1LDAPPASSWD(1)               General Commands Manual              LDAPPASSWD(1)
2
3
4

NAME

6       ldappasswd - change the password of an LDAP entry
7

SYNOPSIS

9       ldappasswd   [-V[V]]  [-d debuglevel]  [-n]  [-v]  [-A]  [-a oldPasswd]
10       [-t oldpasswdfile]   [-S]   [-s newPasswd]   [-T newpasswdfile]    [-x]
11       [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
12       [-p ldapport]       [-e [!]ext[=extparam]]       [-E [!]ext[=extparam]]
13       [-o opt[=optparam]]  [-O security-properties]  [-I] [-Q] [-N] [-U auth‐
14       cid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] [user]
15

DESCRIPTION

17       ldappasswd is a tool to set the password of an LDAP  user.   ldappasswd
18       uses the LDAPv3 Password Modify (RFC 3062) extended operation.
19
20       ldappasswd sets the password of associated with the user [or an option‐
21       ally specified user].  If the new password is not specified on the com‐
22       mand  line  and  the  user doesn't enable prompting, the server will be
23       asked to generate a password for the user.
24
25       ldappasswd is neither designed nor intended to  be  a  replacement  for
26       passwd(1) and should not be installed as such.
27

OPTIONS

29       -V[V]  Print  version info.  If -VV is given, only the version informa‐
30              tion is printed.
31
32       -d debuglevel
33              Set the LDAP debugging level to debuglevel.  ldappasswd must  be
34              compiled with LDAP_DEBUG defined for this option to have any ef‐
35              fect.
36
37       -n     Do not set password. (Can be useful  when  used  in  conjunction
38              with -v or -d)
39
40       -v     Increase  the  verbosity  of  output.  Can be specified multiple
41              times.
42
43       -A     Prompt for old password.  This is used instead of specifying the
44              password on the command line.
45
46       -a oldPasswd
47              Set the old password to oldPasswd.
48
49       -t oldPasswdFile
50              Set the old password to the contents of oldPasswdFile.
51
52       -S     Prompt for new password.  This is used instead of specifying the
53              password on the command line.
54
55       -s newPasswd
56              Set the new password to newPasswd.
57
58       -T newPasswdFile
59              Set the new password to the contents of newPasswdFile.
60
61       -x     Use simple authentication instead of SASL.
62
63       -D binddn
64              Use the Distinguished Name binddn to bind to the LDAP directory.
65              For SASL binds, the server is expected to ignore this value.
66
67       -W     Prompt  for  bind  password.  This is used instead of specifying
68              the password on the command line.
69
70       -w passwd
71              Use passwd as the password to bind with.
72
73       -y passwdfile
74              Use complete contents of passwdfile as the password  for  simple
75              authentication.
76
77       -H ldapuri
78              Specify  URI(s) referring to the ldap server(s); only the proto‐
79              col/host/port fields are allowed; a list of  URI,  separated  by
80              whitespace or commas is expected.
81
82       -h ldaphost
83              Specify  an  alternate host on which the ldap server is running.
84              Deprecated in favor of -H.
85
86       -p ldapport
87              Specify an alternate TCP port where the ldap server  is  listen‐
88              ing.  Deprecated in favor of -H.
89
90       -e [!]ext[=extparam]
91
92       -E [!]ext[=extparam]
93
94              Specify  general extensions with -e and passwd modify extensions
95              with -E.  ´!´ indicates criticality.
96
97              General extensions:
98                [!]assert=<filter>    (an RFC 4515 Filter)
99                !authzid=<authzid>    ("dn:<dn>" or "u:<user>")
100                [!]bauthzid           (RFC 3829 authzid control)
101                [!]chaining[=<resolve>[/<cont>]]
102                [!]manageDSAit
103                [!]noop
104                ppolicy
105                [!]postread[=<attrs>] (a comma-separated attribute list)
106                [!]preread[=<attrs>]  (a comma-separated attribute list)
107                [!]relax
108                sessiontracking
109                abandon,cancel,ignore (SIGINT sends abandon/cancel,
110                or ignores response; if critical, doesn't wait for SIGINT.
111                not really controls)
112
113              Passwd Modify extensions:
114                (none)
115
116       -o opt[=optparam]]
117
118              Specify any ldap.conf(5) option or one of the following:
119                nettimeout=<timeout>  (in seconds, or "none" or "max")
120                ldif_wrap=<width>     (in columns, or "no" for no wrapping)
121
122
123       -O security-properties
124              Specify SASL security properties.
125
126       -I     Enable SASL Interactive mode.  Always  prompt.   Default  is  to
127              prompt only as needed.
128
129       -Q     Enable SASL Quiet mode.  Never prompt.
130
131       -N     Do not use reverse DNS to canonicalize SASL host name.
132
133       -U authcid
134              Specify  the authentication ID for SASL bind. The form of the ID
135              depends on the actual SASL mechanism used.
136
137       -R realm
138              Specify the realm of authentication ID for SASL bind.  The  form
139              of the realm depends on the actual SASL mechanism used.
140
141       -X authzid
142              Specify  the  requested authorization ID for SASL bind.  authzid
143              must be one of the following formats: dn:<distinguished name> or
144              u:<username>.
145
146       -Y mech
147              Specify  the  SASL  mechanism  to be used for authentication. If
148              it's not specified, the program will choose the  best  mechanism
149              the server knows.
150
151       -Z[Z]  Issue StartTLS (Transport Layer Security) extended operation. If
152              you use -ZZ, the command will require the operation to  be  suc‐
153              cessful
154

SEE ALSO

156       ldap_sasl_bind(3), ldap_extended_operation(3), ldap_start_tls_s(3)
157

AUTHOR

159       The OpenLDAP Project <http://www.openldap.org/>
160

ACKNOWLEDGEMENTS

162       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
163       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
164       versity of Michigan LDAP 3.3 Release.
165
166
167
168OpenLDAP 2.4.57                   2021/01/18                     LDAPPASSWD(1)
Impressum