hi, Dan
       thanks for u answer.
    I still a little confused about it.
   I run the following command
    /opt/openldap/bin/ldappasswd -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)

    when I run ldapsearch is ok.
 
 /opt/openldap/bin/ldapsearch -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W


 # bobliu, it, abc.com
dn: uid=bobliu,ou=it,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bobliu
sn: fei
givenName: bobliu
cn: bobliu
displayName: bobliu
uidNumber: 10010
gidNumber: 10010
loginShell: /bin/bash
homeDirectory: /home/bobliu
mail: bobliu@abc.com
userPassword:: e3NzaGF9c1RLZW5oL2kxdmlocGw1NG55dUQybHA4ZldSM3o5RzIwdGZwSnc9PQ=
 =
 
  any advice. thanks

On 04/02/2015 01:40 AM, Dan White wrote:

On 03/31/15 17:47 +0800, rockwang wrote:

 access to attrs=userPassword
 by self write
 by anonymous auth
 by dn.base="cn=Manager,dc=abc,dc=com"
 by *  none

 access to *
             by self write
             by dn.base="cn=Manager,dc=abc,dc=com"
             by * read
             by * none

my question is user can't change his own password. I use following command
so I have different result.

<img />

when not add -x

<img />

Consult the manpage for ldappasswd. In the first case (simple bind) you did
not provide a binddn (-D). In the second case, you directed ldappasswd to
perform a SASL bind but did not correctly provide an authentication
identity, and the sasl mechanism negotiated could not derive one.

Hint: if using a simple bind, specify a full DN (with -D), and not a
uid.