With the ldappasswordmodify command, authorized users can change and reset user passwords.
Example 6.19. Password Reset
The following example shows Kirsten Vaughan resetting Sam Carter's password. Kirsten has the appropriate privilege to reset Sam's password.
$ ldappasswordmodify \
 --useStartTLS \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --authzID "dn:uid=scarter,ou=people,dc=example,dc=com" \
 --newPassword ChangeMe
The LDAP password modify operation was successful
Tip: Whenever one user changes another user's password, OpenDJ considers it a password reset. That often means the user has to change her password again after the reset. If you want your application to change a user's password, rather than reset a user's password, have your application request the password change as the user whose password is changing. To change the password as the user, either bind as the user or use proxied authorization. For instructions on the latter, see the section on Configuring Proxied Authorization.
You could also accomplish password reset with the following command, but set-password-is-reset is a hidden option, supported only for testing.
$ manage-account set-password-is-reset \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --targetDN uid=scarter,ou=people,dc=example,dc=com \
 --operationValue true
Password Is Reset: true
Example 6.20. Change Own Password
You can use the ldappasswordmodify command to change your password, as long as you know your current password.
$ ldappasswordmodify \
 --port 1389 \
 --authzID "dn:uid=bjensen,ou=people,dc=example,dc=com" \
 --currentPassword hifalutin \
 --newPassword secret12
The LDAP password modify operation was successful
The same operation works for cn=Directory Manager.
$ ldappasswordmodify \
 --port 1389 \
 --authzID "dn:cn=Directory Manager" \
 --currentPassword password \
 --newPassword secret12
The LDAP password modify operation was successful
Example 6.21. Passwords With Special Characters
OpenDJ expects passwords to be UTF-8 encoded (base64 encoded when included in LDIF).
$ echo $LANG
en_US.utf8
$ ldappasswordmodify \
 --port 1389 \
 --bindDN uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword hifalutin \
 --currentPassword hifalutin \
 --newPassword pàsswȏrd
The LDAP password modify operation was successful
$ ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword pàsswȏrd \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" cn
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}k0eEeCxj9YRXUp8yJn0Z/mwqe+wrcFb1N1gg2g==
cn: Barbara Jensen
cn: Babs Jensen
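
The encoding rule from Example 6.21, worked through as an added example (not part of the OpenDJ documentation): it builds the LDIF line for a password from its UTF-8 bytes and checks a password against an {SSHA} value. It assumes the conventional SSHA layout, base64(SHA-1(password + salt) + salt); the function names and the salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import unicodedata

PREFIX = "{SSHA}"

def ldif_userpassword(password):
    """LDIF line for a password, built from its UTF-8 bytes (RFC 2849 rules)."""
    raw = password.encode("utf-8")
    # Plain "attr: value" is allowed only for ASCII without NUL/CR/LF that
    # does not start with space, ':' or '<' and does not end with a space.
    safe = (raw.isascii()
            and not any(b in raw for b in (0x00, 0x0A, 0x0D))
            and raw[:1] not in (b" ", b":", b"<")
            and not raw.endswith(b" "))
    if safe:
        return "userPassword: " + raw.decode("ascii")
    return "userPassword:: " + base64.b64encode(raw).decode("ascii")

def split_ssha(stored):
    """Split an {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(blob) <= 20:
        raise ValueError("value too short to hold digest and salt")
    return blob[:20], blob[20:]

def make_ssha(password, salt):
    """Assumed layout: base64(SHA-1(utf8(password) + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_matches(stored, password):
    """Recompute the digest with the stored salt; constant-time compare."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    typed = unicodedata.normalize("NFC", "pàsswȏrd")
    print(ldif_userpassword(typed))
    stored = make_ssha(typed, b"8bytesal")  # constructed salt, not from the page
    print(ssha_matches(stored, typed))       # composed form
    # Same text in decomposed form is a different byte string, so no match.
    print(ssha_matches(stored, unicodedata.normalize("NFD", typed)))
```

The comparison is over bytes, so the client's locale and input method decide whether the same visible password produces the same hash.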

