On Mon, Aug 18, 2025 at 08:40:26AM +0000, Windl, Ulrich wrote:
Hi!
I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script:
#!/bin/sh
SERVER='ldap://...'
CONTEXT='dc=...'
if [ -n "$1" ]; then
    DN="uid=${1},ou=people,$CONTEXT"
    MANAGER="$DN"
    echo "$MANAGER changing password for $DN"
    ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
else
    echo "$0: missing or empty username" >&2
    exit 1
fi
So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see:

Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed

And when I call it with a second parameter (ask for password), I see:

New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Hi Ulrich, `-D` says to bind (log in) as "$MANAGER","$CONTEXT"; your users are unlikely to know that password, so you should probably use "$DN" there.
Regards,
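A corrected version of the helper script, as an added example that is not part of the thread: it binds as the user's own DN (the fix suggested above) and rejects usernames containing DN metacharacters so that `$1` cannot change which entry the DN refers to. The server URL and base DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): self-service password change with
# ldappasswd, binding as the user's own DN. SERVER and CONTEXT are
# placeholder values; adjust them to your directory.
SERVER='ldap://ldap.example.org'   # placeholder
CONTEXT='dc=example,dc=org'        # placeholder

# Reject usernames that could alter the DN structure (commas, '=', '+',
# quotes, backslashes, spaces ...); allow only a conservative charset.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the user's DN from an already validated username.
user_dn() {
    printf 'uid=%s,ou=people,%s\n' "$1" "$CONTEXT"
}

# Run ldappasswd with the user's own DN both as bind DN (-D) and as the
# entry to modify. -W prompts for the current (bind) password, -S prompts
# for the new one; without -S the server generates a random password and
# ldappasswd prints it. -ZZ requires StartTLS to succeed before binding.
change_password() {
    user=$1
    ask_new=$2
    if ! valid_username "$user"; then
        echo "$0: missing or invalid username '$user'" >&2
        return 1
    fi
    dn=$(user_dn "$user")
    echo "$dn changing its own password"
    if [ -n "$ask_new" ]; then
        ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W -S "$dn"
    else
        ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W "$dn"
    fi
}

# Only act when executed with a username (not when sourced for testing).
if [ -n "$1" ]; then
    change_password "$1" "$2"
fi
```

Usage is unchanged from the original helper: `script username` lets the server set a random password, `script username x` prompts for the new one.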