The issue I see with ldappasswd and shadow password attributes being used (in 2.4) is that after a password change the shadow attributes aren't updated (causing inconsistencies between password policy and shadow attributes regarding the time of password expiration). But most likely it does not affect you...
Kind regards, Ulrich Windl
-----Original Message----- From: Stefan Kania stefan@kania-online.de Sent: Monday, May 5, 2025 7:41 PM To: Ondřej Kuzník ondra@mistotebe.net Cc: openldap-technical@openldap.org Subject: [EXT] Re: changing password with otp active
Hi Ondřej,
Sorry that it took me so long to answer, but there is a lot of work to do here.
Now I set pwdSafeModify=FALSE and still passwd can't change the password if otp is active. So I think I must stay with ldappasswd.
Stefan
On 29.04.25 at 12:58, Ondřej Kuzník wrote:
On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token"; for the "New password" I'm only giving the new password without any token. After changing the password I can log in with the new password+token. But with "passwd" I can't change the password if otp is used. Only without otp does changing the password work with "passwd".
Yes, that sounds like a limitation in how passwd deals with LDAP, especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, I'm not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,
-- Stefan Kania Landweg 13 25693 St. Michaelisdonn
There is no CLOUD, just other people's computers
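The thread turns on what the Password Modify extended operation (RFC 3062) actually carries: ldappasswd -S, after a Bind with password+token, sends only the new password, whereas passwd passes the old password inside the operation. The following is an added example, not code from the thread, from OpenLDAP or from any PAM module: it DER-encodes and parses the PasswdModifyRequestValue so the two request shapes can be compared offline. All sample values are constructed, and the claim about which fields each client sets is taken from the discussion above, not verified against any particular client version.

```python
"""
Added example (not from the original thread): build and parse the
PasswdModifyRequestValue of the LDAP Password Modify extended operation
(RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1):

    PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity    [0]  OCTET STRING OPTIONAL
         oldPasswd       [1]  OCTET STRING OPTIONAL
         newPasswd       [2]  OCTET STRING OPTIONAL }

Nothing here talks to a server; it only shows what goes on the wire.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# DER tags: SEQUENCE and the three context-specific primitive tags [0] [1] [2].
_SEQUENCE = 0x30
_TAGS = {"userIdentity": 0x80, "oldPasswd": 0x81, "newPasswd": 0x82}
_NAMES = {tag: name for name, tag in _TAGS.items()}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """Encode the request value; fields left as None are simply omitted."""
    parts = b""
    if user_identity is not None:
        parts += _tlv(_TAGS["userIdentity"], user_identity.encode())
    if old_passwd is not None:
        parts += _tlv(_TAGS["oldPasswd"], old_passwd.encode())
    if new_passwd is not None:
        parts += _tlv(_TAGS["newPasswd"], new_passwd.encode())
    return _tlv(_SEQUENCE, parts)


def _read_len(buf, i):
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def decode_passwd_modify(der):
    """Parse a DER request value into a dict; absent fields are absent keys.

    Rejects trailing data, unknown tags and fields out of DER order, so a
    malformed or duplicated field does not silently overwrite another.
    """
    if not der or der[0] != _SEQUENCE:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(der, 1)
    end = i + length
    if end != len(der):
        raise ValueError("length does not match buffer")
    out = {}
    last_tag = -1
    while i < end:
        tag = der[i]
        if tag not in _NAMES:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        if tag <= last_tag:
            raise ValueError("field out of order or duplicated")
        flen, i = _read_len(der, i + 1)
        if i + flen > end:
            raise ValueError("field overruns SEQUENCE")
        out[_NAMES[tag]] = der[i:i + flen].decode()
        i += flen
        last_tag = tag
    return out


def sends_old_password(der):
    """True when the request carries oldPasswd, the part that breaks with OTP."""
    return "oldPasswd" in decode_passwd_modify(der)


# Constructed sample values (not from the thread). The Bind already
# authenticated the user with password+token, so `ldappasswd -S` with no
# -a/-A and no target DN sends only newPasswd.
LDAPPASSWD_STYLE = encode_passwd_modify(new_passwd="correct-horse")

# A client that passes the current password inside the operation, as the
# thread describes passwd doing, additionally sets oldPasswd.
PASSWD_STYLE = encode_passwd_modify(old_passwd="old-secret", new_passwd="correct-horse")

if __name__ == "__main__":
    for label, req in (("ldappasswd -S", LDAPPASSWD_STYLE), ("passwd", PASSWD_STYLE)):
        print(f"{label:14} {req.hex()}  fields={sorted(decode_passwd_modify(req))}")
```

The decoder is the interesting half for a reviewer: a server-side check of pwdSafeModify hinges on whether oldPasswd is present, so a parser that tolerated duplicate or out-of-order fields would make that decision on the wrong octets.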