Hello to all
When I activate the otp overlay I can log in with my user password and the 6-digit token. But how can I change the password with OTP active?
Without OTP I do "passwd", then give the old password and then the new password twice, and the password is changed.
With OTP I have to give the old password+6-digit token. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6-digit token, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
So how can a user change his password via the command line with OTP active?
Thanks
Stefan
On Thu, Apr 24, 2025 at 07:46:12PM +0200, Stefan Kania wrote:
> Hello to all
> When I activate the otp overlay I can log in with my user password and the 6-digit token. But how can I change the password with OTP active?
> Without OTP I do "passwd", then give the old password and then the new password twice, and the password is changed.
> With OTP I have to give the old password+6-digit token. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6-digit token, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
> So how can a user change his password via the command line with OTP active?
Hi Stefan, there are 2 steps when running ldappasswd:
- the bind (Old password+OTP) to authenticate the session (-w/-W)
- the password modify against someone (presumably self) with "old password" (-a/-t) and "new password" (-s/-T) provided
Similar when other applications use this.
AFAIK the old-password data shouldn't have the OTP appended to it, should just be the user's current password, but I haven't checked this myself.
Regards,
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
-------------
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
-------------
When entering the "LDAP Password" I give "password+token"; for the "New password" I give only the new password without any token. After changing the password I can log in with the new password+token. But with "passwd" I can't change the password if OTP is used. Without OTP, changing the password works with "passwd" only.
On 25.04.25 at 14:53, Ondřej Kuzník wrote:
> On Thu, Apr 24, 2025 at 07:46:12PM +0200, Stefan Kania wrote:
> > Hello to all
> > When I activate the otp overlay I can log in with my user password and the 6-digit token. But how can I change the password with OTP active?
> > Without OTP I do "passwd", then give the old password and then the new password twice, and the password is changed.
> > With OTP I have to give the old password+6-digit token. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6-digit token, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
> > So how can a user change his password via the command line with OTP active?
> Hi Stefan, there are 2 steps when running ldappasswd:
> - the bind (Old password+OTP) to authenticate the session (-w/-W)
> - the password modify against someone (presumably self) with "old password" (-a/-t) and "new password" (-s/-T) provided
> Similar when other applications use this.
> AFAIK the old-password data shouldn't have the OTP appended to it, should just be the user's current password, but I haven't checked this myself.
> Regards,
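To make the two-step exchange Ondřej describes concrete, here is an added example (not code from the thread, from OpenLDAP, or from slapo-otp) that builds the two LDAP messages an ldappasswd run sends: the simple bind, whose credential is password+OTP because that is what the otp overlay verifies, and the RFC 3062 Password Modify extended operation, whose oldPasswd field carries the bare password. It uses a small hand-written BER encoder/decoder so the two credential strings can be compared byte for byte without a directory server. The DN, passwords, OTP and message IDs are constructed test data; the `otp_in_old_passwd=True` variant is an inference from the "Old password not accepted" symptom in the thread (the same password+OTP string being reused as oldPasswd), not a verified description of what pam_ldap or `passwd` sends. Function names are this example's own.

```python
"""Encode and decode the bind + Password Modify pair an ldappasswd run sends
against a slapo-otp protected account (added example, not project code)."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended op

# Constructed test data for this example; not real credentials.
DN = "cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net"
PASSWORD = "correct-horse"
OTP = "123456"
NEW_PASSWORD = "battery-staple"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER for non-negative n; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def bind_request(dn: str, credentials: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] OCTET STRING }
    With slapo-otp the simple credential is the password with the OTP appended."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, credentials.encode())
    return tlv(0x60, body)


def passwd_modify_request(user_identity, old_passwd, new_passwd) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] { requestName [0] OID, requestValue [1] }
    carrying PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1],
    newPasswd [2] }, all OPTIONAL. ldappasswd only sends oldPasswd with -a/-A, so
    each field is emitted only when given."""
    fields = b""
    if user_identity is not None:
        fields += tlv(0x80, user_identity.encode())
    if old_passwd is not None:
        fields += tlv(0x81, old_passwd.encode())
    if new_passwd is not None:
        fields += tlv(0x82, new_passwd.encode())
    body = tlv(0x80, PASSWD_MODIFY_OID.encode()) + tlv(0x81, tlv(0x30, fields))
    return tlv(0x77, body)


def parse_bind(message: bytes) -> dict:
    """Recover DN and simple credentials from an encoded LDAPMessage/BindRequest."""
    _, seq, _ = ber_read(message)
    _, _, pos = ber_read(seq)                 # messageID
    tag, op, _ = ber_read(seq, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _, pos = ber_read(op)                  # version
    _, dn, pos = ber_read(op, pos)
    tag, cred, _ = ber_read(op, pos)
    assert tag == 0x80, "only simple bind is handled here"
    return {"dn": dn.decode(), "credentials": cred.decode()}


def parse_passwd_modify(message: bytes) -> dict:
    """Decode the Password Modify value; omitted optional fields are simply absent."""
    _, seq, _ = ber_read(message)
    _, _, pos = ber_read(seq)                 # messageID
    tag, op, _ = ber_read(seq, pos)
    assert tag == 0x77, "not an ExtendedRequest"
    tag, oid, pos = ber_read(op)
    assert tag == 0x80 and oid.decode() == PASSWD_MODIFY_OID, "not Password Modify"
    _, value, _ = ber_read(op, pos)
    _, fields, _ = ber_read(value)
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    out, pos = {}, 0
    while pos < len(fields):
        tag, v, pos = ber_read(fields, pos)
        out[names[tag]] = v.decode()
    return out


def build_exchange(dn, password, otp, new_password, otp_in_old_passwd=False):
    """Step 1: bind with password+OTP (what slapo-otp checks).
    Step 2: Password Modify with the bare password as oldPasswd (what works).
    otp_in_old_passwd=True reproduces the shape the thread's failing `passwd` run
    appears to send: the same password+OTP string reused as oldPasswd (inferred)."""
    bind = ldap_message(1, bind_request(dn, password + otp))
    old = password + otp if otp_in_old_passwd else password
    modify = ldap_message(2, passwd_modify_request(dn, old, new_password))
    return bind, modify


if __name__ == "__main__":
    b, m = build_exchange(DN, PASSWORD, OTP, NEW_PASSWORD)
    print("bind credentials:", parse_bind(b)["credentials"])
    print("password modify :", parse_passwd_modify(m))
```

Running it prints a bind credential of `correct-horse123456` next to a Password Modify value whose oldPasswd is `correct-horse`; the two strings differ precisely by the token, which is why a client that reuses its bind secret as the old password gets the server's "Old password not accepted" while ldappasswd, prompting separately for each, does not.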
openldap-technical@openldap.org