On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W New password: Re-enter new password: Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token" for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp changing the password works wir "passwd" only.
Yes, that sounds like a limitation how passwd deals with ldap especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,