis
ldappasswordmodify options
Description
The ldappasswordmodify command can be used to change or reset user passwords with the LDAP password modify extended operation as defined in RFC3062 .
Using this mechanism for changing user passwords offers a number of benefits over a simple LDAP modify operation targeted at the password attribute, including the following:
- Changing one's own password. The command allows a user to
change his own password even after it has expired, provided that this
capability is allowed in that user's password policy.
- Supplying clear-text password. The command provides a
mechanism for supplying the clear-text version of the current password
for further validation of the user's identity.
- Using authorization ID. When changing a user's password, the user can be specified by using an authorization ID (prefixed by dn:
or u:
) in addition to a full DN.
- Generating passwords. If a new password is not provided, then
the server can generate one for the user, provided that this capability
is allowed in that user's password policy.
Options
The ldappasswordmodify command accepts an option in either its short form (for example, -D bindDN ) or its long form equivalent (for example, --bindDN bindDN ).
Command Options
Specify an authorization ID for the user whose password is to be changed. The authorization ID can be in the form dn: followed by the DN of the target user, or u: followed by the user name of the target user. If this option is not provided, then no authorization ID will be included in the request and the password for the authenticated user will be changed. This option must not be used in conjunction with the --provideDNForAuthzID option.
Indicate that the bind DN should be used as the authorization ID for the password modify operation. This option must not be used in conjunction with the --authzID option.
Specify the current password for the user. It must not be used in conjunction with --currentPasswordFile . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.
Read the current password from the specified file. It must not be used in conjunction with --currentPassword . The user's current password must be provided in cases in which no authentication is performed, for example, if a user is trying to change his password after it has already expired. The password might also be required by the server based on the password policy configuration even if a bind password was provided.
Perform a search with the specified control in search requests sent to
the directory server. This option makes it possible to include
arbitrary request controls that the client cannot directly support. The
value for this option must be in the form:
oid[:criticality[:value|::b64value|:<fileurl]]
The elements of this value include:
Use the OID for the control. For certain types of controls, a text name may be used instead of the numeric OID (for search operations, this includes managedsait for the manage DSA IT control). This element is required. Human-readable names can be used in place of the OID to reference controls that do not require values using the -J or control option. These OID names are the following:
Use in place of the Account Usability Request Control OID: 1.3.6.1.4.1.42.2.27.9.5.8 (no value)
Use in place of the Authorization Identity Request Control OID: 2.16.840.1.113730.3.4.16 (no value)
Use in place of the Get Effective Rights Control OID: 1.3.6.1.4.1.42.2.27.9.5.2 (value = authorization ID)
Use in place of the Manage DSA IT Control OID: 2.16.840.1.113730.3.4.2 (no value)
Use in place of the LDAP No-op Control OID: 1.3.6.1.4.1.4203.1.10.2 (no value)
Use in place of the Password Policy Request OID: 1.3.6.1.4.1.42.2.27.8.5.1 (no value)
Use in place of the Subtree Delete Request Control OID: 1.2.840.113556.1.4.805 (no value)
If true , the control should be marked critical (meaning that the directory server should not process the operation unless it can meet the requirements of this control). If false , the control should not be marked critical. If this subcommand is not provided, then the control is not marked critical.
Specifies the value for the control. This form should only be used if the value can be expressed as a string. It must not be used in conjunction with either the :: b64value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies the value for the control in base64-encoded form. This subcommand must not be used in conjunction with either the : value or :< fileurl forms. If none of these subcommands is present, then the control will not have a value.
Specifies a URL that references a file from which the value of the
control should be taken. It must not be used in conjunction with either
the :
value
or ::
b64value
forms. If none of these subcommands is present, then the control will not have a value.
For example, the value 1.3.6.1.4.1.42.2.27.9.5.2:true:dn:uid=dmiller,ou=people,dc=example,dc=com
will include a critical control with an OID of 1.3.6.1.4.1.42.2.27.9.5.2
, marked as critical (true), and with a string value for the authorization ID dn:uid=dmiller,ou=people,dc=example,dc=com
. Or, you can use the OID names: effectiverights:true:dn:uid=dmiller,ou=people,dc=example,dc=com
.
Specify the new password that should be assigned to the target user. This option must not be used in conjunction with --newPasswordFile . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.
Read the new password from the specified file that should be assigned to the target user. This option must not be used in conjunction with --newPassword . If neither of these options is provided, then the server will automatically generate a new password for the user, provided that a password generator is configured in the user's password policy.
LDAP Connection Options
Use the certificate for certificate-based client authentication.
