Hi!
I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script:
#!/bin/sh
SERVER='ldap://...'
CONTEXT='dc=...'
if [ -n "$1" ]; then
    DN="uid=${1},ou=people,$CONTEXT"
    MANAGER="$DN"
    echo "$MANAGER changing password for $DN"
    ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
else
    echo "$0: missing or empty username" >&2
    exit 1
fi
So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see:
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed
And when I call it with a second parameter (ask for password), I see:
New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I'm trying to understand: Does the user need special ACLs, or do I need additional parameters?
The essential ACLs for userPassword are:
...
olcAccess: {4}to attrs=shadowLastChange,userPassword,userPKCS12
  by dn.exact="uid=PW-Admin,ou=system,dc=..." write
  by * break
...
olcAccess: {6}to attrs=userPassword,userPKCS12
  by self write
  by * auth
...
olcAccess: {8}to * by * read
If I use the PW-Admin account, I can change the password, however.
Kind regards, Ulrich Windl
On Mon, Aug 18, 2025 at 08:40:26AM +0000, Windl, Ulrich wrote:
> Hi!
> I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script:
>
> #!/bin/sh
> SERVER='ldap://...'
> CONTEXT='dc=...'
> if [ -n "$1" ]; then
>     DN="uid=${1},ou=people,$CONTEXT"
>     MANAGER="$DN"
>     echo "$MANAGER changing password for $DN"
>     ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
> else
>     echo "$0: missing or empty username" >&2
>     exit 1
> fi
>
> So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see:
> Enter LDAP Password:
> ldap_bind: Server is unwilling to perform (53)
>         additional info: unauthenticated bind (DN with no password) disallowed
>
> And when I call it with a second parameter (ask for password), I see:
> New password:
> Re-enter new password:
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
Hi Ulrich, `-D` says to bind (log in as) "$MANAGER","$CONTEXT". Your users are unlikely to know that password; you should probably use "$DN" there.
Regards,
-----Original Message-----
From: Ondřej Kuzník <ondra@mistotebe.net>
Sent: Monday, August 18, 2025 11:42 AM
To: Windl, Ulrich <u.windl@ukr.de>
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Understanding ldappasswd: ldap_bind: Invalid credentials (49)
On Mon, Aug 18, 2025 at 08:40:26AM +0000, Windl, Ulrich wrote:
> Hi!
> I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script:
>
> #!/bin/sh
> SERVER='ldap://...'
> CONTEXT='dc=...'
> if [ -n "$1" ]; then
>     DN="uid=${1},ou=people,$CONTEXT"
>     MANAGER="$DN"
>     echo "$MANAGER changing password for $DN"
>     ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN"
> else
>     echo "$0: missing or empty username" >&2
>     exit 1
> fi
>
> So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see:
> Enter LDAP Password:
> ldap_bind: Server is unwilling to perform (53)
>         additional info: unauthenticated bind (DN with no password) disallowed
>
> And when I call it with a second parameter (ask for password), I see:
> New password:
> Re-enter new password:
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

Hi Ulrich, `-D` says to bind (log in as) "$MANAGER","$CONTEXT". Your users are unlikely to know that password; you should probably use "$DN" there.
[Windl, Ulrich] Actually $MANAGER == $DN (the script was modified from an original, where MANAGER was actually a user that could change the passwords of any user without knowing the old ones). Or did I miss something?
Kind regards, Ulrich
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
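The following is an added example, not Ulrich's script and not anything posted in the thread. It rewrites the helper the way Ondřej's reply suggests: the -D argument is the user's own DN, which is the entry the "by self write" clause of the userPassword ACL lets the bound user modify. MANAGER in the posted script already holds the full DN, so the extra ","$CONTEXT"" in the -D argument names an entry that does not exist, and slapd answers the bind with "Invalid credentials (49)"; thread_bind_dn below only reproduces that expansion so the two DNs can be compared side by side. The example goes beyond the thread in one respect: the username is escaped per RFC 4514 before it is placed in the RDN, so a value containing "," or a leading "#" cannot change the shape of the DN. SERVER and CONTEXT are placeholder values, and the command list is printed (dry run) unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not the script from the thread). Binds as the user's own DN,
# which "by self write" in the userPassword ACL permits. Placeholder values:
SERVER='ldap://ldap.example.org'
CONTEXT='dc=example,dc=org'

# Escape an attribute value for use inside an RDN (RFC 4514): backslash and
# the characters , + " < > ; anywhere, a '#' or space at the start, and a
# trailing space. Without this a username containing ',' would alter the DN.
escape_rdn_value() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\\\/g' \
        -e 's/[,+"<>;]/\\&/g' \
        -e 's/ $/\\ /' \
        -e 's/^[# ]/\\&/'
}

# The user's own entry: ",ou=people,$CONTEXT" is appended exactly once.
user_dn() {
    printf 'uid=%s,ou=people,%s' "$(escape_rdn_value "$1")" "$CONTEXT"
}

# What the thread's script actually passes to -D: MANAGER already equals the
# full DN, so appending ",$CONTEXT" again yields a DN with a doubled suffix
# that matches no entry, hence "Invalid credentials (49)" on bind.
thread_bind_dn() {
    manager=$(user_dn "$1")
    printf '%s,%s' "$manager" "$CONTEXT"
}

# Build and (optionally) run the ldappasswd invocation. -W prompts for the
# bind password so it never appears in argv or the process list; -ZZ refuses
# to continue without StartTLS. A non-empty second argument adds -S so the
# new password is prompted for rather than generated by the server.
# With DRY_RUN unset or 1 the argument list is printed one per line.
run_ldappasswd() {
    [ -n "$1" ] || { echo "missing or empty username" >&2; return 1; }
    dn=$(user_dn "$1")
    ask="$2"
    set -- ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W
    if [ -n "$ask" ]; then
        set -- "$@" -S
    fi
    set -- "$@" "$dn"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Dry-run demonstration with a constructed username.
run_ldappasswd alice
```

Compare `user_dn alice` (uid=alice,ou=people,dc=example,dc=org) with `thread_bind_dn alice`, which ends in dc=example,dc=org,dc=example,dc=org: the second string is what the posted script binds as. With the corrected DN the {6} ACL applies, "by * auth" lets the bind verify the old password, and "by self write" allows the replace of userPassword.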