Hi Ondřej,
Sorry, that it took me so long to answer, but here is a lot of work to do.
Now I set pwdSafeModify=FALSE and still passwd cant change the password if otp is active. So I think I must stay with ldappasswd.
Stefan
Am 29.04.25 um 12:58 schrieb Ondřej Kuzník:
On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W New password: Re-enter new password: Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token" for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp changing the password works wir "passwd" only.
Yes, that sounds like a limitation how passwd deals with ldap especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,