Use the DN when binding to the directory server through simple authentication. If this option is not provided, then the --authzID option must be used to specify the authorization ID for the target user, and either the --currentPassword or --currentPasswordFile option must be provided to specify the current password for the user. (This mode of use will be required for users to change their passwords after the passwords have expired.)
Contact the directory server on the specified host name or IP address. If it is not provided, then a default address of localhost will be used.
Use the bind password in the specified file when authenticating to the directory server. The option is used for simple authentication, as well as for password-based SASL mechanisms such as CRAM-MD5, DIGEST-MD5, and PLAIN. It is not required if no authentication is to be performed. This option must not be used in conjunction with --bindPassword .
Use the client keystore certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option should only be necessary if the client needs to present a certificate to the directory server, for example, when using SASL EXTERNAL authentication.
Use the specified option when performing SASL authentication. Multiple SASL options can be provided by using this option multiple times, once for each option. See Using SASL Authentication for more information.
Contact the directory server at the specified port. If this option is not provided, then a default port of 389 will be used.
Use the client trust store certificate in the specified path for secure communication when using the SSL or the StartTLS extended operation. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.
Use the StartTLS extended operation when communicating with the directory server. This option must not be used in conjunction with --useSSL .
Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile .
Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword .
Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword .
Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile . To prompt for the password, type -w - .
Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile .
Trust any certificate that the directory server might present during SSL or StartTLS negotiation. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.
Use the Secure Sockets Layer when communicating with the directory server. If SSL is to be used, then the --port option should be used to specify the server's secure port.
Command Input/Output Options
Indicate that a properties file will not be used to get the default command-line options.
Specify the path to the properties file that contains the default command-line options.
General Options
Display command-line usage information for the command and exit without making any attempt to run the command.
Display the version information for the directory server.
Examples
The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system. See OpenDS System Requirements for more information.
Example 99 Modifying Your User Password
The following command connects to the host (-h ) using port 1389 (-p ), specifies the authorization ID uid=abergin (-a ) of an administrator, specifies the user's current password file (-C ), and changes it with a new one specified in a new password file (-N ). For Windows platforms, use the file paths where your current and new passwords exist, respectively. For example, use -C \temp\currentPasswordFile and -N \temp\newPasswordFile .
$ ldappasswordmodify -h hostname -p 1389 -a "dn:uid=abergin,ou=People,dc=example,dc=com" \ -C /tmp/currentPasswordFile -N /tmp/newPasswordFile The LDAP password modify operation was successful
Example 100 Modifying and Generating a Password for Another User
The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies and generates a password for another user (-a ) connecting over simple authentication. For Windows platforms, specify the file where the bind password file resides, for example, -j \temp\bindPasswordFile .
$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \ -a "dn:uid=abergin,ou=People,dc=example,dc=com" The LDAP password modify operation was successful Generated Password: blb44hjm
Example 101 Modifying a Password for Another User
The following command connects to the host (-h ) using port 1389 (-p ), specifies the bind DN (-D ), specifies the bind password file (-j ), and modifies the password with a new one (-N ) for another user (-a ) connecting over simple authentication. For Windows platforms, specify the bind password file (for example, -j \temp\bindPasswordFile ) and the new password file (for example, -N \temp\newPassword ).
$ ldappasswordmodify -h hostname -p 1389 -D "cn=Directory Manager" -j /tmp/bindPasswordFile \ -a "dn:uid=abergin,ou=People,dc=example,dc=com" -N /tmp/newPassword The LDAP password modify operation was successful
Exit Codes
An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.
Using a CLI Properties File
The directory server supports the use of a properties file that passes in any default option values used with the ldappasswordmodify command. The properties file is convenient when working in different configuration environments, especially in scripted or embedded applications. See Using a Properties File With Server Commands for more information.
The following options can be stored in a properties file:
- authzID
- bindDN
- bindPassword
- bindPasswordFile
- currentPassword
- currentPasswordFile
- control
- hostname
- keyStorePassword
- keyStorePasswordFile
- keyStorePath
- newPassword
- newPasswordFile
- port
- provideDNForAuthzID
- trustAll
- trustStorePassword
- trustStorePasswordFile
- trustStorePath
- useSSL
- useStartTLS
Entries in the properties file have the following format:
toolname.propertyname=propertyvalue
For example:
ldappasswordmodify.ldapport=12345
Location
- UNIX and Linux: install-dir
/bin/ldappasswordmodify
- Windows: install-dir \bat\ldappasswordmodify.bat
相关推荐
本文详细介绍了如何将 Cognos 8.3 与 OpenDS-1.0.0 进行集成认证的过程,包括 OpenDS 的安装、配置 LDAP 服务、设置 Cognos 的匿名访问权限、重启 Cognos 服务以及使用 Java 代码添加、修改和查找 LDAP 用户的具体...
