1LDAPPASSWD(1) General Commands Manual LDAPPASSWD(1)
2
3
4
6 ldappasswd - change the password of an LDAP entry
7
9 ldappasswd [-V[V]] [-d debuglevel] [-n] [-v] [-A] [-a oldPasswd]
10 [-t oldpasswdfile] [-S] [-s newPasswd] [-T newpasswdfile] [-x]
11 [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
12 [-p ldapport] [-e [!]ext[=extparam]] [-E [!]ext[=extparam]]
13 [-o opt[=optparam]] [-O security-properties] [-I] [-Q] [-N] [-U auth‐
14 cid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] [user]
15
17 ldappasswd is a tool to set the password of an LDAP user. ldappasswd
18 uses the LDAPv3 Password Modify (RFC 3062) extended operation.
19
20 ldappasswd sets the password of associated with the user [or an option‐
21 ally specified user]. If the new password is not specified on the com‐
22 mand line and the user doesn't enable prompting, the server will be
23 asked to generate a password for the user.
24
25 ldappasswd is neither designed nor intended to be a replacement for
26 passwd(1) and should not be installed as such.
27
29 -V[V] Print version info. If -VV is given, only the version informa‐
30 tion is printed.
31
32 -d debuglevel
33 Set the LDAP debugging level to debuglevel. ldappasswd must be
34 compiled with LDAP_DEBUG defined for this option to have any
35 effect.
36
37 -n Do not set password. (Can be useful when used in conjunction
38 with -v or -d)
39
40 -v Increase the verbosity of output. Can be specified multiple
41 times.
42
43 -A Prompt for old password. This is used instead of specifying the
44 password on the command line.
45
46 -a oldPasswd
47 Set the old password to oldPasswd.
48
49 -t oldPasswdFile
50 Set the old password to the contents of oldPasswdFile.
51
52 -S Prompt for new password. This is used instead of specifying the
53 password on the command line.
54
55 -s newPasswd
56 Set the new password to newPasswd.
57
58 -T newPasswdFile
59 Set the new password to the contents of newPasswdFile.
60
61 -x Use simple authentication instead of SASL.
62
63 -D binddn
64 Use the Distinguished Name binddn to bind to the LDAP directory.
65 For SASL binds, the server is expected to ignore this value.
66
67 -W Prompt for bind password. This is used instead of specifying
68 the password on the command line.
69
70 -w passwd
71 Use passwd as the password to bind with.
72
73 -y passwdfile
74 Use complete contents of passwdfile as the password for simple
75 authentication.
76
77 -H ldapuri
78 Specify URI(s) referring to the ldap server(s); only the proto‐
79 col/host/port fields are allowed; a list of URI, separated by
80 whitespace or commas is expected.
81
82 -h ldaphost
83 Specify an alternate host on which the ldap server is running.
84 Deprecated in favor of -H.
85
86 -p ldapport
87 Specify an alternate TCP port where the ldap server is listen‐
88 ing. Deprecated in favor of -H.
89
90 -e [!]ext[=extparam]
91
92 -E [!]ext[=extparam]
93
94 Specify general extensions with -e and passwd modify extensions
95 with -E. ´!´ indicates criticality.
96
97 General extensions:
98 [!]assert=<filter> (an RFC 4515 Filter)
99 !authzid=<authzid> ("dn:<dn>" or "u:<user>")
100 [!]bauthzid (RFC 3829 authzid control)
101 [!]chaining[=<resolve>[/<cont>]]
102 [!]manageDSAit
103 [!]noop
104 ppolicy
105 [!]postread[=<attrs>] (a comma-separated attribute list)
106 [!]preread[=<attrs>] (a comma-separated attribute list)
107 [!]relax
108 sessiontracking
109 abandon,cancel,ignore (SIGINT sends abandon/cancel,
110 or ignores response; if critical, doesn't wait for SIGINT.
111 not really controls)
112
113 Passwd Modify extensions:
114 (none)
115
116 -o opt[=optparam]]
117
118 Specify general options.
119
120 General options:
121 nettimeout=<timeout> (in seconds, or "none" or "max")
122 ldif-wrap=<width> (in columns, or "no" for no wrapping)
123
124 -O security-properties
125 Specify SASL security properties.
126
127 -I Enable SASL Interactive mode. Always prompt. Default is to
128 prompt only as needed.
129
130 -Q Enable SASL Quiet mode. Never prompt.
131
132 -N Do not use reverse DNS to canonicalize SASL host name.
133
134 -U authcid
135 Specify the authentication ID for SASL bind. The form of the ID
136 depends on the actual SASL mechanism used.
137
138 -R realm
139 Specify the realm of authentication ID for SASL bind. The form
140 of the realm depends on the actual SASL mechanism used.
141
142 -X authzid
143 Specify the requested authorization ID for SASL bind. authzid
144 must be one of the following formats: dn:<distinguished name> or
145 u:<username>.
146
147 -Y mech
148 Specify the SASL mechanism to be used for authentication. If
149 it's not specified, the program will choose the best mechanism
150 the server knows.
151
152 -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If
153 you use -ZZ, the command will require the operation to be suc‐
154 cessful
155
157 ldap_sasl_bind(3), ldap_extended_operation(3), ldap_start_tls_s(3)
158
160 The OpenLDAP Project <http://www.openldap.org/>
161
163 OpenLDAP Software is developed and maintained by The OpenLDAP Project
164 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
165 versity of Michigan LDAP 3.3 Release.
166
167
168
169OpenLDAP 2.4.47 2018/12/19 LDAPPASSWD(1)