ldappasswordmodify — perform LDAP password modifications
ldappasswordmodify
This utility can be used to perform LDAP password modify operations in the Directory Server.
The ldappasswordmodify command takes the following options:
Command options:
-a | --authzID {authzID}Authorization ID for the user entry whose password should be changed. The authorization ID is a string having either the prefix "dn:" followed by the user's distinguished name, or the prefix "u:" followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples include "dn:uid=bjensen,ou=People,dc=example,dc=com", and, if we assume that "bjensen" is mapped to Barbara Jensen's entry, "u:bjensen".
-c | --currentPassword {currentPassword}Current password for the target user.
-C | --currentPasswordFile {file}Path to a file containing the current password for the target user.
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-F | --newPasswordFile {file}Path to a file containing the new password to provide for the target user.
-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information.
For some controloid values,
you can replace object identifiers with user-friendly strings.
The strings are listed here in lower case, but the case is not important.
You can use camelCase if you prefer, for example.
accountusable, accountusabilityAccount Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
authzid, authorizationidentityAuthorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16
effectiverights, geteffectiverightsGet Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
managedsaitManage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2
noop, no-opNo-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2
pwpolicy, passwordpolicyPassword Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
realattrsonly, realattributesonlyReal Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17
subtreedelete, treedeleteSubtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805
virtualattrsonly, virtualattributesonlyVirtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19
-n | --newPassword {newPassword}New password to provide for the target user.
LDAP connection options:
-D | --bindDN {bindDN}DN to use to bind to the server.
Default:
-E | --reportAuthzIDUse the authorization identity control.
Default: false
-h | --hostname {host}The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.
Default: localhost.localdomain
-j | --bindPasswordFile {bindPasswordFile}Bind password file.
-K | --keyStorePath {keyStorePath}Certificate key store path.
-N | --certNickname {nickname}Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.
-o | --saslOption {name=value}SASL bind options.
-p | --port {port}Directory server port number.
Default: 389
-P | --trustStorePath {trustStorePath}Certificate trust store path.
-q | --useStartTLSUse StartTLS to secure communication with the server.
Default: false
-T | --trustStorePassword {trustStorePassword}Certificate trust store PIN.
-u | --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.
-U | --trustStorePasswordFile {path}Certificate trust store PIN file.
--usePasswordPolicyControlUse the password policy request control.
Default: false
-w | --bindPassword {bindPassword}Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.
-W | --keyStorePassword {keyStorePassword}Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.
-X | --trustAllTrust all server SSL certificates.
Default: false
-Z | --useSSLUse SSL for secure communication with the server.
Default: false
Utility input/output options:
--noPropertiesFileNo properties file will be used to get default command line argument values.
Default: false
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments.
-v | --verboseUse verbose mode.
Default: false
General options:
-V | --versionDisplay Directory Server version information.
Default: false
-H | --helpDisplay this usage information.
Default: false
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
An error occurred while parsing the command-line arguments.
You can use ~/.opendj/tools.properties
to set the defaults for bind DN, host name, and port number
as in the following example.
hostname=directory.example.com port=1389 bindDN=uid=kvaughan,ou=People,dc=example,dc=com ldapcompare.port=1389 ldapdelete.port=1389 ldapmodify.port=1389 ldappasswordmodify.port=1389 ldapsearch.port=1389
The following example demonstrates a user changing their own password.
$ cat /tmp/currpwd.txt /tmp/newpwd.txt bribery secret12 $ ldappasswordmodify -p 1389 -C /tmp/currpwd.txt --newPasswordFile /tmp/newpwd.txt \ -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery The LDAP password modify operation was successful