在下载并解压"OpenDS-2.3.0-build003.zip"后,您会得到一系列文件和目录,这些构成了OpenDS服务的基础组件。以下是一些可能包含的重要组成部分和相关的知识点: 1. **OpenDS Server**: 这是实际运行目录服务的主...
总的来说,OpenDS-1.2.0是一个强大且灵活的身份管理和目录服务解决方案,对于开发者而言,它不仅是一个工具,也是一个学习和研究LDAP及目录服务技术的平台。通过深入学习和实践,开发者可以提升自己的技能,并为组织...
### OpenDS-2.0官方Administration Guide 知识点概览 #### 一、OpenDS简介 OpenDS是由Sun Microsystems开发的一款开源LDAP(轻量级目录访问协议)服务器。它被设计为高度可扩展且易于管理,适用于企业级别的应用。...
OpenDS是一款开源的轻量级目录访问协议(LDAP)服务器,由Sun Microsystems发起并支持,自2008年6月12日发布了首个版本OpenDS-1.0.0以来,便受到了广泛的欢迎。它不同于传统的LDAP解决方案,如OpenLDAP等,OpenDS采用...
3. **集成James与OpenDS**:Apache James可以通过配置文件(如`james-server.conf`)连接到OpenDS LDAP服务器。你需要提供OpenDS服务器的URL、端口、管理员用户名和密码,以及可能需要的SSL/TLS设置。配置完成后,...
### OpenDS-2.0官方架构参考手册知识点详解 #### 一、OpenDS概述 **OpenDS** 是由 **SUN Microsystems** 开发的一款开源 **LDAP (Lightweight Directory Access Protocol)** 服务器。作为一款高性能、可扩展的企业...
OpenDS是一个开源,基于LDAP与DSML标准的directoryservice。directoryservice不仅包括DirectoryServer,还有其它与directory相关的基本service如:directoryproxy、virtualdirectory、namespacedistribution和数据...
标签"ldapbrowser"表示这是个浏览 LDAP 服务的工具,"gawor"是开发者的名称,"ldap连接工具"强调了其主要功能,而"opends工具"表明该软件已经过测试,兼容OpenDJ或OpenDS(OpenDNS)这样的开源目录服务软件。OpenDS...
我需要使用React测试,所以我对其进行了修复执照OpenDS.de配置的文件保留其许可证(GPL-v2)和版权breznak对这些代码的修改也保留了许可证openDS-oss开发人员提供的代码保留其许可证和版权(GPL-v2) 我的代码也保持...
OpenLDAP for Windows与LdapBrowser 282是开源LDAP(轻量级目录访问协议)在Windows环境下的实现和管理工具。OpenLDAP是一款强大的目录服务软件,它允许组织存储和检索用户、组、网络设备等对象的信息。LdapBrowser...
matlab如何敲代码OpenDS的自由 这是的open-source社区分支。 此存储库中的更改: 新的Cognitive load实验 在我们的GitHub存储库上促进了社区与开发人员的协作 预设的IDE(NetBeans)项目,安装更加方便 对上游代码的...
标题中的“opends60.lib VC++能用的x64版本”指的是OpenDS60库的一个特定构建,它是为Microsoft Visual C++ (VC++)编译器设计的,并且适用于64位(x64)操作系统。OpenDS60库通常与SQL Server 2000的开发工作有关,...
活动目录示例,如ApacheDS,OpenDS,OpenDJ和slapd,使用诸如jxplorer之类的工具 问-LDAP的同义词是什么? 一种 - Q-给它一些暗示 一种 - 问-什么是CN,DS,OpenDj,Slapd? 一种 - 问-什么是RDN,DN,OU,CN,DC...
该应用程序可用于标准 LDAPv3 目录(OpenLDAP、OpenDS、ApacheDS、Sun Oracle DSEE、Novell 等)和 Active Directory。 它具有以下特点: Samba 模式更改 Samba 密码活动目录模式本地密码策略: 最小/最大长度禁止...
开放式DS 开放数字样本 (openDS) 规范的主页。 openDS 仍处于开发的早期阶段,您可以在此存储库中跟踪其进展。入门为了帮助您入门,我们提供了。 您还可以在那里找到有关,以及其他几个常见问题文档。 openDS 数据...
OpenDS4All是一个旨在加速在学术机构中创建数据科学课程的项目。 尽管有很多在线资料可用于数据科学(包括在线课程),但我们认识到,让许多学生学习(以及让许多机构提供)内容的最佳方式是通过讲座,朗诵或课堂...